Smart digital city with connection network showing need for IoT security

Telcos and PAM: A Response to the Next Wave of IoT

The world is getting smaller by the day empowering more people to be connected with a simple touch of a button.

Not only are we living in a hyper-globalized era in a physical sense, where people and goods can reach the other side of the planet in a matter of hours, we are also hyper-globalized virtually because of technology.

By the end of 2018 there were 22 billion Internet of Things (IoT) connected devices, around three for every person on the planet. By 2030, this will more than double reaching 50 billion.

Devices such as these are used to send up to 65 billion WhatsApp messages a day, along with more than 300 billion emails, with the physical distance between sender and recipient causing zero hinderance to the process.

According to the GSMA, the global IoT market will be worth $900 billion by 2025, almost three times what it was valued in 2019 – this is despite the setbacks of COVID-19 which have partially been offset by rising connectivity revenues.

In the UK, the government has identified 5G as a key technology to deliver gigabit broadband connectivity nationwide. It currently ranks sixth among the world’s leading nations in terms of 5G deployment, and is grounded in the view that mobile technology will soon surpass connectivity speeds offered by fixed networks.

So much so, the UK’s Department for Digital, Culture, Media, and Sport wants to have the majority of the population covered by 5G by 2027, making clear in its UK Telecoms Supply Chain Review Report that this project will bring about enormous benefits to consumers and businesses alike.

Indeed, the use cases of 5G are vast. From powering the Industrial Internet of Things (IIoT) to facilitating the likes of smart healthcare and autonomous vehicles, such is the capital being bet on this technology that even talks of 6G and 7G are starting to emerge.

A call for telcos to adopt IoT risk assessments

While the consensus is, rightly, that connected devices can improve society in the future, we must embrace technology responsibly and consider the principle that with opportunity also comes risk.

The GSMA, the industry body representing the global mobile industry, identifies IoT as one of the main security threats for telecoms networks.

The threat is twofold. On a consumer level, there are dangers posed by the masses of insecure IoT devices and on the enterprise level, critical services are managed by IoT devices which can be prone to cyberattacks.

Telcos are also rapidly expanding their remit into other services such as streaming entertainment content or services which involve the exchange of money, seizing on the sorts of opportunities being exploited by fintechs.

In 2020, the number of mobile money accounts topped 1.2 billion – a rise of 13% in the space of a year. What this shows is a growing appetite to perform monetary transactions via mobile devices, devices which rely on IoT and 5G to facilitate such services.

Whether it is obtaining sensitive organizational data or personal financial details, the threat landscape for cybercriminals is becoming wider and more alluring as IoT and 5G take greater hold.  Not only is this a risk for greater masses of devices cybercriminals can access, but they can also extract sensitive data at much faster rates meaning large amounts of data can be stolen in minutes rather than days.

Of course, alongside these developments are increasingly sophisticated security technologies and defenses designed to keep networks, businesses and consumers safe, and it’s imperative that telcos adopt a device-specific risk assessment approach to IoT security.

There are many reasons why this is important. First, IoT devices interact with the physical world in ways conventional IT devices do not; many IoT devices cannot be accessed, managed or monitored in the same way either. Most IoT threats come from attackers taking advantage of factory default settings or poorly configured devices.

For each IoT device, risk assessments should answer fundamental questions such as: ‘What could go wrong?’, ‘What are the chances of this happening?’, and ‘What are the repercussions?’

Likewise, IoT itself should not be treated as a singular entity. Each device has a different business purpose – some collect data, some correlate data from multiple sensors, some present data using various algorithms. Before formulating an IoT security strategy, organizations need to take a step back and avoid falling into the trap of treating IoT equally.

PAM is part of the answer to reducing the risk

This approach will inform telcos as to who should have access to certain infrastructure and at what level (typically there are two types – access to view and access to change).

Privileged Access Management (PAM) are solutions that manage the accounts of identities (human or non-human) who have permissions to view and change critical corporate resources. These identities can be human administrators, devices or applications and are lucrative targets for cybercriminals.

Specifically, PAM tools also offer features that enable security and risk leaders to automatically randomize, manage and vault passwords and other credentials, control access to privileged accounts and isolate, monitor, record and audit privileged access sessions, commands, and actions.  The recent UK law introduced banning easy-to-guess default passwords on virtually all devices now means IoT manufacturers must look to PAM solutions to help with the automation of password security.

There are many best practices organizations can adopt in relation to PAM. Some include:

  • Treat all users as privileged users: You should aim to have end-to-end privileged access across traditional applications, endpoints infrastructure and all areas of a network.
  • Don’t stop monitoring: Seems simple, but administrative rights frequently change.
  • Monitoring for local admin accounts: Once granted administrative rights, users often create a secondary or local account that has full access but may not be properly identified in a directory system.  Practice the principle of least privilege and move to on-demand privileges.
  • Look beyond simple credentials: Password vault solutions are not the be all and end all, as IT companies are shifting away from passwords to stronger forms of authentication.
  • Use PAM to limit the risk of lateral movement: A common tactic attackers use is to exploit one set of credentials and move them laterally.

In short, PAM allows you to place stricter granular controls on the different types of roles and scope of access to devices and infrastructure; for many telcos, this is a big opportunity currently being missed.

Telcos will no longer simply be provisioners of bandwidth and internet access. Eventually, because of all the additional transactional services they are exploring, telcos will become more like banks or media providers and they must factor this in.

By providing hosted services to corporations and even small businesses, they will need to consider public access management to secure not only their own infrastructure, but also that of their clients.

By providing hosted services to businesses, #telcos will need to consider privilege access management to secure not only their own infrastructure, but also that of their clients. #cybersecurity #respectdataClick to Tweet

Security could become a key differentiator for telcos. The sooner they realize this opportunity, the more likely they are to profit and help build a safer connected society for all.

 

Chief Security Scientist & Advisory CISO at Thycotic