Securing privileged access in the IoT age


When utilities introduced smart meters in the early 2000s, most people had their first exposure to the Internet of Things (IoT). The purpose of these devices was simple: provide a practical, hands-off way to improve the monitoring and collection of usage data for greater oversight and efficiency.

This approach helped solidify the groundwork for the idea of enabling other digital connections among remote devices and business systems, with the Internet serving as the go-between network.

Today, IoT is truly picking up steam—providing new value-added functionality through online devices ranging from smartphones, watches, refrigerators and cars to medical implants and industrial machinery.

Yet, just as adoption rates for smart devices continue to increase rapidly, so do the related security risks. This begs the question: Are organizations like yours fully prepared to secure connectivity at this level?


The Internet of Things Is Here to Stay

Connectivity on the Move

From individual consumers to large industrial plants, IoT impacts everyone and everything today. In fact, experts estimate that there may be as many as 50 billion connected devices online by 2019.¹

¹ CMO.com: “15 Mind-Blowing Stats About the Internet of Things,” April 17, 2015.

Where’s the Risk?

You may have thought it was nifty when you were first able to sync your cell phone with your car’s Bluetooth stereo system, or when auto manufacturers made GPS capabilities a widespread offering.

Today, smart cars are available that enable you to lock and unlock doors, schedule a future start to warm up or cool down the vehicle, check on fuel and oil levels, and locate where the vehicle is parked—all from an Internet-enabled remote device.

As more auto manufacturers gear up to deliver similar remote functionality, imagine the dangers to unsuspecting drivers if hackers were able to access and take control of their vehicles.

Or if malicious perpetrators attacked the firmware associated with medical implants and other life-saving equipment to stop transmissions or somehow interfere with their performance?

The trouble is, not only are these kinds of IoT-related hacks possible, but they’re already occurring where security is inadequate or non-existent.


When Security Gets Personal

The medical community is becoming increasingly aware of lurking dangers around medical devices. Concerned that former Vice President Dick Cheney’s pacemaker could be hacked, his cardiologist disabled the device’s Wi-Fi capability during Cheney’s time in office.²

² “How The Internet Of Things Got Hacked,” wired.com, January 28, 2015.


Cyber Attack Steals “Treasure Trove” of Information

21.5 million

The number of people whose personal information, including Social Security numbers, was stolen from U.S. Office of Personnel Management computers.³

This is the result of an attack by suspected Chinese hackers who likely used social engineering to gain access to valid user credentials for the systems they targeted.

³ “Hacking of Government Computers Exposed 21.5 Million People,” nytimes.com, July 9, 2015.

Privileged Access Management and the Expanding Threat Surface

No wonder the threat surface is spreading when every IoT device typically has a single account associated with it that is used to change parameters and policies or upload software updates. This means that any device that allows two-way communication and is upgradeable—like a car’s navigation app or internal network—has a privileged account assigned to it.

Applying privileged access management (PAM) helps defend against these security threats. But what makes things more complicated today is that the “someone” with privileged access can be a systems administrator or just another connected device or back-end service.

So envision how many potential access points will be available to hackers as these devices expand exponentially. And consider that almost every major hack—not just IoT-related, but all hacks reported recently—can be attributed to privileged accounts.

That’s why good PAM is so important. It enables you to secure the credentials for these at-risk accounts, no matter how they’re accessed. It also allows you to audit and log their activity to help prevent breaches and demonstrate compliance.


How Privileged Access Management Offers Greater Security

The increased threats around many IoT devices call for stronger security measures. So while password-based and two-factor authentication methods have proven sufficient for devices like ATMs and smartphones, risky IoT scenarios require more robust safeguards.

For example, as you identify and authenticate users or connected devices to enable privileged access, you need to consider multiple factors, including user roles and behavioral access patterns, geo-location, the type of device used to access systems or data, and the type of data being accessed.

PAM systems give you the capability to monitor access against all these variables. But to promote optimal security, you need to manage all credentials through the same PAM system. This approach provides a centralized point of authentication, and is especially effective in helping prevent exposure and risk to privileged accounts and shared administrative credentials.

Access Management for IoT

In IoT, it’s vital to know WHO has access …

Users (human and machine)

Devices (50 billion by 2020⁴)

The Enterprise (sensitive backend systems)

Users authenticate to devices.

Devices authenticate to the enterprise.

Additionally, the enterprise needs to understand and control…

HOW devices and backend resources are being used (When? What apps?)

WHAT devices and backend resources are being used for (Why? Which data?)

⁴ CMO.com: “15 Mind-Blowing Stats About the Internet of Things,” April 17, 2015.


Are you authorized?

Scale and Analytics are Becoming Essential

IoT is growing by an order of magnitude, and any privileged access measures you implement to secure your infrastructure need to keep up. Specifically, they need to provide for identity management capabilities that can scale to accommodate the anticipated surge in connected devices and related access requests made to your critical apps and systems.

You’ll feel the impact of this demand as you continue to roll out the kind of new apps and software updates that are part and parcel of the growing application economy—and essential to effectively leveraging IoT.

Meanwhile, this explosion in connectivity leads to a larger and larger network of devices that creates a target-rich environment for hackers. Having a strong analytics engine that can rapidly monitor and detect anomalies in device access and usage patterns will help prevent links between your enterprise and the IoT ecosystem from being compromised.

Access and usage behaviors of privileged users must be constantly screened to ensure they make sense based on the role of each individual. For example, a doctor may be authorized to access patient data from both a tablet and laptop. But if analysis shows that the request originated from an unusual device or geographic location, then established security policy controls can deny access.
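
The check described above can be sketched as follows. This is an added example, not part of the original document or of any CA product: it combines a role policy with a per-principal baseline built from earlier access records and writes an audit record for every decision. The role policy, the history records, and names such as `dr_lee`, `pump-221` and `evaluate` are constructed for illustration.

```python
from collections import defaultdict

# Constructed role policy: device types and data types each role may use.
ROLE_POLICY = {
    "doctor": {"devices": {"tablet", "laptop"}, "data": {"patient_record"}},
    "infusion_pump": {"devices": {"pump"}, "data": {"dosage_telemetry"}},
}

# Constructed history of earlier granted requests:
# (principal, role, device_id, device_type, country, data_type)
HISTORY = [
    ("dr_lee", "doctor", "tab-17", "tablet", "US", "patient_record"),
    ("dr_lee", "doctor", "lap-04", "laptop", "US", "patient_record"),
    ("pump-221", "infusion_pump", "pump-221", "pump", "US", "dosage_telemetry"),
]

def build_baseline(history):
    """Collect, per principal, the device ids and countries seen before."""
    seen = defaultdict(lambda: {"devices": set(), "countries": set()})
    for principal, _role, device_id, _dtype, country, _data in history:
        seen[principal]["devices"].add(device_id)
        seen[principal]["countries"].add(country)
    return seen

def evaluate(request, baseline, audit_log):
    """Decide allow/deny for one request and append an audit record."""
    principal, role, device_id, device_type, country, data_type = request
    reasons = []
    policy = ROLE_POLICY.get(role)
    if policy is None:
        reasons.append("unknown role")
    else:
        if device_type not in policy["devices"]:
            reasons.append("device type not permitted for role")
        if data_type not in policy["data"]:
            reasons.append("data type not permitted for role")
    usual = baseline.get(principal)  # .get() does not create a default entry
    if usual is None:
        reasons.append("principal has no history")
    else:
        if device_id not in usual["devices"]:
            reasons.append("unusual device")
        if country not in usual["countries"]:
            reasons.append("unusual location")
    decision = "deny" if reasons else "allow"
    # Record who accessed what, whether or not access was granted.
    audit_log.append({"who": principal, "what": data_type, "device": device_id,
                      "country": country, "decision": decision, "reasons": reasons})
    return decision, reasons
```

The same function handles human and machine principals, since both are evaluated against a role and a history.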

Steps to Effective PAM


A full-featured PAM solution—whether designed for a typical enterprise environment or optimized to tackle the specific challenges of IoT—will help give your organization deeper protection against hacks while keeping access seamless for authorized users.

PAM can help with compliance, too. Although much remains unknown about how IoT devices will be regulated in industries like healthcare, a good PAM solution will lay the groundwork for IoT compliance by creating a paper trail to record who accesses what.

What can you do now?

Since PAM is still relatively new in the enterprise space, it could be some time before available solutions are equipped to address security requirements in consumer and IoT scenarios. But you can get a head start today by taking the following steps:

1. Protect communication among devices and any service providers. It goes without saying, but any user credentials should be sent using secure channels and not in open text.

2. Properly secure any APIs you have created to connect IoT devices and services by using an API management solution.

3. Add a layer of protection beyond the password using advanced authentication methods, such as multi-factor and risk-based authentication.

Welcome IoT: Overcome Your Security Disconnect

IoT opens up possibilities for companies to deliver newly connected products and services that help drive greater profitability and growth. And for the end users of those offerings, the benefits range from organizations boosting staff productivity to consumers experiencing higher levels of convenience and efficiency. But exploiting those opportunities may not happen as easily or safely as you think.

Because with merely a partial understanding of IoT and what it means from a security perspective, how can organizations possibly protect themselves from potential IoT-related breaches and vulnerabilities? Addressing this disconnect is critical, and effective privileged access management plays an important role.

Learn how PAM can help you safeguard privileged accounts and credentials at:

ca.com/privileged-access-management


Only 38% of C-suite executives think their company’s senior leaders fully understand IoT, while a whopping 84% believe their organizations are ready to capitalize on it.⁵

⁵ Accenture CEO Briefing 2015: From Productivity to Outcome – Using the Internet of Things to drive future business strategies.


© CA 2016. All rights reserved. All marks used herein may belong to their respective companies. This document does not contain any warranties and is provided for informational purposes only. Any functionality descriptions may be unique to the customers depicted herein and actual product performance may vary.


CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate – across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com.