Protecting the internet of things
Myriad articles have already been written regarding the internet of things. Advances in computing, communications and sensor technologies bring intelligence to previously passive objects, create new business models, drastically increase the volumes of data generated and improve the precision, accuracy and productivity of just about every industry.
The advances made possible by IoT now seem almost inevitable. IoT has become pervasive, ubiquitous and essential. The benefits of IoT are being realized in nearly every industry:
- Agriculture: Sensors that monitor soil and microclimate conditions, automated fertigation, robotic harvesting
- Automotive: Connected cars, autonomous vehicles, insurance based on driving habits
- Construction: Material tagging and tracking, worker safety
- Healthcare: Wearables and embedded devices to monitor patient health
- Local government: Public safety, parking management, electric vehicle charging stations
- Household: Amazon Echo, intelligent thermostats, smart appliances
- Manufacturing: “Lights-out” factories, cobots, digital twins
- Retail: Location-based promotions, store traffic analysis, automated checkout
- Transportation: Optimized traffic flows, vehicle-to-vehicle communication, predictive maintenance
- Utilities: Smart meters, leak detection, renewable energy sources
Unfortunately, these transformational innovations provide an entirely new set of cybersecurity targets. With IoT assuming a greater role in our daily activities, data theft, disruption of services and takeover of critical equipment become all the more consequential. The massive volumes of data generated combined with the rapidly increasing number of connected devices makes IoT security a formidable challenge.
IoT cybersecurity threats on the rise
According to Symantec’s Internet Security Report, Volume 23, attacks against IoT devices increased 600% in 2017 over 2016. Routers and modems are primary targets for IoT attacks with poor security, weak passwords, unpatched vulnerabilities and hijacked software updates being the most common means of entry. That statistic should keep corporate executives and IT personnel awake at night.
Well aware of these threats, enterprises are making significant investments to improve IoT security. In a March 2018 press release, Gartner stated, “IoT-based attacks are already a reality. A recent CEB, now Gartner, survey found that nearly 20% of organizations observed at least one IoT-based attack in the past three years. To protect against those threats Gartner, Inc. forecasts that worldwide spending on IoT security will reach $1.5 billion in 2018, a 28% increase from 2017 spending of $1.2 billion.” Despite these investments, many enterprises simply have little to no control over software and hardware utilized by smart connected devices. Given the plethora and variety of devices and the challenge of ensuring security, cloud architects and data security professionals must implement consistent strategies to prevent these attacks. An interconnection-oriented architecture to ensure private data communications and a centralized data encryption strategy will help enterprises protect against IoT cyberattacks.
Interconnection-oriented architecture for IoT security
Much of the value of IoT lies in the data. Billions of IoT devices generate parcels of data that, more often than not, are digital representations of the physical world. Operational attributes such as speed, temperature, pressure, location, dimensions, distance, volume, vibration, sound and images are captured and transmitted for processing in the cloud. Historical and real-time analytics are then applied to data to identify patterns that indicate operational anomalies, respond to requests or provide feedback to improve system performance.
Unfortunately, the huge volumes of data moving across the widely-distributed networks that connect sensors, devices, machines, infrastructure and data centers are vulnerable to attack. A successful attack can be disruptive, if not devastating.
Enterprises with widely distributed operations need secure connectivity between their evolving digital edge where IoT devices exist and their infrastructure edge where their applications live within data centers providing real-time IoT data aggregation, analysis and storage. Private interconnection, therefore, offers a secure means of protecting transmitted data from cyberattacks.
The enormous amounts of data collected and analyzed in real time for IoT-based products and services to function efficiently require instant action. Proximity to the digital edge ensures low-latency interconnections between the devices, sensors, machinery, infrastructure and cloud-based analytical applications that drive performance.
A centralized data encryption strategy
In addition to establishing secure interconnections among IoT devices, applications and data exchanges, enterprises need to securely protect IoT data. It’s a well-established fact that encryption is the best practice for protecting data from cyberattacks. In the event that a hacker surmounts your defenses, the stolen information will be useless if you’ve properly encrypted the data and protected the encryption keys.
Consider the public and private keys of SSL certificates. The public key is accessible to all, but the private key must be strongly protected. If a hacker gains access to the private key, communications can be decrypted, providing the hacker with access to personally identifiable information, security credentials or financial records — a nightmare for any enterprise. Private keys should be stored in a secure, well-managed environment, separate from the data they decrypt and, ideally, separate from the cloud provider’s environment where encrypted data is stored. Without access to the encryption keys, data remains just meaningless ciphertext.
For the most critical IoT data, security professionals need to establish encryption protocols to protect data moving between the digital edge and the cloud-based systems and applications that manage, analyze and store that data. The complexity of devices and applications and data managed in different cloud providers makes this a significant challenge for many enterprises.
Hardware security modules (HSMs) have historically provided the most secure protection for encryption keys. These plug-in or external device hardware modules were purchased and provisioned on-premises in an enterprise’s data center. But as enterprises rapidly adopt cloud environments — private, public and hybrid — the HSM approach to key management is no longer simple.
Today, HSM selection and provisioning is typically done by your cloud provider. With the vast majority of enterprises using multiple cloud providers, management of the different HSMs places an unnecessary burden on an enterprise’s data security organization. When managing encryption keys in multi-cloud environments, HSMs have limitations.
One means of simplifying the complexity of data encryption across a variety of cloud environments is by establishing a single, centralized method of encryption key management.
A cloud-neutral approach to encryption key management builds on the proven capabilities of the cloud. It’s available on demand as a service, so it’s implemented quickly and scales easily as your business grows or as data volumes increase. It offers HSM-grade security without the need for physical hardware security modules. You can think of this as HSM as a service. Encryption keys are held in an encrypted database when not in use and are only available inside a secure enclave, which ensures that the key material is never available in plaintext to any software component. The keys, including the key material and the related metadata, are encrypted both in use and at rest.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.