CIS Controls v8 Internet of Things & Mobile Companion Guides
The Center for Internet Security (CIS) launched CIS Controls v8 earlier this year. It was enhanced to keep up with evolving technology (modern systems and software), evolving threats, and even the evolving workplace. The v8 release was not just an update to the CIS Critical Security Controls (CIS Controls); the whole ecosystem surrounding the Controls has been (or soon will be) updated as well. The latest additions include the CIS Controls Internet of Things and Mobile Companion Guides.
IoT in the Workplace
Internet of Things (IoT) devices aren’t just invading our homes; these smart, connected machines have taken root in the workplace, and they’re here to stay. To help secure this new frontier, CIS released a CIS Controls Companion Guide to help organizations apply Controls v8 to the IoT. This guidance provides security recommendations for a variety of IoT devices that often present unique and complex challenges for security professionals.
IoT devices are embedded into enterprises across the globe and often can’t be secured via standard enterprise security methods, such as traditional antivirus software. Yet for ease of use and flexibility, IoT devices are often connected to the same workplace networks employees use day in and day out. IoT devices include smart speakers, security cameras, door locks, window sensors, thermostats, headsets, watches, and more – all devices that may be integrated into a typical business IT environment.
Perspectives from industry, academia, governments, and others across the world focus on the needs of their own sector, business, or area of interest. While there is no universally agreed-upon definition of IoT, there are common features:
- Communications – IoT devices can communicate with other devices. This could be via a local medium, such as radio frequency identification (RFID), Bluetooth, or Wi-Fi, or via a wide area network (WAN) protocol, such as cellular.
- Functionality – IoT devices typically have a core function as well as some additional functionality, but they do not do everything. Most IoT devices do one thing and do it well.
- Processing Capability – IoT devices have sufficient processing capability to make their own decisions and act on inputs received from outside sources, but not enough intelligence to do complex tasks. For instance, they generally cannot run a rich operating system designed for a traditional desktop or mobile device.
Security Challenges for IoT
The lack of a consistent, agreed-upon definition is itself part of the challenge of securing the IoT. IoT is a large, complex space, and common issues include:
- Ubiquity – There are a large number of devices.
- Uniqueness – Devices are developed by different manufacturers with varying version numbers.
- Ecosystem – Multiple vendors are involved in creating each device, including hardware, firmware, and software.
This makes securing the Internet of Things difficult.
Hardening Embedded Technology
IoT devices often cannot be secured via standard enterprise security methods. The first task of the CIS IoT Community, a group of dedicated IoT security professionals, was to develop a consistent approach on how to apply the CIS Controls to IoT devices commonly found within an enterprise. The approach used throughout the IoT Guide was to assess:
- How applicable the CIS Control or Safeguard is to IoT – For instance, recommendations surrounding firewalls or network visibility may not directly apply to IoT.
- What challenges exist to implement a given CIS Control for IoT – Some IoT devices are “smarter” than others and may not offer the functionality needed to take advantage of advanced security measures.
- Any additional discussion necessary to secure a device.
By working together with subject matter expert volunteers, we developed the IoT Companion Guide to help your organization implement best practices across a range of connected devices.
Focus on the Future
IoT devices are everywhere, and our security needs to move with them. Devices are the "things" in the Internet of Things and are the primary focus of this guide. Ready to start applying the CIS Controls Implementation Groups to your IoT devices? Download the free guide now.
Bringing the CIS Controls to Mobile Environments
Earlier this year, the CIS Controls team released a new companion guide to help organizations break down and map the applicable CIS Controls and their implementation in mobile environments. This new resource helps organizations implement the consensus-developed best practices using CIS Controls v8 for phones, tablets, and mobile applications.
For the Mobile Companion Guide, we focused on a consistent approach on how to apply the CIS Controls security recommendations to Google Android and Apple iOS environments. Factors such as “Who owns the data?” and “Who owns the device?” all affect how the device can be secured, and against what threats.
Device Management Styles
The guide explores various ways that organizations purchase, provision, and provide devices to employees. Styles include bring your own device (BYOD), corporate-owned, personally-enabled (COPE), fully managed, and unmanaged.
- Unmanaged – Organizations can provide access to enterprise services, such as email, contacts, and calendar, to employees without surveying or inspecting the device. Although a popular model for small companies and startups, this is the most dangerous scenario for the enterprise and should be avoided if possible.
- BYOD (Bring Your Own Device) – Devices are owned by the end-user but occasionally are used for work purposes, and should be permitted the least access to organization resources. These devices could be joined directly to a Mobile Device Management (MDM) system with end-user consent, but are more often managed through a mail and calendaring system such as Exchange ActiveSync. Access from BYOD devices to organizational resources should be strictly controlled and limited.
- COPE (Corporate Owned, Personally Enabled) – COPE devices work in a fashion similar to BYOD, except the organization owns and furnishes the mobile device themselves. Restrictions will be applied to the device, but generally don't prevent most of what the user intends to do with the device. Although a COPE device is personally enabled, it ultimately belongs to the enterprise – as does the information on the device.
- Fully managed – Devices within this deployment scenario are typically locked down and only permitted to perform business functions. Fully managed devices are often owned by the organization, as is all data residing on the device, necessitating that employees have a second device for personal use. These devices are often heavily and centrally managed, providing important security benefits but also presenting usability barriers to employees.
In this guide, we also analyzed and explored the systems that help administer and monitor mobile devices. These include Enterprise Mobility Management (EMM), MDM, Mobile Application Vetting (MAV), and Mobile Threat Defense (MTD). All of these technologies can be used in concert to protect an enterprise’s mobile footprint, and are the primary technologies used to implement the CIS Controls for phones, tablets, and mobile apps.
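The four management styles above boil down to a least-privilege access decision: who owns the device, how it is managed, and whether it currently passes its compliance checks. The following is an added example, not code from the CIS guide, that encodes that decision as a fail-closed policy evaluator. The resource tiers, the `DevicePosture` field names, and the sample devices are all constructed for illustration; in practice every posture fact should come from the EMM/MDM or MTD system, never from the device's own self-report.

```python
from dataclasses import dataclass

# Resource tiers, least to most privileged. Tier names and contents are
# constructed for this example; a real deployment takes them from its own
# access policy.
MAIL_CALENDAR = frozenset({"email", "contacts", "calendar"})
COLLABORATION = MAIL_CALENDAR | {"chat", "file-share"}
INTERNAL = COLLABORATION | {"vpn", "intranet"}
ALL_BUSINESS = INTERNAL | {"admin-tools"}


@dataclass(frozen=True)
class DevicePosture:
    """Facts about a device as reported by the EMM/MDM and MTD systems.

    Field names are assumptions made for this example.
    """
    org_owned: bool             # the organization purchased and furnishes it
    mdm_enrolled: bool          # enrolled in an MDM/EMM system
    eas_policy_applied: bool    # managed only through Exchange ActiveSync policies
    personal_use_allowed: bool  # personal apps and data permitted alongside work
    compliant: bool             # current MDM/MTD compliance result


def management_style(p: DevicePosture) -> str:
    """Classify a device into one of the four management styles."""
    if p.org_owned and p.mdm_enrolled and not p.personal_use_allowed:
        return "fully-managed"
    if p.org_owned and p.mdm_enrolled:
        return "cope"
    if not p.org_owned and (p.mdm_enrolled or p.eas_policy_applied):
        return "byod"
    # Anything else, including an organization-owned device that was never
    # enrolled, is treated as unmanaged: fail closed rather than guess.
    return "unmanaged"


def allowed_resources(p: DevicePosture, allow_unmanaged_mail: bool = False) -> frozenset:
    """Return the enterprise resources the device may reach under least privilege."""
    style = management_style(p)
    if style == "unmanaged":
        # Some organizations still grant mail/calendar to unmanaged devices.
        # Make that an explicit, opt-in risk acceptance instead of a default.
        return MAIL_CALENDAR if allow_unmanaged_mail else frozenset()
    if not p.compliant:
        # A managed device that fails its compliance check loses access
        # regardless of who owns it.
        return frozenset()
    if style == "byod":
        # EAS-only BYOD reaches mail/calendar; MDM-enrolled BYOD (with user
        # consent) may reach collaboration tools but nothing internal.
        return COLLABORATION if p.mdm_enrolled else MAIL_CALENDAR
    if style == "cope":
        return INTERNAL
    return ALL_BUSINESS


if __name__ == "__main__":
    # Constructed sample devices covering each style plus two edge cases.
    samples = {
        "personal phone, never enrolled":      DevicePosture(False, False, False, True, True),
        "personal phone, EAS policy only":     DevicePosture(False, False, True, True, True),
        "personal phone, MDM with consent":    DevicePosture(False, True, False, True, True),
        "corporate phone, personal use ok":    DevicePosture(True, True, False, True, True),
        "corporate phone, locked down":        DevicePosture(True, True, False, False, True),
        "corporate phone, failed compliance":  DevicePosture(True, True, False, False, False),
        "corporate phone, never enrolled":     DevicePosture(True, False, False, False, True),
    }
    for name, posture in samples.items():
        print(f"{name:38s} {management_style(posture):14s} {sorted(allowed_resources(posture))}")
```

Two design choices are worth noting. An organization-owned device that never enrolled in MDM is classified as unmanaged rather than fully managed, because ownership alone gives the enterprise no visibility into the device. And access for unmanaged devices defaults to nothing; the `allow_unmanaged_mail` flag exists so that the decision to grant mail and calendar to uninspected devices is recorded as a deliberate exception rather than happening by omission.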
Security on the Go
Mobile devices are everywhere – which means our security mindset needs to adapt to the unique challenges of hardening on-the-go environments and controlling remote access to enterprise resources. Identifying who owns each mobile device and who is responsible for the data it contains is one important step. With this companion guide, users can take security further and implement the CIS Controls.
Just as technology and the threat landscape have evolved, so have the CIS Controls. Version 8 and its accompanying ecosystem are a direct representation of the adaptability, simplification, and consistency that you've come to expect from the CIS Controls.