The Importance of External IoT Security Audits When Vetting An IoT Platform Partner

This is the fourth in a series of Arrayent blog posts on IoT security. The series is written for employees of companies who sell connected products, especially those new to IoT. With this series, we hope to bring a basic level of awareness and understanding of key issues that face everyone who develops connected consumer products. We also hope to stimulate an ongoing dialog that helps move the conversation about connected products security forward.

The pain of external audits

External audits: detective work or proctology? To IoT platform companies, it feels like both.

Any manufacturer of branded consumer products who is looking to partner with an IoT cloud platform will want to vet that company thoroughly to ensure its security technology, policies, and procedures are up to snuff. During the getting-to-know-you process, it is important to find out how the company views security and what its internal processes include. Asking questions about how they store data, who has access to it, the physical security procedures for employees, and whether their phones and laptops require two-factor authentication and are encrypted—these are all important items of inquiry when vetting IoT partners.

But one critical item not to overlook is the importance of external firms who are hired to audit IoT security strengths and weaknesses. External audits are a means to evaluate and test systems, practices, and operations to determine if the information assets at a company are adequately safeguarded in order to achieve the company’s business goals. The evaluation looks at whether a partner has effective internal controls to secure precious data and protect its integrity as well as comply with regulations as they apply across the globe.

TRUST, BUT VERIFY

Rarely, if ever, does someone who is vetting a prospective IoT platform partner pay for a third-party firm to conduct an audit. But you will want to know the platform partner’s policy on accepting third-party audits once you are their customer, and on an ongoing basis. For example, as part of Arrayent’s master service agreements, we accept up to two external audits per year. We limit this to two because audits can be disruptive to personnel, and we feel that accepting two audits should answer any questions on the part of the customer. When you are vetting IoT partners, you should know your rights under contract and the partner’s willingness to accept audits, in terms of both frequency and duration.

While passing an audit cannot guarantee there will never be a security breach or data handling error in the future, it can reveal whether there are any unaddressed problems now, and whether an IoT cloud platform partner continues to be a good fit for the needs of your company.

One way to use the power of third-party independent audits during the vetting process is to ask the IoT platform company how many audits it has gone through recently. Because those audits may have been initiated and paid for by the IoT platform’s other customers, it is unlikely you will be able to see the audit reports. But if, for example, you are choosing between four different IoT platform companies and find out how many times and how frequently each has been audited, you might gain a clearer picture of which among them is being put more strongly to the test—and which, presumably, is all the better for it.

FIVE BEST PRACTICES FOR IMPLEMENTING EXTERNAL AUDITS

The diffuse nature of IoT poses new challenges to security beyond traditional IT auditing, as requirements and standards for an audit will vary depending on product offerings and the markets a company serves. Industry organizations like the Cloud Security Alliance (CSA), National Institute of Standards and Technology (NIST), ISO, ISACA, Online Trust Alliance, and others, are helping define the IoT industry’s standards and best practices and are great resources as you undertake IoT partner vetting. Here are a few of the best practices we have learned about external audits over the past decade that we share with our prospective customers:

  1. When hiring an independent auditing firm, select one that is familiar with the unique challenges of IoT and has actual IoT and cloud security experience, as well as proper certifications such as CISA.
  2. When vetting IoT partners, ask if they have had previous external audits: by whom, how many, and when? Can they provide any other customer references? Will they be able to share any portion of previous audit results?
  3. Ask your IoT partner if they can pass along any independent assessments of their subcontractors (such as co-location facilities).
  4. If you are initiating an audit, make sure you clearly define your company’s objectives, priorities, requirements, unique risks, and any required deliverables from the auditing firm. Get a Statement of Work (SOW) that details how the firm will conduct the audit to meet your objectives.
  5. Stay involved as much as is appropriate and allowable to be sure the audit is conducted properly and the final audit report reflects real risks and recommendations.

Finally, to learn more about the challenges and emerging approaches to cloud security auditing, this IEEE article is an excellent resource. For more detailed advice about conducting audits, this SearchCloudSecurity article also offers valuable insights. And, for advice on how to find an external audit firm, here are recommendations by Forrester analyst Robert Stroud on the ISACA blog. If you wish to speak with Arrayent more deeply about our own security practices, contact us here.