According to Gartner, worldwide spending on IoT security will reach $547.2 million in 2018 and $840 million by 2020. While IoT may be a game changer in many respects, from a security perspective, the game actually changes very little. At its most basic level, security in an IoT system is about having high assurance that the data is protected at all times and originates from devices which are trusted.
The fundamentals of information security include confidentiality (keeping things secret), integrity (keeping things trustworthy), availability (keeping things available when they need to be accessed), accountability (someone is responsible for security) and auditability (keeping verifiable records about the interactions in the system). Because IoT is new, there is a tendency to overthink things and to look for novel security frameworks. However, these fundamentals hold true for IoT. It may just be that the tools used to put these fundamentals into practice are different, because IoT differs from the systems of the past.
The hardest problem in any data transaction is verifying the identity of the parties involved. But once the identities are trusted, everything else is just accounting. By accounting, I mean that we are able to follow a procedure to complete the transaction (which can be anything from updating a field in the database to connecting a rider to a driver in a ride-sharing app). The procedure itself may not be easy, but it’s not nearly as hard as establishing the identity of the transacting parties. To establish identity reliably, you need to establish a trust mechanism. Since trust cannot be established in isolation, a chain of trust in the IoT ecosystem is needed.
When enterprises started moving to the cloud, many IT professionals noted that the cloud offered an opportunity to build security in, as opposed to bolting it on. This gave rise to the “secure by design” philosophy, where security was part of the blueprint from which the systems were built. In some ways, this is true for IoT as well. By applying the right security technologies to the IoT ecosystem and using a security-first mindset, we can establish trust and security from the ground up. This will ensure the next generation of connected devices can be used securely and fulfill their potential.
Unfortunately, right now companies do not have an incentive to future-proof their IoT products. Time to market and cost, along with a lack of security expertise, are the predominant forces shaping the technologies and services. It may seem like an overwhelming challenge, but it does not have to be this way. Stay tuned for my next blog where I’ll outline the building blocks for a secure IoT.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.