Embracing IoT in the Enterprise


Presentation from IBM InterConnect in Las Vegas March 2017.

Enabling Internet of Things (IoT) so your employees and your customers can have a simplified experience with new services and products sounds exciting. In this session, we will dig into the top ten risks that come with the IoT experience. Due to the rapidly evolving nature of IoT and associated threats, there are risks in allowing access to your enterprise resources. Custom firmware, embedded operating systems and wi-fi connectivity of IoT devices offer many possible areas for exploits and misuse. Come explore current security offerings and get a first look at best practices. Walk away with an immediate checklist to benefit your enterprise as it deploys and offers IoT access.


  1. 1. Embracing IoT in the Enterprise and Blocking the Top 10 Risks Gabriella Davis Technical Director - IBM Lifetime Champion The Turtle Partnership IWT-2469 IBM InterConnect 2017 Conference
  2. 2. Who Am I? • Admin of all things and especially quite complicated things where the fun is • Working with security, healthchecks, single sign on, design and deployment of IBM technologies and things that they talk to • Stubborn and relentless problem solver • Lives in London about half of the time • twitter: gabturtle • Awarded the first IBM Lifetime Achievement Award for Collaboration Solutions
  3. 3. Roadmap For This Session • The World of IoT • Opportunities In The Enterprise • Challenges of IoT • Risks of the Unexpected • Your Checklist For IoT In The Enterprise
  4. 4. Internet Of Things • A physical device with embedded internet connectivity and “always on” status • The beauty of IoT devices is that they are integrated into your life • There’s no authentication • They know everything they need to know simply because of their placement or setup • Their true value is in learning about things like your preferences, behaviour, patterns
  5. 5. Pre IoT Machine Learning • Using algorithms to learn and improve functionality without direct programming • Guided learning - this is where we want to get to • Unguided learning - using only the data • Reinforced learning - based on interactions • IoT connects devices whereas machine learning accumulates and acts on data
  6. 6. Evolution of IoT • Consumer products • Envisaging potential for Enterprises • Initial investments • In most industries we are still at a very early conceptualising stage
  7. 7. Opportunities In The Enterprise
  8. 8. How IoT Can Change Enterprises • Generating new revenue models • Becoming a digital enterprise • Introducing efficiencies • Changing and aiding customer service and customer reach
  9. 9. Manufacturing (Industry 4.0) • Improve the production process and the supply chain • More suppliers over longer distances all attempting to work together • Much of the supply chain is outside direct control and IoT devices can supply the data needed to regain that
  10. 10. Retail • Store layout • High traffic areas, tracking customer paths • Using beacon technology to reach out to consumers in store with promotions • Connecting digital and physical worlds • Disney’s Magic Bands
  11. 11. Utilities • Customer Service • Manage communication • Improving response for outages • Increasing reliability • Competition for utilities providers from IoT providers • Developing countries with monitoring for sanitation • Recycling companies with sensors on bins and collection trucks
  12. 12. Insurance • Triggering alerts on damage including quantifiable data • Recording environment status • Customer service - automatically generating insurance claims
  13. 13. Healthcare • Devices to record and send data • Sensors to track and monitor vital signs • Smartbeds • Home medicine dispensers • Increasing interactions between Dr and patient
  14. 14. Challenges of IoT
  15. 15. Changing existing models • The principles behind deploying IoT anywhere require rethinking of existing processes and models • IoT cannot just be bolted on to an existing method • Enormous amounts of data will be generated and where and how to insert them into the business as well as how to leverage them needs to be considered
  16. 16. Challenging Embedded Thinking • Changes to the way people and processes work requires us to approach each area of the business holistically • Do we need to do this this way? • If we could get any information either from our own systems or from our customers what would we want and what would we do with it? • Assuming anything is achievable
  17. 17. Building From New • It’s far more likely that a system integrating IoT into your business will require building from new • Certainly deploying the correct hardware / sensors and modifying processes both mechanical and human to leverage those is a big undertaking • There will be a significant investment required in hardware and an ongoing investment in maintenance, data analysis, training, marketing and change
  18. 18. Handling large amounts of data • IoT is about generating masses of data and then acting on it • Virgin Airlines' new 787 planes are expected to generate over half a TB of data per flight on every aspect of the plane’s mechanics • There needs to be a plan for what data will be generated, how it will be handled, how to act on it quickly, how to secure it and how to destroy it
  19. 19. Analysing Data, Identifying Patterns • The value from IoT is dependent on the ability to generate, analyse and act on data • Data visualisation, design algorithms, customer service all depend on management of data • Farmers are able to use sensors to monitor soil content in real time and adjust their treatment
  20. 20. Risks of the Unexpected
  21. 21. Why This Is A Concern With IoT • Physical devices may now come with built in connectivity as an added feature • Companies who didn’t deploy them for that feature may also not have security policies in place to disable or limit it • Risk assessment happens too late
  22. 22. Risk: Data Bleed • Malware • Sniffing Traffic • Compromised credentials • Traversing across into secure internal networks
  23. 23. Risk: DNS Attacks A vulnerability in a particular sensor’s hardware that could allow a DNS attack and potentially disable other similar devices or break a process / production line
  24. 24. Risk: BYOIoTD • People bringing IoT devices in from home and attaching them to corporate networks • Enterprise wifi transmitting insecure private information • Supporting application software with too high permissions • Data protection for personal information
  25. 25. Risk: HTTP Traffic • Many devices are designed to use HTTP to send data to the cloud or between themselves • Some devices receive firmware updates without authentication over HTTP • For consumer devices this is often not detailed in documentation • Most enterprises restrict inbound traffic but not always for HTTP
  26. 26. Designing Security Best Practices • Physical access / location • Firmware updates • Local administrative accounts and access • Network access • Encryption tunnels for data • Recovery / remediation plan
  27. 27. Blockchain and IoT • Blockchain is a transactional auditing method originated for Bitcoins but rapidly expanding out to enterprise technologies • Using Blockchain every transaction is logged and verified via cryptographic strings across multiple nodes. • Once enough nodes have verified a transaction as valid that is written to the audit record • Blockchain deployed for IoT devices would present a way to identify missing expected transactions and unexpected transactions both of which result from hijacking
  28. 28. Your Checklist For IoT In The Enterprise
  29. 29. Planning 1. Risk assessment of enterprise hardware 2. Policy for use of consumer devices by line of business 3. Budget planning for IoT assessment, maintenance and security
  30. 30. Security 4. Finding all the devices - most will not advertise themselves or be visible on the network as they use specific protocols that aren’t easy to monitor 5. Identify the device type and usefulness 6. Identify the attack surface of a device 7. Create security policies for the use and maintenance of IoT devices
  31. 31. Securing the Enterprise Network 8. Create an isolated IoT network • Deny user credentials onto that network 9. Traffic monitoring 10. Resetting firmware and all administrative authentication protocols on any IoT devices
  32. 32. Maintenance & Firmware Updates 11. Most IoT devices use unexpected protocols and can’t be interrogated by standard network monitoring tools 12. IoT devices use specific operating systems; at best you could hope for a version of Linux. It’s unlikely you can install management software on them 13. Keeping the enterprise secure will require devices to be updated / patched with the latest firmware, almost certainly a manual process for each device 14. The expected lifespan of most IoT devices is much longer than for other hardware
  33. 33. Remediation 1. Map all critical inbound and outbound routes and have a plan to shut down non critical and, if necessary, critical ones 2. Disable sensors on unnecessary IoT devices. If a piece of hardware has an IoT sensor you don’t need, disable it before installing it 3. Have plans to replace or regenerate data 4. Be able to isolate network activity by separating networks 5. Don’t expect the worst but plan for an analog fallback in the event systems are disabled or networks are unavailable
  34. 34. Summary 1. We are at the beginning of an evolutionary and exciting phase in every industry. Now is the time to think about how this will change yours. 2. IoT is not something that can be bolted on to existing systems, thinking and processes; the planning involved will always be a large commitment 3. Technology and security for IoT devices is changing but not rapidly enough and older devices will not have the hardware on board to support new security processes 4. IoT brings huge opportunities to every industry sector offering a chance to innovate and drastically alter existing business models
  35. 35. • twitter: gabturtle
  36. 36. Notices and disclaimers Copyright © 2017 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.” Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. 
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law
  37. 37. Notices and disclaimers continued Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. IBM, the IBM logo,, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. 
A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at:
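
Added example, not part of the original slides: one way to act on checklist items 4, 8 and 9 (find the devices, isolate the IoT network, monitor traffic) and on the HTTP traffic risk from slide 25 is to audit flow records whose source sits on the IoT segment. The subnets, the inventory, the record layout and the firmware file suffixes are assumptions, and the flow records are constructed sample data.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed addressing plan (hypothetical): one isolated IoT segment inside 10.0.0.0/8.
IOT_NET = ip_network("10.50.0.0/24")
INTERNAL_NET = ip_network("10.0.0.0/8")

# Assumed inventory produced by the device-discovery step (constructed values).
INVENTORY = {"10.50.0.11": "badge-reader", "10.50.0.12": "hvac-sensor"}

# Constructed flow records: src, dst, dst_port, url_path (empty when not HTTP).
SAMPLE_FLOWS = """\
10.50.0.11,203.0.113.20,443,
10.50.0.12,203.0.113.30,80,/telemetry
10.50.0.12,203.0.113.30,80,/fw/hvac-2.1.bin
10.50.0.11,10.1.4.25,445,
10.50.0.77,203.0.113.40,443,
10.1.4.25,10.1.4.30,445,
"""

# Assumed file suffixes that suggest a firmware image.
FIRMWARE_SUFFIXES = (".bin", ".img", ".fw")

def audit_flows(text):
    """Return sorted (src, finding) pairs for flows that start on the IoT segment."""
    findings = set()
    for src, dst, port, path in csv.reader(io.StringIO(text)):
        if ip_address(src) not in IOT_NET:
            continue  # only sources on the IoT segment are in scope
        if src not in INVENTORY:
            findings.add((src, "unknown-device"))  # not found during discovery
        dst_ip = ip_address(dst)
        if dst_ip in INTERNAL_NET and dst_ip not in IOT_NET:
            # The isolation policy should have blocked this path.
            findings.add((src, "reaches-internal-network"))
        if port == "80":
            is_fw = path.lower().endswith(FIRMWARE_SUFFIXES)
            findings.add((src, "http-firmware-download" if is_fw else "plaintext-http"))
    return sorted(findings)

if __name__ == "__main__":
    for src, finding in audit_flows(SAMPLE_FLOWS):
        print(f"{src:<12} {INVENTORY.get(src, '?'):<14} {finding}")
```

Each finding maps back to a slide: an unknown source is a device discovery missed, a flow into the corporate range is a break in network isolation, and port 80 traffic is the unauthenticated HTTP path the deck warns about.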