Procuring IoT: Data Integrity and Security

The Internet of Things (IoT) is undoubtedly going to play a major role in the workplace.  Because an employer has a number of critical employee-related interests in securing IoT data, including protecting securing otherwise private employee and business information as well as protecting trade secrets, employment lawyers should be in the conversation with the technology acquisition and development teams as they develop an IoT acquisition policy.  Here is how to create such a policy.

Briefly, Gartner’s succinct definition of IoT is “the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”   In short, any device that can sense and/or interact with its environment and which is controlled by, or sends data to, another device via the internet.

Here are some elements to consider in an IoT acquisition policy:

Data Integrity

1. What I call “Data integrity” must be built in by design.  That is, a device must collect, store, send, and share data according to an understood plan — no more and no less,
2. If the data is being captured, stored or transferred by the supplier, insist on adequate physical and technological security measures for that transfer and storage — and appropriate indemnification.
3. The device must be configurable to limit the data collection and/or retention to what is needed for business purposes.   Remove all unused software/tools and use white-listing to ensure that only trusted apps run.
4. The supplier must reveal all of the data the device is collecting.  Unless it is purpose-built for you, a device may collect data you did not anticipate.
5. Ensure that the device is compatible is with your data governance and ESI discovery plan.
6. Insist on rapid notification of breaches at the supplier or its other customers with similar software or devices.

Security

1. Security must be built into the technology by design.  That means security was a primary concern of the designers; baked into the original product specifications rather than being added on later.
2. Security must follow a “defense-in-depth” approach, ensuring that no one security measure is a single point of failure
3. When the device is booted up, the network should be able to verify that the on-board software is legitimate and has not been subject to any tampering (that is, a secure boot chain).
4. When the device comes onto the network, it should be capable of authenticating itself prior to receiving or transmitting data.
5. Expect devices to be rate limiting, that is, limiting the flow of inbound and outbound traffic to certain attempts per time period (to limit brute force attacks).
6. Require that the device is capable of assessing whether inbound data conforms to that which is expected (essentially, an on-board firewall).
7. Require all outbound data to be properly encrypted.
8. Determine whether access to non-local (non-employer-owned) networks is necessary and if not, require that non-local networking is disabled.
9. Require that the device can only access those part of a network that it has a right to access and structure the network such that a compromise of a device’s security does not allow interference with other data
10. Ensure that the device has been tested against attacks that center on any device-web interface.
11. Require the ability to push authenticated patches and software updates.
12. Require a smart fail-safe mechanism when connection or power is lost or jammed
13. Ensure the supplier has sufficient control over its supply chain to ensure that all chips and components are legitimate and do not contain malicious code.

See this useful guide from the FTC.  See also The Basics of IoT Security, Security in the Internet of Things (.PDF) and 8 Ways You Can Help Secure the Internet of Things.  The gold standard, in my opinion, is Symantec’s whitepaper on IoT Security, found here (.PDF).