IoT: Get Security Right The First Time - InformationWeek


Let's start building security into the Internet of Things now, before everything becomes connected -- and hackable.

The Internet of Things (IoT) is weaving itself into the fabric of everyday life, including smart grids, smart meters, connected cars, and devices for the home. Gartner reports there are more than 2.5 billion connected devices today, and by 2020, there will be more than 30 billion.

While there's excitement about IoT's potential to create new business and boost productivity and convenience, the technology community can't forget about security. If there's one thing IT professionals know, it's that if something is connected to the Internet, someone will try to hack it.

Unfortunately, the technology industry has a long history of ignoring security in the rush to open new markets, and we may see it happen again with IoT. We've already witnessed instances of hackers exploiting security holes in smart TVs and baby monitors.

In some cases, IoT may be able to use existing security technology, such as encryption. Encryption can be used to authenticate devices and, when used with VPNs, can safeguard sensitive data in transit.

Although VPNs are most often thought of as a technology to secure communications with corporate networks and the Internet, they can just as easily be implemented within devices to support machine-to-machine (M2M) communications and more innovative forms of connectivity.

However, encryption also comes with its own drawbacks. Consider key management, for example. As billions of connected devices get rolled out, there is a looming logistical challenge to secure and manage encryption keys.

A well-designed public key infrastructure (PKI) can cover some requirements regarding rollout and maintenance of large-scale encryption systems. However, IoT is not just a big "blob" in the cloud, but a collection of islands where each service provider -- e.g., electric utilities, set-top box providers, consumer-goods manufacturers, and so on -- has to manage its own keys on its own devices.

In some cases, encryption may not be an option. For instance, some low-power devices may lack the computational power necessary to encrypt and decrypt data.

Access control also presents a security challenge in an IoT world. When users are able to access an endpoint device, they're able to access the entire system, so it's necessary to have access control systems that manage user and device privileges.

Network administrators have to see the whole remote-access picture, including endpoints, VPNs, and the rest of the network infrastructure. Limiting network access, securing communications, and securing device access all need to be part of an IoT network security strategy.

There's also the issue of software. As we've learned from years of exploits against servers, PCs, and smartphones, attackers will always find vulnerabilities or weaknesses in software that they can use to their advantage.

Organizations that build IoT devices must use secure software development practices to limit potential exploits. Meanwhile, IoT vendors and customers must ensure mechanisms are in place to apply patches or update software as necessary.

More security will certainly come with increased costs. However, this is the price that must be paid to reduce risks. In the long run, any additional costs will be well worth it to ensure corporate, employee, and customer data remain secure.

The Internet of Things has great potential to transform our lives. However, to provide the highest level of end-to-end security, IoT equipment and software have to be designed -- from the start -- with security in mind, giving consideration to how each component is being used, what type of data will be communicated, what connections will be made, and who will have access.

All communication modes/channels need to be thought through from a security standpoint, and reasonable security guidelines must be established and implemented for all connected devices.

The Internet has taught us the hard way that security has to be baked in, not bolted on afterwards, for maximum effectiveness. Let's hope the technology community will apply this lesson to IoT.

Patrick Oliver Graf is General Manager, Americas, of NCP Engineering. His company sells its remote-access VPNs to government agencies and other organizations. A total of 24 federal, state, and local agencies have equipped themselves with NCP's technology for fast, secure ...
User Rank: Author
6/17/2014 | 1:50:16 PM
Re: IoT
What I've been hearing more often is how the IT-centric view of information security won't cut it in the Internet of things world. Whether it's privacy policies or endpoint protection, we need people in operations, supply chains, legal, and IT rethinking security. One expert bluntly put it to me that the IT folks don't get the operational technology challenges.
Lorna Garey,
User Rank: Author
6/17/2014 | 1:46:42 PM
Business opportunity
I have been hearing for literally a decade how key management is too hard, and that's why we can't encrypt universally. Either IT and security pros are flinging excuses, or VCs have missed the boat on a huge business opportunity.
User Rank: Author
6/17/2014 | 12:10:11 PM
I saw a term on Twitter today regarding IoT security that I loved: Thingfrastructure. Readers, do you feel like your IT organizations are doing adequate IoT prep?