Security Best Practices for the Internet of Things
I recently spoke at the latest InteropITX conference on the topic of IoT and cloud security. At the beginning of the session I asked a fun and simple question: “How many people in the room have two or more devices, right there with them, which can connect to the cloud?” I then asked the same question, but for people who had three devices; and then four, and even five devices.
I was impressed by the number of people who still had their hands up with three devices in that room. The winner had five devices with them, including two phones, a laptop, an iPad, and an Apple Watch.
Are you really surprised? If you look around your own home and even workplace how many devices do you have right now which can connect to the Internet? I bet it’s quite a few.
As this all sinks in remember that we are living in a vastly connected world. The latest Cloud Index Report from Cisco said that cloud services are accelerated in part by the unprecedented amounts of data being generated by not only people but also machines and things. Cisco estimates that 600 ZB will be generated by all people, machines, and things by 2020, up from 145 ZB generated in 2015.
In the very near future we’ll see almost everything become a “connected entity” – where entire cities become smart hubs creating vast amounts of data.
The Components of IoT and Security Best Practices
During my session, I discussed, from a very simple perspective, that IoT consists of six key components. That is – Compute, Connectivity, Security, Data and Analytics, Ecosystem, and Services.
Almost every connected thing has these six components in one aspect or another. Think of an Apple Watch for example. It has a compute engine, it connects via Bluetooth, security is accomplished via a unique connection, it produces a vast amount of data which is then analyzed, your ecosystem is built on the Apple platform, and finally – the watch delivers an array of services revolving around notifications, health, and more.
With this in mind – let’s look at each of these components and understand where security fits in.
- Compute: At the core of your device, you’ll have a compute engine. This can be a processor, some type of chip, or a board designed to perform a function. When you look at the compute layer – make sure you know which types of components you’re putting in. Are they validated? Where were they made? Are they easy to upgrade? Do they have any secondary functions like caching data? Yes, there will be less expensive components out there. However, make sure you work with a compute engine that fits your use-case and is easy to work with.
- Connectivity: Believe it or not, this is one of the harder questions to answer. First of all – will your device be wired or wireless? Wireless antennas aren’t entirely cheap, so know your connection protocol. For example, will it be just Bluetooth or maybe via WiFi? In that instance, which protocols will you support – a,b,g, or just n? Furthermore, the actual board or antenna you use for your connectivity requirements is important as well. Is it easy to upgrade? Can you make adjustments as needed?
- Security: The security architecture around your device will be very much dependent on your use-case. For example, if you’re working in healthcare you have to know if the device will be storing, sending and/or receiving data. And, can this data be intercepted? Furthermore, is the data PHI? Remember, just because a device is “stupid” doesn’t mean it won’t become a target. Consider this: on October 21, 2016, we experienced the single-most impactful DDoS attack ever recorded in history. The attack measured roughly 1.2Tbps in strength as it took aim at Dyn DNS services across the entire world. It was more than twice as large as any other recorded DDoS attack, ever. More than 100,000 IoT devices took aim at Dyn services and crippled parts of the Internet. Security must revolve around the device, the data it creates, how it interacts with other parts of the network, and how that data is managed. Security, when it comes to IoT, must be contextual in nature. That is – who is accessing the device, where is data being stored, how is it interacting with the network, when is it being accesses, and so on.
- Data and Analytics: This part is critical as well as it deals entirely with data and how this information is analyzed for use. All of your devices will generate data. Your job is to have data aggregation systems which can help you deliver information to analytics and monitoring engines. Outside of the device, take careful consideration around where data is being stored and how it’s being accessed. This will require an architectural approach where you visualize the entire data flow. Careful planning around this will allow you to design a platform that’s intuitive as well as secure.
- Ecosystem: Consider this as your framework. This can be storage, your overall network, and interaction with cloud services. Furthermore, it can be proprietary (think Apple), or custom-designed for your use-case. Finally, your ecosystem will need to take into consideration all of the other components of your IoT infrastructure. Your design may very well leverage new components as well as existing data center parts. Take the time to design your IoT ecosystem and absolutely take the flow of data into consideration.
- Services: In deploying IoT you must think of the use-cases for your devices. I’d recommend starting with the end-user to understand how they will be interacting with the device. The idea is to make it all as easy and intuitive as possible. From there, once you understand how the device will be interacted with, you can design the services that it’ll deliver. Is it a simple O2 and heart rate monitor or is it a more complex device delivering various services? Remember to design your IoT device based on the services it’ll be delivering. That means right-sizing the design for both current as well as future utilization. A smart design will allow the hardware to leverage new services via simple updates; instead of replacing the entire device.
In the near future we’ll see an even larger influx of connected devices and the data they all produce. For your own use-cases, make sure to plan out the design, deployment, and utilization of your connected systems. Make sure you’re clear on the components being used, where data is being transmitted/stored, and how these devices interact with your overall IT infrastructure.
Careful planning not only helps mitigate risk, it also helps you better utilize all of these connected things. And, in return, help you create even more value from the solution.