Keep IoT security close to your heart
Security and access management will be vital to enabling IoT in the healthcare sector.
While the Internet of Things is still an emerging phenomenon, it has already attracted something of a backlash. There’s even a Twitter account (the name of which I cannot repeat on a family blog) dedicated to poking fun at the sillier side of IoT. Generally, this means embarrassing security breaches and pointless connectivity in consumer goods. It’s all good fun for tech boosters and skeptics alike but somehow misses the point about the real benefits and even the true risks of IoT.
Connecting a range of everyday devices creates enormous opportunities for organizations to do any number of great things—improve customer service, optimize product performance, and maximize efficiency to name a few. But the risks of potentially exposing these devices to hackers can be enormous. This fact has been brought home by recent connected car hacks and it was made especially vivid by this Securelist article focusing on security risks created by connectivity in the healthcare sector.
The healthcare sector actually witnessed some of the first concerns around IoT security. As early as 2007, Vice President Dick Cheney had the wireless connectivity on his pacemaker disabled, fearing it could be hacked in an assassination attempt. Sounds paranoid? Well, keep in mind that Robert Vamosi’s 2011 book When Gadgets Betray Us reported that security researchers at a number of universities had managed to remotely disrupt the performance of connected pacemakers.
While a hack of this sort is difficult to execute, the consequences are potentially catastrophic—death, frankly. Moreover, the previously mentioned Securelist article makes it clear that it doesn’t necessarily take the resources available to a university or a national government to hack connected healthcare devices. In fact, the article’s author, Sergey Lozhkin, managed to access multiple sensitive devices simply by cracking a weak password on his local hospital’s wireless network.
Lozhkin observes it is “radically wrong” that medical devices should be exposed to the Internet with weak-to-no authorization controls. Identity and access weaknesses of this sort—in many ways, the Achilles heel of IoT—are discussed in a new CA Technologies eBook: Securing Privileged Access in the IoT Age. The eBook explains that one of the reasons it’s so challenging to secure and manage authorized identities in IoT scenarios is that there are simply so many identities involved.
This is because each device will have at least one identity associated with it, almost certainly including a privileged account, through which changes like firmware updates can be made. Keep in mind there are billions of devices involved, meaning billions of privileged identities. This is complicated further by the fact that these may be human or machine identities. And it’s made more serious by the fact that privileged accounts have proved to be the number one way in for malicious hackers.
The commonplace abuse of privileged accounts has led to the creation of privileged access management (PAM) systems that makes it possible to secure login credentials for privileged accounts and monitor account activity to identify and stop abuse. This is an emerging discipline in the enterprise world and specifically IoT-centric solutions have not yet arrived, but it is clear that PAM technology will play a crucial role in the high-stakes game of securing connected devices against misuse.
To learn more about how PAM will help connected enterprises to keep their sensitive systems secure and customers safe, read Securing Privileged Access in the IoT Age today.