The Internet of Things (IoT) adds another sticky layer to the question of cloud security. Most organizations think in terms of the devices themselves, rather than the services offered through the cloud, as potential vulnerability points. However, with all the data being gathered through IoT devices, organizations will find that utilizing cloud services may be the best way to alleviate strain on their in-house infrastructures. That opens up a whole new can of worms--and experts advise getting on top of cloud security now, rather than later, to prevent costly breaches.
IoT devices will monitor, communicate, and respond according to their environments, according to Paul Hill, senior consultant at SystemExperts. While many of these IoT devices are consumer-oriented, more enterprises are embracing IoT devices for a variety of applications.
"Potentially, IoT will double, or even increase by an order magnitude, the number of devices appearing on an enterprise network," Hill said. Gathering and analyzing that information will easily exceed most IT departments' in-house server capacity, leading organizations to cloud data centers. But that comes with its own perils.

Shore up network controls before introducing IoT

The Cloud Security Alliance (CSA) has formed a working group to offer best practices, and experts offer a few of their own tips to prevent cloud security from being the weak link in an IoT deployment: handling traffic, understanding the security around cloud services, and more.
For example, Hill recommended segregating IoT traffic from other network traffic. "Just as most secure organizations segregate their data traffic from their voice traffic, the IoT traffic should also be segregated from other network traffic," he said, noting that an IoT gateway can be used for this purpose.
In addition, IoT network traffic needs to be monitored and managed once it's segregated, just like any other traffic on the network. "Many enterprises lack a complete understanding of the network traffic generated by IoT devices and the cloud services they may access," Hill said. "Tools will be needed to detect whether--and when--compromised credentials or unmanaged devices are used to access cloud services," as well as to verify that sensitive IoT data and systems are securely handled.
Some insight into traffic can be gleaned from DNS, firewall, and web proxy logs. However, more advanced tools, like intrusion detection systems, intrusion prevention systems, and cloud access security broker systems, should be considered, Hill said.

featureddownload2.jpg

Cloud computing policy

Advantages of cloud computing include lowered operational costs, greater technological flexibility, and the ability to rapidly implement new systems or services. However, cloud computing has also opened up new opportunities for impact by security threats or lost data. This policy provides guidelines for secure and effective cloud computing operations to ensure the integrity and privacy of company-owned information. Free for Tech Pro Research subscribers.

Inspect cloud infrastructure before use

Cloud infrastructure, like AWS, is another concern for organizations using it to manage their IoT devices. "There are many security controls that can be overlooked and bypassed by an attacker, despite best efforts at hardening your application," said Paul Moreno, cybersecurity expert at Ayden and Bugcrowd advisor.
Other support infrastructure, like GitHub, could present vulnerabilities if it doesn't have the proper controls in place, Moreno said. "All it takes to ruin a day is forgetting to lock down an S3 bucket permission or checking sensitive code into a public repository."

Pay attention to security maintenance procedures

What cloud security controls are in place may not matter much if they're not maintained, monitored, and responded to, said Jeff Man, cybersecurity evangelist at Cybrary. While the burden of security is passed along to the cloud provider, someone still needs to be in charge of access control, traffic filtering, security configurations, data protection, virus protection, and other incident monitoring, response, and prevention, he said.
Most cloud service providers will stipulate in the service level agreement what is and isn't included. "The main problem I've seen is customers believing that the cloud providers are offering more security controls than they actually do," Man said. He recommends that companies migrating operations to the cloud read SLAs carefully and make sure they know which security controls will be maintained by the cloud provider and which ones they'll have to implement themselves.
"The overlap of cloud security and IoT is mostly in the land of opportunity for security vendors right now," Man said. Most of these vendors are focused on developing security controls and services that can be offered in the cloud and reach unknown and known IoT devices. Detection is the first component, because organizations can't protect what they don't know about, followed by security testing and vulnerability identification.
"Companies that rely on discovery for identifying what is resident in or can access their network are doomed to always play catch-up," Man said. "Having proactive and enforced access controls, a legitimate inventory of systems and users, configuration and patch management are the necessary essentials."
For enterprises using cloud services with IoT, adhering to as many best practices as possible seems to be the way to go. Knowing who is responsible for security, what the cloud provider offers, and what already is in place on their own networks will go a long way toward preventing breaches and helping them stay one step ahead of hackers.