
IoT data is growing fast, and security remains the biggest hurdle

Data is the backbone and currency of the internet of things. Whether it’s a sensor generating temperature data, a sock tracking a baby’s vitals or a vending machine that sends alerts when products are low, IoT data needs to be transmitted, processed, secured and potentially stored. One thing is clear: The choice of which data to capture and what to leave behind is a strategic business decision that varies widely depending on the company, business goals and industry. Regardless of how a business deals with this data, cloud storage is the way forward and a key enabler for the growth of and continued innovation in IoT.

Cloud storage is gaining momentum in business overall, and with wider accessibility and lowered costs, the cloud is becoming an option to manage the copious amounts of data created by IoT. But even with lowered costs, the sheer volume of IoT data that needs to be stored, transported and processed can quickly drive up the costs beyond the budgets of many enterprises. There are different schools of thought on how to approach this, and embracing computing “on the edge” is one solution many are considering when tackling the data storage issue, particularly for industrial IoT applications.

Processing in hardware at the edge is a more cost-effective data storage alternative, allowing most of the data management and processing to happen closer to the source of the data, on the edge or fog area of the network, rather than deep in the cloud network. Edge, or fog, computing complements the cloud storage strategy: it reduces the costs of transit and storage by completing repetitive tasks and computations on network devices, and then transporting key data and anomalies back to the core network in the cloud.

Shifting IoT data to the cloud presents other challenges beyond just cost. To make data and costs manageable from a business perspective, there are several important questions that need to be asked:

  • Do I want a single-source strategy for my data storage?
  • How — if ever — do I get my data out of the cloud or switch it to another cloud, should I ever want to?
  • How dependent is my business model on that one cloud provider?

Regardless of what cloud strategy a business decides to take, it needs to ensure that the device, and the data collected from it, remains safe. The most reliable way to manage the point of cloud vendor dependency is to always encrypt data before moving to the cloud, and keep the keys separate.

Data exploitation, storage and security remain issues

Storing and accessing the growing amounts of IoT data is quickly becoming a major issue. As companies leverage the cloud to store their data, cleaning up the cellar and moving it all offsite can mean there are additional security concerns with storing and accessing this data. Unfortunately, many companies do not encrypt IoT data before moving it to the cloud.

According to 2017 survey data collected from Altman Vilandrie & Company, 46% of IoT security buyers have experienced an IoT-related security intrusion or breach in the last two years, which seems to suggest that while traditional cybersecurity is taking a front seat for most industries, it’s still an afterthought for IoT.

A quick look at headlines shows there has been no shortage of high-profile data breaches over the last few years, with a few racking up millions of dollars in costs. Considering how many devices are being connected in homes, businesses and hospitals, utilities and other critical infrastructures, we are widening the paths of opportunity for malicious hackers, which is why it’s so important to encrypt the IoT data before moving it into a cloud environment.

The most recent Petya and WannaCry ransomware attacks that spread globally prove that just one infected machine or system has the potential to halt production and shut down an entire factory or other critical infrastructure. If these attacks are any indication of things to come, then the industry must find better solutions to address cybersecurity before these connected IoT devices become the next attack path.

It’s all in the “keys”

Data and device security in IoT continues to be a major issue, as organizations of all sizes struggle to find the right security regimen to meet their needs. However, if the most important first step to keeping IoT data safe in a cloud environment is ensuring it’s encrypted, then the second key step is ensuring that the keys to that data are kept separately.

Many companies in the IoT ecosystem are starting to realize how important it is to implement robust encryption policies that include high-quality cryptographic keys. Strong encryption results from strong cryptographic keys generated from a quality source like a hardware security module (HSM), which can be used for the creation, storage and management of cryptographic keys. By keeping the keys separate from where the rest of the IoT data is being stored, companies are effectively safeguarding who has access to the data. In many cases, this also means restricting access to the vendor tasked with storing the IoT data.

There are a few established security and cryptographic protocols that can easily be adapted to meet the needs of IoT manufacturers, including:

  • Key injection — Ensuring the secure transfer of data is a critical industry priority. As one component of an HSM, companies can insert individual digital keys into semiconductors during production using a true random number generator. With each unique key, the connected device or thing is given a “digital identity” that authenticates it throughout its entire lifecycle from creation all the way into the consumer’s home.
  • Code signing — It’s fundamentally important that software code is delivered from its developer to its precise destination intact and unaltered. By ensuring the software receives an individual, unique public key during the development phase of the device, this small step can go a long way to ensure that the code is both genuine and correct. If an IoT device receives software that doesn’t have the matching key signature coinciding with what’s embedded in its system, then that code is automatically rejected, thus safeguarding the overall system from a breach or attack.
  • Authentication as the basis for access — As IoT systems grow and need to communicate with each other, they may need improvements and updates along the way. One way to confirm the safety of this process is by ensuring proper authentication practices are put in place. Only those who have the digital key can make changes to the system — for example, to download necessary software updates or upgrades. For maintenance work by service staff, access can be secured using a public key infrastructure.
  • Hardware security modules — Enabling the secure communication of IoT data is a critical industry priority considering the billions of devices that will be connected wirelessly by 2020. That data should only ever be stored in an encrypted database. The cryptographic key material should then be managed and stored physically separated from that database in an HSM. This protects the data against unauthorized access, even if database contents get into the hands of cybercriminals.
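The device-side check from the code signing item, as an added example that is not from the original article. It assumes one common arrangement: the vendor signs with an Ed25519 private key, the device embeds the matching public key, and the update package is the image followed by a 64-byte signature. The function names, package layout, keys and firmware bytes are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed package layout for this example: image bytes || 64-byte Ed25519 signature.
const SIG_LEN = 64;

// Build side: the private key stays with the vendor (ideally inside an HSM).
function buildUpdate(vendorPrivateKey, image) {
  const signature = crypto.sign(null, image, vendorPrivateKey);
  return Buffer.concat([image, signature]);
}

// Device side: only the public key is embedded. Anything that does not verify
// against it is rejected before it can be installed.
function acceptUpdate(embeddedPublicKey, pkg) {
  if (pkg.length <= SIG_LEN) {
    return { ok: false, reason: "package too short" };
  }
  const image = pkg.subarray(0, pkg.length - SIG_LEN);
  const signature = pkg.subarray(pkg.length - SIG_LEN);
  if (!crypto.verify(null, image, embeddedPublicKey, signature)) {
    return { ok: false, reason: "signature does not match embedded key" };
  }
  return { ok: true, image };
}

// Constructed demo: a genuine package, then the same package with one bit flipped.
const vendor = crypto.generateKeyPairSync("ed25519");
const firmware = Buffer.from("firmware v2 image (constructed)");
const update = buildUpdate(vendor.privateKey, firmware);
const tampered = Buffer.from(update);
tampered[0] ^= 0x01;

console.log(acceptUpdate(vendor.publicKey, update).ok);
console.log(acceptUpdate(vendor.publicKey, tampered).reason);
```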

Keep the keys and encrypted data separate

HSMs play a crucial role in ensuring that the data generated by IoT is kept safe while stored in the cloud. HSMs not only generate the keys, but provide a secure wrapper around the master keys, all in a secure and tamper-proof setting. Previously, using an HSM meant purchasing and maintaining a physical device on premises, either as a PCI card or a rack-mounted appliance. As with other business services that have moved to the cloud, you are now able to access the full benefits of an HSM through the cloud via an HSM as a service model.

One clear message for storing secure data in the cloud is to ensure you are keeping your encryption keys and encrypted data separated. Two of the largest global cloud service providers provide both cloud storage and HSM services. A one-stop shop (two services and one bill) might sound like a great idea, but it carries a certain amount of risk. For example, if the master keys are stored with the encrypted data and the cloud service is hacked, there is a possibility of those master keys becoming compromised as well. If cybercriminals have the master keys, they can have access to your data. Likewise, HSM as a service typically has a multi-tenancy architecture where multiple customers will be served through secure partitions on the cloud HSM. The potential issue is if that particular server is subpoenaed or seized by legal authorities due to the actions of another customer. The cloud service provider may comply with the subpoena without your authority, allowing others to have access to your keys and secure data.

Companies are best served by retaining full access to the keys that safeguard the data, storing them in an HSM either in the cloud away from their data storage provider or on premises in a physical HSM they control. Once the cryptographic keys are secure in a separate cloud HSM or on-premises HSM, not even the vendor storing the IoT data will have access to the keys.
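An added example, not from the original article: envelope encryption in Node.js, where each record is encrypted under its own data key and only a wrapped copy of that key is stored beside the ciphertext. The `KeyVault` class is a hypothetical stand-in for an HSM or HSM-as-a-service partition kept away from the storage provider; the device ID and reading are constructed.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM helpers. Output layout: nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, nonce).setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function open(key, box, aad) {
  if (box.length < 28) throw new Error("truncated ciphertext");
  const d = crypto.createDecipheriv("aes-256-gcm", key, box.subarray(0, 12));
  d.setAAD(aad).setAuthTag(box.subarray(12, 28));
  // final() throws if the key, the AAD or any ciphertext byte is wrong.
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}

// Hypothetical stand-in for the HSM: the master key is a private field and
// only wrap/unwrap cross the boundary.
class KeyVault {
  #master = crypto.randomBytes(32);
  wrap(dataKey, deviceId) { return seal(this.#master, dataKey, Buffer.from(deviceId)); }
  unwrap(wrapped, deviceId) { return open(this.#master, wrapped, Buffer.from(deviceId)); }
}

// The returned record is everything the storage provider holds:
// ciphertext plus a wrapped key, never a usable key.
function encryptForCloud(vault, deviceId, reading) {
  const dataKey = crypto.randomBytes(32); // fresh key per record
  const ciphertext = seal(dataKey, Buffer.from(reading), Buffer.from(deviceId));
  return { deviceId, wrappedKey: vault.wrap(dataKey, deviceId), ciphertext };
}

// Decryption needs the vault; a stolen record on its own is not enough.
function decryptFromCloud(vault, record) {
  const dataKey = vault.unwrap(record.wrappedKey, record.deviceId);
  return open(dataKey, record.ciphertext, Buffer.from(record.deviceId)).toString();
}

const vault = new KeyVault();
const record = encryptForCloud(vault, "sensor-17", '{"temp_c":21.4}'); // constructed reading
console.log(decryptFromCloud(vault, record));
```

The device ID is passed as associated data, so a record copied under another device's ID fails authentication as well.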

HSM as a service is also helping smaller cloud service providers remain competitive in an increasingly crowded market. By providing a reliable service for end-customers looking to move business-critical data to the cloud, these smaller companies no longer have to worry about building their own in-house offerings from the ground up. Instead, they provide their customers with the flexibility and accessibility of a secure cloud HSM as a service, solving what was once a major hurdle for cloud adoption.

Overall, the future of IoT looks brighter than ever. With many more connected devices in development every day, there’s no stopping its proliferation into our homes, streets and even cities. Unfortunately, as industries trust important parts of their business to software-enabled systems or services, such as connected cars, smart energy distribution grids or electronic payment infrastructures, the potential for abuse is a given.

Many IoT manufacturers are realizing how important it is to implement strong encryption policies with high-quality cryptographic keys generated by a true random source. Whether that’s through basic digital signatures or taking a bigger step toward encrypting all the data, securing IoT is imperative if companies hope to protect their customers, their data and their reputations. It’s certainly where hardware security modules can best be used, and it’s only a matter of time until the rest of the industry has adopted this technology.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.