Cloud // Infrastructure as a Service
Commentary
6/17/2014
10:30 AM

IoT: Get Security Right The First Time

Let's start building security into the Internet of Things now, before everything becomes connected -- and hackable.

The Internet of Things (IoT) is weaving itself into the fabric of everyday life, including smart grids, smart meters, connected cars, and devices for the home. Gartner reports there are more than 2.5 billion connected devices today, and by 2020, there will be more than 30 billion.

While there's excitement about IoT's potential to create new business and boost productivity and convenience, the technology community can't forget about security. If there's one thing IT professionals know, it's that if something is connected to the Internet, someone will try to hack it.

Unfortunately, the technology industry has a long history of ignoring security in the rush to open new markets, and we may see it happen again with IoT. We've already witnessed instances of hackers exploiting security holes in smart TVs and baby monitors.

In some cases, IoT may be able to use existing security technology, such as encryption. Encryption can be used to authenticate devices and, when used with VPNs, can safeguard sensitive data in transit.

[All work and no play make the IoT boring. See Playing Games With The Internet Of Things.]

Although VPNs are most often thought of as a technology to secure communications with corporate networks and the Internet, they can just as easily be implemented within devices to support machine-to-machine (M2M) communications and more innovative forms of connectivity.

However, encryption also comes with its own drawbacks. Consider key management, for example. As billions of connected devices get rolled out, there is a looming logistical challenge to secure and manage encryption keys.

A well-designed public key infrastructure (PKI) can cover some requirements regarding rollout and maintenance of large-scale encryption systems. However, IoT is not just a big "blob" in the cloud, but a collection of islands where each service provider -- e.g., electric utilities, set-top box providers, consumer-goods manufacturers, and so on -- has to manage its own keys on its own devices.

(Image: ITechPress)

In some cases, encryption may not be an option at all. For instance, some low-power devices may lack the computational power necessary to encrypt and decrypt data.
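The preceding paragraphs say that encryption can authenticate devices and that each provider ends up managing its own keys on its own devices. The following added example (not code from the article or from NCP Engineering) makes that concrete with a challenge-response exchange built on a per-device secret and a per-provider key registry; the `ProviderIsland` class, the device ids, the provider names and the fixed challenge values are all constructed for the demonstration. It shows a device authenticating to its own provider, failing against another provider's "island" that holds no key for it, a captured response failing a fresh challenge, and the effect of rotating the device's key. It uses a symmetric HMAC rather than certificates so that it runs with the standard library only; the assumption is that the per-device key was provisioned into the device at manufacture.

```python
import hashlib
import hmac
import secrets


def device_response(key: bytes, provider: str, device_id: str, challenge: bytes) -> bytes:
    """Device side of the exchange: prove possession of the per-device key by
    computing an HMAC over the provider name, device id and challenge.
    Binding the provider name into the MAC keeps a response for one provider
    from being replayed against another."""
    message = provider.encode() + b"|" + device_id.encode() + b"|" + challenge
    return hmac.new(key, message, hashlib.sha256).digest()


class ProviderIsland:
    """One service provider's key registry (hypothetical structure, not from
    the article). Each island holds only the keys of its own devices."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.keys: dict[str, bytes] = {}

    def enroll(self, device_id: str) -> bytes:
        # In a real rollout the key is provisioned at manufacture; here it is generated.
        key = secrets.token_bytes(32)
        self.keys[device_id] = key
        return key

    def rotate(self, device_id: str) -> bytes:
        # Replaces the device's key; responses under the old key stop verifying.
        return self.enroll(device_id)

    def new_challenge(self) -> bytes:
        # Fresh random challenge per authentication attempt.
        return secrets.token_bytes(16)

    def verify(self, device_id: str, challenge: bytes, response: bytes) -> bool:
        key = self.keys.get(device_id)
        if key is None:
            return False  # unknown device, or one enrolled with another provider
        expected = device_response(key, self.name, device_id, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict[str, bool]:
    """Walk through enrolment, cross-island rejection, replay and key rotation.
    Challenges are fixed constructed values so the run is repeatable."""
    utility = ProviderIsland("electric-utility")
    settop = ProviderIsland("set-top-box-provider")
    meter_key = utility.enroll("meter-0001")

    c1 = bytes(range(16))  # constructed challenge
    same_island = utility.verify(
        "meter-0001", c1, device_response(meter_key, utility.name, "meter-0001", c1))

    # The set-top provider holds no key for the meter, so the meter cannot authenticate there.
    cross_island = settop.verify(
        "meter-0001", c1, device_response(meter_key, settop.name, "meter-0001", c1))

    # A response computed for one challenge does not satisfy a fresh challenge.
    c2 = bytes(reversed(range(16)))  # second constructed challenge
    replay = utility.verify(
        "meter-0001", c2, device_response(meter_key, utility.name, "meter-0001", c1))

    # After rotation the old key no longer works; the device must hold the new one.
    new_key = utility.rotate("meter-0001")
    old_key_after_rotation = utility.verify(
        "meter-0001", c2, device_response(meter_key, utility.name, "meter-0001", c2))
    new_key_after_rotation = utility.verify(
        "meter-0001", c2, device_response(new_key, utility.name, "meter-0001", c2))

    return {
        "same_island": same_island,
        "cross_island": cross_island,
        "replay_old_challenge": replay,
        "old_key_after_rotation": old_key_after_rotation,
        "new_key_after_rotation": new_key_after_rotation,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The registry is the part that does not scale on its own: every enrolment and rotation is a write to one provider's key store, and a device that talks to two providers needs two independently managed keys, which is the logistical load the article is pointing at.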

Access control also presents a security challenge in an IoT world. When users are able to access an endpoint device, they're able to access the entire system, so it's necessary to have access control systems that manage user and device privileges.

Network administrators have to see the whole remote-access picture, including endpoints, VPNs, and the rest of the network infrastructure. Limiting network access, securing communications, and securing device access all need to be part of an IoT network security strategy.

There's also the issue of software. As we've learned from years of exploits against servers, PCs, and smartphones, attackers will always find vulnerabilities or weaknesses in software that they can use to their advantage.

Organizations that build IoT devices must use secure software development practices to limit potential exploits. Meanwhile, IoT vendors and customers must ensure mechanisms are in place to apply patches or update software as necessary.
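The paragraph above asks for a mechanism to apply patches. An update path that accepts whatever it is handed is itself an exploit path, so the device side of that mechanism has to verify what it installs. The following added example (not from the article or any vendor's update system) shows the checks such a mechanism needs: the manifest must be authentic, the image must match the manifest, and the version must be newer than what is installed so that a known-bad older release cannot be pushed back on. The key, image bytes and version numbers are constructed for the demonstration, and a shared HMAC key stands in for the vendor's signing key so the example runs with the standard library; a production device would verify a public-key signature and hold no signing secret at all.

```python
import hashlib
import hmac
import json


def _canonical(version, sha256_hex) -> bytes:
    # One byte-exact encoding of the manifest body, shared by signer and verifier.
    return json.dumps({"version": version, "sha256": sha256_hex},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(update_key: bytes, version: int, image: bytes) -> dict:
    """Vendor side: describe the image (version, digest) and authenticate that
    description. Tampering with any field invalidates the tag."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(update_key, _canonical(version, digest), hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "tag": tag}


def accept_update(update_key: bytes, installed_version: int,
                  manifest: dict, image: bytes) -> tuple[bool, str]:
    """Device side: accept only an authentic manifest, a version newer than the
    installed one (anti-rollback) and an image whose digest matches the manifest."""
    version = manifest.get("version")
    digest = manifest.get("sha256")
    expected = hmac.new(update_key, _canonical(version, digest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("tag", ""))):
        return False, "manifest not authentic"
    if not isinstance(version, int) or version <= installed_version:
        return False, "version not newer than installed (rollback refused)"
    if hashlib.sha256(image).hexdigest() != digest:
        return False, "image does not match manifest"
    return True, "update accepted"


def demo() -> dict[str, bool]:
    """Exercise the accept path and each refusal path with constructed inputs."""
    key = b"constructed-update-key-for-demo-only"
    v3 = b"firmware image v3 (constructed)"
    v4 = b"firmware image v4 (constructed)"
    good = sign_manifest(key, 4, v4)
    old = sign_manifest(key, 3, v3)
    return {
        "genuine_newer": accept_update(key, 3, good, v4)[0],
        "tampered_image": accept_update(key, 3, good, v4 + b"!")[0],
        "rollback_to_older": accept_update(key, 4, old, v3)[0],
        "forged_version": accept_update(key, 3, {**good, "version": 5}, v4)[0],
        "wrong_key": accept_update(b"some-other-key", 3, good, v4)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The order of the checks matters: authenticity is verified before any field of the manifest is trusted, so the version and digest used for the later checks are the ones the vendor actually signed.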

More security will certainly come with increased costs. However, this is the price that must be paid to reduce risks. In the long run, any additional costs will be well worth it to ensure corporate, employee, and customer data remain secure.

The Internet of Things has great potential to transform our lives. However, to provide the highest level of end-to-end security, IoT equipment and software have to be designed -- from the start -- with security in mind, giving consideration to how each component is being used, what type of data will be communicated, what connections will be made, and who will have access.

All communication modes/channels need to be thought through from a security standpoint, and reasonable security guidelines must be established and implemented for all connected devices.

The Internet has taught us the hard way that security has to be baked in, not bolted on afterwards, for maximum effectiveness. Let's hope the technology community will apply this lesson to IoT.


Patrick Oliver Graf is General Manager, Americas, of NCP Engineering. His company sells its remote-access VPNs to government agencies and other organizations. A total of 24 federal, state, and local agencies have equipped themselves with NCP's technology for fast, secure ...
Comments
Patrick Oliver Graf,
User Rank: Apprentice
6/19/2014 | 1:33:27 PM
Re: IoT
You make a good point, as all departments need to have a seat at the table to discuss security issues that affect their roles in running the business. Whether due to BYOD or necessitated by enterprise requirements, a wide range of new connected devices will be accessing networks in the coming years and numerous threat vectors will emerge to exploit them. These trends will affect everyone in an organization who uses or interacts with a device that connects to the corporate network.

IT departments will have to approach information security, and implementing policies and technologies, more collaboratively and flexibly. As IT professionals are already learning from the BYOD trend, flexibility and open dialogue are necessary to support the systems and devices departments and users need but still maintain security. To do that, given the limited resources they have, IT's priorities for information security must also shift to centrally managing and automating as many of their management tasks as possible and using network and security components that are interoperable. As we've seen from the Target breach, organizations' systems are more interconnected than many often think, but often not by design, and a truly holistic, defense in depth approach is required.
Jon Geater,
User Rank: Apprentice
6/17/2014 | 5:22:54 PM
Re: Business opportunity
Encrypting universally is easy. It wouldn't even take VC money to do it.

Decrypting on the other hand...you might find some issues with that.

One of the many issues here is that key management is a fourth-order problem. You only need key management because you started encrypting (or signing, or authenticating) stuff. And you only started encrypting (or signing, or authenticating) stuff because other bits of the network of systems that handle your data don't otherwise adequately secure it.

And what's adequate? Well, that's up to you, and up to what your data is, and up to what the consequences are if your data is leaked, or copied, or corrupted. There's your first-order problem.

In IoT you have large numbers of actors, many different types of data, and crucially your expectations about who or what is allowed to decrypt any given lump of information may well change depending on very complex factors that cannot be analysed by the thingfrastructure itself.

Specific key management for specific closed, controlled scenarios is well understood, and has been for more than the decade you mention (though I concede even in these situations it's rarely done right). Generalized key management to suit all possible definitions of 'adequate' for all possible combinations of dynamic actors, systems and data? That's the toughie.
Stratustician,
User Rank: Ninja
6/17/2014 | 2:38:20 PM
Re: Business opportunity
I think a lot of it has to do with the technology that comes with IoT. Since many use RFID, the security controls simply aren't in place in how the technology operates. Since the transmitter is essentially a dumb terminal in that it will respond to any request it receives, it would require an overall change to how these operate, meaning redesigning the receivers to understand encrypted data. Other technologies require the same type of key component, which sadly often gets omitted during the technology design phase when it comes to how these are utilized (in cars etc). Needless to say, it's a very real concern as IoT continues to be used in more everyday applications.
ChrisMurphy,
User Rank: Author
6/17/2014 | 1:50:16 PM
Re: IoT
What I've been hearing more often is how the IT-centric view of information security won't cut it in the Internet of things world. Whether it's privacy policies or endpoint protection, we need people in operations, supply chains, legal, and IT rethinking security. One expert bluntly put it to me that the IT folks don't get the operational technology challenges.
Lorna Garey,
User Rank: Author
6/17/2014 | 1:46:42 PM
Business opportunity
I have been hearing for literally a decade how key management is too hard, and that's why we can't encrypt universally. Either IT and security pros are flinging excuses, or VCs have missed the boat on a huge business opportunity.
Laurianne,
User Rank: Author
6/17/2014 | 12:10:11 PM
IoT
I saw a term on Twitter today regarding IoT security that I loved: Thingfrastructure. Readers, do you feel like your IT organizations are doing adequate IoT prep?