This is the fourth in a series of Arrayent blog posts on IoT security. The series is written for employees of companies who sell connected products, especially those new to IoT. With this series, we hope to bring a basic level of awareness and understanding of key issues that face everyone who develops connected consumer products. We also hope to stimulate an ongoing dialog that helps move the conversation about connected products security forward.
External audits: detective work or proctology? To IoT platform companies it feels like both
Any manufacturer of branded consumer products who is looking to partner with an IoT cloud platform will want to vet that company thoroughly to ensure their security technology, policies, and procedures are up to snuff. During the getting-to-know-you process, it is important to find out how the company views security and what their internal processes include. Asking questions about how they store data, who has access to it, the physical security procedures for employees, whether their phones and laptops have two-factor authentication and are encrypted—these are all important items of inquiry when vetting IoT partners.
But one critical item not to overlook is the importance of external firms who are hired to audit IoT security strengths and weaknesses. External audits are a means to evaluate and test systems, practices, and operations to determine if the information assets at a company are adequately safeguarded in order to achieve the company’s business goals. The evaluation looks at whether a partner has effective internal controls to secure precious data and protect its integrity as well as comply with regulations as they apply across the globe.
TRUST, BUT VERIFY
Rarely, if ever, does someone who is vetting a prospective IoT platform partner pay for a third-party firm to conduct an audit. But you will want to know the platform partner’s policy on accepting third-party audits once you are their customer, and on an ongoing basis. For example, as part of Arrayent’s master service agreements, we accept up to two external audits per year. We limit this to two because audits can be disruptive to personnel, and we feel that accepting two audits should answer any questions on the part of the customer. When you are vetting IoT partners, you should know your rights under contract and the partner’s willingness to accept audits in terms of frequency and duration.
While passing an audit cannot guarantee that there will be no security breach or data handling error in the future, it can reveal whether there are any unaddressed problems now, and whether an IoT cloud platform partner continues to be a good fit for the needs of your company.
One way to use the power of 3rd-party independent audits during the vetting process is to ask the IoT platform company how many audits they have gone through recently. Because those audits may have been initiated and paid for by the IoT platform’s other customers, it is unlikely you will be able to see the audit reports. But if, for example, you are choosing between four different IoT platform companies and find out how many times and how frequently each has been audited, you might gain a clearer picture of which among them is being put more strongly to the test—and who, presumably, is all the better for it.
FIVE BEST PRACTICES FOR IMPLEMENTING EXTERNAL AUDITS
The diffuse nature of IoT poses new challenges to security beyond traditional IT auditing, as requirements and standards for an audit will vary depending on product offerings and the markets a company serves. Industry organizations like the Cloud Security Alliance (CSA), National Institute of Standards and Technology (NIST), ISO, ISACA, Online Trust Alliance, and others, are helping define the IoT industry’s standards and best practices and are great resources as you undertake IoT partner vetting. Here are a few of the best practices we have learned about external audits over the past decade that we share with our prospective customers:
Finally, to learn more about the challenges and emerging approaches to cloud security auditing, this IEEE article is an excellent resource. For more detailed advice about conducting audits, this SearchCloudSecurity article also offers valuable insights. And, for advice on how to find an external audit firm, here are recommendations by Forrester analyst Robert Stroud on the ISACA blog. If you wish to speak with Arrayent more deeply about our own security practices, contact us here.