Eight Steps for Designing your IoT Security Architecture

There is lots of hype around the Internet of Things (IoT) and sometimes it is difficult to wade through the noise to determine what an enterprise IT organization should actually be doing today to prepare. Many times it is hard to define even what we mean by “thing,” as everything from wearables to heat sensors to retail kiosks are lumped under that broad umbrella. At MobileIron, we expect the number of devices with connectivity will grow exponentially over the next decade. Some of the those devices will have a human interface and be multi-purpose, like a smartwatch. Others will never interface with a person and be highly specialized, like a motion sensor. But all will produce and consume enterprise data and need to be part of an overall security architecture.

Here are seven steps that each company should take as they formulate their long-term IoT security strategy:

  1. Identify the primary information flows in the organizations and, especially, the sets of data that feed core computational systems, even if that data is not collected or transmitted electronically today. Wherever data collection or data consumption creates business value, you should expect to one day see connected (IoT) devices.
  2. Categorize the types of IoT devices expected and their baseline management requirements, for example, device discovery, inventory, remote configuration, monitoring, and software upgrade. Prioritize by timeframe.
  3. Define and prioritize the new risks of data loss, especially new vectors that emerge due to the fragmentation of embedded operating systems, networks, and interfaces.
  4. Quantify the risk of unauthorized access to these devices. For example, if a factory automation device in a manufacturing floor or smart medical device in a hospital is compromised, it could have significant negative impact on the business.
  5. Define the associated security actions to be triggered, such as the circumstances under which a device that is compromised would be taken off the connected network.
  6. Define your Big Data strategy for IoT. How will you secure the massive amount of business critical data that is produced by the sensors in these devices? What if massive amount of sensor data emanating from a business critical device is compromised or leaked? Data-oriented security with dynamic data correlation, analysis, and intelligence is a core requirement for IoT.
  7. Develop privacy policies for sensor data. The proliferation of sensors will result in more and more personal data being generated, for example health information from medical devices. The access to and the security of this data will have many privacy implications with limited guidance from existing case law.
  8. Protect these new connected devices against network intrusions and denial-of-service attacks. Enterprises have mechanisms to do this today, but now they will have to do it across a much broader set of devices.

Our mission at MobileIron is to secure enterprise data wherever it lives. IoT will introduce many new use cases for enterprise data. These considerations are top of mind for us as we determine where, when, and how to extend our capabilities around data protection, posture detection and policy-based authorization and access control to a broader set of endpoints and communication methods.

Ojas Rege

Chief Strategy Officer

About the author

twitter icon



Ojas Rege's perspective on enterprise mobility has been covered by Bloomberg, CIO Magazine, Financial Times, Forbes, and Reuters. He coined the term “Mobile First” on TechCrunch in 2007, one week after the launch of the first iPhone, to represent a new model of personal and business computing. He is co-inventor on six mobility patents, including the enterprise app store and BYOD privacy. Ojas is also a Fellow of the Ponemon Institute for information security policy. Ojas has a BS/MS in Computer Engineering from M.I.T. and an MBA from Stanford. Ojas is also Board Chair for Pact, a non-profit in Oakland, California that provides adoption services for children of color and their parents.