As we move into a more connected, always-on world, the cybersecurity stakes keep getting higher.
It is estimated that there will be more than 50 billion connected devices in the world by 2020, including everything from pacemakers and insulin pumps to self-driving cars and wheelchairs to smart coffee makers and fitness trackers. While the connected devices of IoT create possibilities for optimizing our lives and businesses, they also pose a plethora of new security concerns. This rapid influx of potentially insecure connected devices presents more targets for cyberattacks, upping the ante for cybersecurity.
Vulnerabilities in IoT devices
The majority of these connected devices were built with function and design top of mind, leaving security as an afterthought or skipping it altogether. As such, many of these devices lack basic security aspects such as encryption and authentication.
The scope of security issues was made clear in August at the DEFCON hacking conference, where hackers found 47 new vulnerabilities affecting 23 devices from 21 manufacturers. The types of vulnerabilities cited ranged from bad design decisions, such as the use of hard-coded passwords and lack of transport encryption, to coding flaws, such as buffer overflows. If exploited, the repercussions could include shutting down power facilities, controlling home heating systems, bypassing smart locks or taking control of home networks.
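As an added illustration of the "coding flaws, such as buffer overflow" class named above (example code written for this article, not taken from the DEFCON findings or from any named vendor's firmware), here is a device-name handler in the unbounded form beside a bounded, fail-closed form. The NAME_MAX field size, the function names and the command payloads are all constructed for the example; the hardened version takes the payload length from the framing layer, rejects anything that does not fit rather than truncating it, and treats an embedded NUL as a malformed message.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32                 /* fixed-size field in device state (constructed) */

/* Device state: the buffer a "set name" command writes into. */
static char g_name[NAME_MAX];

/* Constructed oversized payload: 64 'A's, twice the field size. */
static const char LONG_MSG[] =
    "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA";

/* Flawed pattern: copies the network payload with no bound. Any message of
   NAME_MAX bytes or more writes past the end of out (undefined behaviour).
   Shown for comparison only; this example never calls it with an oversized
   input. */
static int set_device_name_unsafe(char *out, const char *msg)
{
    strcpy(out, msg);
    return 0;
}

/* Hardened version: the payload length comes from the framing layer and is
   checked before any copy. Fails closed (clears the field, returns -1) instead
   of silently truncating, so the caller can log and drop the message.
   Returns 0 on success. */
static int set_device_name_safe(char *out, size_t out_size,
                                const char *msg, size_t msg_len)
{
    if (out == NULL || msg == NULL || out_size == 0)
        return -1;
    if (msg_len >= out_size) {      /* must leave room for the terminator */
        out[0] = '\0';
        return -1;
    }
    if (memchr(msg, '\0', msg_len) != NULL) {   /* embedded NUL: malformed */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, msg, msg_len);
    out[msg_len] = '\0';
    return 0;
}

int main(void)
{
    const char *ok = "thermostat-01";            /* constructed, fits: 13 bytes */

    set_device_name_unsafe(g_name, ok);
    printf("unsafe, short input : %s\n", g_name);

    if (set_device_name_safe(g_name, NAME_MAX, ok, strlen(ok)) == 0)
        printf("safe, short input   : %s\n", g_name);

    if (set_device_name_safe(g_name, NAME_MAX, LONG_MSG, strlen(LONG_MSG)) != 0)
        printf("safe, oversized     : rejected (%zu bytes)\n", strlen(LONG_MSG));

    return 0;
}
```

The point of the bounded version is not only the length check but the explicit error return: a device that truncates silently still accepts the message, whereas one that rejects it gives the calling code a signal it can count and report.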
To compound the issue, connected devices by their nature collect sensitive data, from personal health information to an individual's whereabouts. Furthermore, much of this data is subject to the mandates of regulatory bodies, such as EU Data Protection and HIPAA; improperly securing and storing this information could result in hefty fines for companies.
As more companies work with connected devices, they should keep in mind these key security components to pave the path to a secure IoT future:
Build secure devices and services
In the internet of things, the entire ecosystem of platforms and devices is only as secure as its weakest link, making security on all IoT devices, and the services attached to them, paramount. For services and applications, the security processes must be updated to include strong encryption support and authentication.
When it comes to the devices, the Cloud Security Alliance (CSA) recently released a set of guidelines for IoT device makers and designers to consider for sufficiently securing connected devices. The security considerations include everything from product interfaces with authentication and encryption, to independent security assessments of IoT products.
Where to run the service and store the data
Enterprises with aging servers and networks, which are hard-pressed to meet data security standards and protect against data breaches, often find that moving those servers from data centers to the public cloud solves a lot of problems. With a cloud-based approach, businesses benefit from security controls that the provider applies consistently across all of its tenants.
However, even when using a cloud-based service to securely store data, each company that controls data remains responsible for knowing how to handle that data properly. Without that knowledge, it lacks the ability to choose a suitable cloud provider.
Check your boxes
Information security involves more than jumping through security-standard hoops. Enterprises must establish and maintain programs and requirements that ensure customer and company information is protected.
When choosing to use a cloud service for IoT service, having key personnel properly trained and certified is a plus in the evaluation and regular review of the cloud service. Organizations such as (ISC)2, SANS and the CSA provide well-known security certifications.
A key focus of evaluating a cloud provider is to make sure that its security meets the company's needs based on regulatory requirements, so it is critical to understand those requirements first. Some regulatory obligations may pass down to the cloud provider, such as the requirements for HIPAA business associates and EU data processors. In general, companies remain responsible for most of these obligations, while the cloud provider has primary responsibility for the security of the data it stores. This analysis should include making sure that the cloud provider's staff are trained and certified, and that the provider is able to produce copies of its SOC 2 or SOC 3 audit reports and well-known certifications such as the ISO 27000 series. Additional certifications may be appropriate for specific regulatory needs (PCI-DSS, Shared Assessments, HITRUST).
As we delve deeper into IoT, the critical nature of stored information, the transport of that information and the design of devices will continue to make the issue of data security paramount. If businesses place more trust in cloud security, have a firm grasp of data safety needs and meet formal standards for security, then the IoT of the future will be secure and full of potential.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.