A blueprint for secure enterprise IoT deployment

Article by Rapid7 IoT Principal Security Researcher Deral Heiland.

Increasingly, organizations are adopting smart technologies to support innovations that can improve safety and productivity in every part of our lives, from industrial systems, utilities, and building management to various forms of business enablement.

But while these technologies offer tremendous benefits, as with any new technology, they also present the potential for unintended consequences due to technical issues or tampering that may not yet be discovered and mitigated.

The very purpose of Internet of Things (IoT) technologies is to bridge the gap between our virtual and physical worlds, and as such, tampering with or technical failure has the potential to result in loss of privacy, systems availability, and, in some cases, even physical damage.

I recently had the opportunity to work with Domino’s Pizza to evaluate an in-house conceived IoT-based retail solution that they had designed and implemented across all of their stores. The multinational pizza restaurant is the perfect example of a large company leveraging IoT technology for business enablement on a regular basis.

Domino’s IoT-based ecosystem solution is known as Flex, a platform-based solution consisting of several small services. This enables stores to leverage diverse web experiences and digital products across a variety of kiosk displays in their stores. These are specific Domino’s products that store team members take advantage of at will. The platform powers all in-store display technology, enabling stores and team members to be more efficient and situationally aware, so they can manage their respective stores effectively. The platform also provides a centralized cloud-managed platform with Domino’s hosted experiences, giving stores and team members the technology flexibility they need to run stores efficiently and successfully.

The goal of this research project was to understand the security implications around a large-scale enterprise IoT project and the processes related to acquisition, implementation, and deployment; technology and functionality; and management and support.

Initial phase

The project began with each of the internal teams involved in the project discussing those key areas and how security was defined and applied within each. This provided valuable new insights into how security should play into the design and build of a large business IoT solution, especially within the planning and procurement phases, and into how a security-driven organization like Domino’s approaches a project of this scale. Two key conclusions emerged. First, always consider vendor security first in your risk planning and modeling. Second, the security “must haves” must correspond to your organization’s internal security policies.

Security assessment

It was also necessary during this initial phase to conduct a full security assessment of the ecosystem, examining all critical hardware components, operating software, and associated network communications.

As with any large-scale enterprise deployment, we encountered some security issues. This reinforces that all projects, even those with security built in from the start, should go through a wide-ranging security assessment to iron out any shortcomings. The assessment allowed security teams and project developers to quickly create solutions to address the identified issues. Additionally, by looking at and discussing the processes and methodologies used to create and implement solutions in production, the assessment ensured that Domino’s did so safely, without impacting production.

During a typical security assessment of an enterprise-wide business solution such as this one, we are reminded of a couple of key best practice elements that should always be considered. First, when testing the security of a new technology, use a holistic approach that looks at the entire ecosystem of solutions. Second, test documented security procedures regularly: security is a moving target, and testing these procedures regularly can help identify gaps.

Going live

Once an idea is designed, built, and deployed to production, we need to ensure that the deployed solution remains fully functional and secure. To achieve that, Domino’s moved the implemented enterprise IoT solution under a structured management and support plan. This support structure was designed, as expected, to help prevent outages, security incidents, loss of services, or loss of data that could affect production, focusing on patch management, risk and vulnerability management, and monitoring and logging.

Once again, it was important to sit down and talk about security with the various teams involved in the support infrastructure and see how it not only applied to this specific project, but how Domino’s applied these same security methodologies throughout the company.

During this final evaluation phase of the project, we were reminded of one of the most important points, one that many organizations fail to apply but Domino’s does: when implementing new integrated technology within your business environment, ensure that the technology is properly integrated into your organization’s patch management.

By the end of this research project, I had a much better understanding of the complexity, pitfalls, and security best practice challenges that a large enterprise IoT project can involve. However, I am pleased to say that Domino’s rose to that challenge and successfully delivered this project to its business.
