Extending Security to the Cloud and Beyond
The IoT’s arrival puts the security issues that arise from connectedness front and center.
The concepts of product security and embedded security have always been complex, but at least they were familiar. But the Internet of Things (IoT) takes the idea of “product” and upends it by making connectivity an integral part of the product definition.
As a result, it’s no longer enough to talk about security at the device level. Everyone from embedded system designers to manufacturers of home appliances must factor in the issues that arise from connectedness. Complicating this challenge is the fact that most IoT products were not originally conceived as connected products, and their manufacturers rarely have the in-depth expertise required to secure their products when they are connected to the IoT.
Figure 1. Typical IoT devices—such as kitchen appliances, baby monitors, fitness trackers—were not designed with computer-level operating systems or the security features they include.
What’s needed is a holistic, end-to-end platform approach to IoT-enabled devices that’s available and accessible to manufacturers of any kind of product. With such a platform approach, interoperable security technologies and processes can be woven into each step, from a device and all its embedded components to the cloud to the mobile apps used to control the final product.
What End-to-End Security Means
Connectedness increases security risks. Potentially sensitive data generated by IoT devices in our homes, workplaces and public spaces now traverses the public Internet. Securing this data is of primary concern to both the manufacturers and the users of these connected devices.
To achieve end-to-end security for an IoT-connected device, security processes and procedures must extend in a seamless, fully integrated way across the device, cloud and application—each of which has its own set of security protocols and standards. For example:
- Chip-level security focuses on encryption technologies, including encryption key transmission protocols such as Secure Sockets Layer (SSL).
- Cloud-level security combines computer and networking security protocols.
- Application-level security encompasses security measures taken during software development as well as after the app is deployed.
Computers and smartphones have evolved sophisticated operating systems with built-in security measures. But typical IoT devices—such as kitchen appliances, baby monitors, fitness trackers—were not designed with computer-level operating systems or the security features they include. The question becomes: Who is responsible for the end-to-end security that these connected products require?
The best answer is for manufacturers of connected devices to take advantage of a well-conceived IoT platform.
A Platform Approach to IoT Security
A holistic platform approach can enable IoT-based devices to be continuously available and secure, on the physical, cloud and software levels.
Here are some important security principles that an IoT platform should follow:
- Deliver AAA security. AAA security refers to the Authentication, Authorization and Accounting approach, which enables mobile and dynamic security. It means authentication of users, typically identifying an individual based on a username and password; authorization of access to network resources to authenticated users; and accounting for or auditing what the authenticated, authorized user does while accessing the network resources.
- Manage lost or stolen devices. This might include remotely wiping out the contents of a device or disabling its connectivity.
- Encrypt all user-identifiable information. Encryption helps protect data in transit, whether it’s via networks, mobile phones, wireless microphones, wireless intercoms or Bluetooth devices.
- Use two-factor authentication. With two layers of protection, hackers must breach both layers to complete an attack.
- Provide security of data at rest, in transit and in the cloud. Data security in transit is dependent on the method of transport. Securing data at rest and in transit typically involves HTTPS and UDP-based services to ensure that each packet is encrypted using AES 128-bit encryption. Backups should be encrypted, too. Ensuring that data is secure as it passes through the cloud might mean using services deployed within an AWS Virtual Private Cloud (VPC) environment, which allocates a private subnet to the service provider and restricts all inbound access.
Manufacturers of connected devices need IoT platform providers that can help them:
- Consider potential scenarios for user data. How much privacy control should end users have over data such as when they leave the house and return? What data should maintenance or service personnel have access to? What different kinds of users might want to interact with the same device, and in what ways?
- Think about how customers will take ownership of the devices. If ownership transfers, what happens to the original owner’s data? This concept applies to both infrequent transfers—such as someone buying and moving into a new house—and situations such as hotels, where guests are checking in and out daily.
- Deal with the default credentials provided when IoT platforms are first used. Many devices, such as wireless access points and printers, come with known administrator IDs and passwords. Devices might provide admins with a built-in web server so they can connect, log in and manage devices remotely. Such default credentials represent a huge potential vulnerability that can be exploited by attackers.
Role-based access control is essential for protecting user privacy and for handling the real-world usage of all kinds of IoT-based devices. With role-based access, security can be fine-tuned to handle nearly any kind of scenario or use case.
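The Python example below is added here for illustration; it is not part of the original article and not any IoT platform's actual code. It shows role-based authorization with an accounting trail, a service role that cannot read presence data, and an ownership transfer that revokes old grants and erases the previous owner's data. The role names, permissions, device ID and users are hypothetical, and callers are assumed to be already authenticated.

```python
from dataclasses import dataclass, field

# Hypothetical roles and permissions for a connected thermostat (constructed).
ROLE_PERMISSIONS = {
    "owner":   {"read_telemetry", "read_presence", "control", "manage_users"},
    "guest":   {"read_telemetry", "control"},
    "service": {"read_telemetry", "read_diagnostics"},
}

@dataclass
class Device:
    device_id: str
    grants: dict = field(default_factory=dict)     # user -> role
    user_data: dict = field(default_factory=dict)  # user -> private records
    audit: list = field(default_factory=list)      # accounting trail

    def authorize(self, user, permission):
        """Authorize an (assumed authenticated) user and record the decision."""
        role = self.grants.get(user)
        allowed = permission in ROLE_PERMISSIONS.get(role, set())
        self.audit.append((user, role, permission, "allow" if allowed else "deny"))
        return allowed

    def grant(self, actor, user, role):
        """Only a principal holding manage_users may assign roles."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        if not self.authorize(actor, "manage_users"):
            raise PermissionError(f"{actor} may not manage users")
        self.grants[user] = role

    def transfer_ownership(self, actor, new_owner):
        """Ownership change: revoke every old grant, erase prior users' data."""
        if not self.authorize(actor, "manage_users"):
            raise PermissionError(f"{actor} may not transfer the device")
        self.grants = {new_owner: "owner"}
        self.user_data.clear()
        self.audit.append((actor, "owner", "transfer_ownership", f"to:{new_owner}"))

def demo():
    # Constructed scenario: owner adds a service technician, then sells the device.
    d = Device("thermostat-01", grants={"alice": "owner"},
               user_data={"alice": ["left 08:02", "returned 17:45"]})
    d.grant("alice", "tech-7", "service")
    results = {"service_reads_presence": d.authorize("tech-7", "read_presence"),
               "service_reads_diag": d.authorize("tech-7", "read_diagnostics")}
    d.transfer_ownership("alice", "bob")
    results["old_owner_controls"] = d.authorize("alice", "control")
    results["old_data_left"] = len(d.user_data)
    return results, d.audit
```

Every decision, including denials, lands in the audit list, which is the accounting leg of AAA; the same pattern covers the hotel case by granting and revoking a guest role per stay.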
Combining Security Strength with Flexibility
Manufacturers must realize that their security is only as strong as the weakest link. Minimizing those weak links is what an IoT platform is designed to do.
An IoT platform with built-in end-to-end security allows security to permeate all aspects of data collection and transmission. It will be able to provide security for device booting and authentication, access control, firewalling, data transmission, and updates and patches once a device has been deployed.
Security requirements vary by device. For instance, unlocking the doors of a vehicle requires strong user authentication. Protecting medical data being transferred from an outpatient’s heart monitor to a physician’s iPad requires rock-solid data encryption. An IoT platform’s architecture must distinguish among these various scenarios and be able to incorporate the appropriate multilevel security with end-to-end protection.
It might be tempting for some manufacturers to try building their own end-to-end security solutions in-house. But unless they have deep expertise and extensive experience with all aspects of security, they’ll find it too daunting.
A better approach is to take advantage of an IoT platform designed from the ground up to deliver the right kind of security from the device to the cloud to the mobile app.
The IoT continues to evolve rapidly, and new scenarios and use cases are emerging all the time. New security threats are inevitable. To gain and retain end users’ trust, manufacturers of IoT-connected devices must choose an IoT platform that incorporates advanced security principles and processes and that is flexible enough to keep pace with novel security threats as they arise.
The reward for manufacturers who choose their IoT platform wisely is the knowledge that breaches in software, hardware, communication or physical security will not jeopardize the acceptance of IoT applications, nor threaten the privacy of those who use them.
David Friedman is co-founder and chief executive officer of Ayla Networks. He holds an MBA from the University of Michigan, a BA from Colgate University, and five U.S. patents.