{"id":2214,"date":"2017-04-18T11:04:48","date_gmt":"2017-04-18T09:04:48","guid":{"rendered":"https:\/\/www.ofcourseimright.com\/?p=2214"},"modified":"2017-04-18T11:04:48","modified_gmt":"2017-04-18T09:04:48","slug":"addressing-the-department-gap-in-iot-security","status":"publish","type":"post","link":"https:\/\/ofcourseimright.com\/?p=2214",
"title":{"rendered":"Addressing the Department Gap in IoT Security"},
"content":{"rendered":"<p>So, Mr. IT professional, you suffer from your colleagues at work connecting all sorts of crap to your network that you\u2019ve never heard of? You\u2019re not alone. As more and more devices hit the network, the ability to maintain control can often prove challenging. Here are your choices for dealing with miscreant devices:<\/p>\n<ol>\n<li>Prohibit them and enforce the prohibition by firing anyone who attaches an unauthorized device.<\/li>\n<li>Allow them and suffer.<\/li>\n<li>Prohibit them but do not enforce the prohibition.<\/li>\n<li>Provide an onboarding and approval process.<\/li>\n<\/ol>\n<p>A bunch of companies I work with generally aim for 1 and end up with 3. A bunch of administrators recognize the situation and fit into 2. <strong>Everyone<\/strong> I talk to wants to find a way to scale 4, but nobody has, as of yet. What does 4 involve? Today, it means an IT person researching a given device, determining what networking requirements it has, creating firewall rules and some associated policies, and establishing an approval mechanism for a device to connect.<\/p>\n<p>This problem is exacerbated by the fact that many different enterprise departments have wide and varied needs, and the network is critical to many of them. Furthermore, very few of those departments report through the chief information officer, and the concerns of chief information security officers often do not get the attention they deserve.<\/p>\n<p>I would claim that the problem is that incentives are not well aligned, even when people in other departments are aware of the IT person\u2019s concerns in the first place, and often they are not. The person responsible for providing vending machines just wants to get the vending machines hooked up, while the person in charge of facilities just wants the lights to come on and the temperature to be correct.<\/p>\n<p>What we know from hard experience is that the best way to address this sort of misalignment is to make it easy for everyone to do the right thing. What, then, is the right thing?<\/p>\n<h3>Prerequisites<\/h3>\n<p>It has been important pretty much forever for enterprises to be able to maintain an inventory of devices that connect to their networks. This can be tied into the DHCP infrastructure or to the device authentication infrastructure. Many such systems exist, the simplest of which is Active Directory. Some are passive and snoop the network. The key point is simply this: you can\u2019t authorize a system if you can\u2019t remember it. In order to remember it, the device itself needs to have some sort of unique identifier. In the simplest case, this is a MAC address.<\/p>\n<h3>Ask device manufacturers to help<\/h3>\n<p>Manufacturers need to make your life easier by providing you a description of what the device\u2019s communication requirements are. The best way to do this is with Manufacturer Usage Descriptions (MUD). When MUD is used, your network management system can retrieve a recommendation from the manufacturer, and then you can approve, modify, or refuse a policy. By doing this, you don\u2019t have to go searching all over random web sites.<\/p>\n<h3>Have a simple and accessible user interface for people to use<\/h3>\n<p>Once this is in place, you have a system that encourages the right thing to happen, without other departments having to do anything other than identify the devices they want to connect. That could be as simple as taking a picture of a QR code or entering a serial number. The easier we can make it for people who know nothing about networking, the better all our lives will be.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>People in departments outside of IT aren\u2019t paid to understand IT security. In the world of IoT, we need to make it easy for those people to do the right thing.<\/p>\n","protected":false},
"author":172,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[545,536,9,1],"tags":[565,511,546],
"class_list":["post-2214","post","type-post","status-publish","format-standard","hentry","category-iot","category-mud","category-security","category-uncategorized","tag-enterprises","tag-iot","tag-iot-security"],
"_links":{"self":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/2214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/users\/172"}],"replies":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2214"}],"version-history":[{"count":2,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/2214\/revisions"}],"predecessor-version":[{"id":2216,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/2214\/revisions\/2216"}],"wp:attachment":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}