Securing identities, protecting data in the IoT
19 January, 2016
category: Corporate, Digital ID
Jason Hart, CTO of Data Protection, Gemalto
Once it was smartphones, then it was tablets followed by wearables but this year, the hottest innovation is Internet of Things (IoT). At a fundamental level, the IoT refers to connected objects that have embedded sensors and the ability to send and exchange data over wireless networks. Examples from the recent CES show include connected cars that can turn on the lights and unlock the front door as you arrive home and smart refrigerators that display the family calendar, suggest recipes and even solve the age-old problem of forgetting your shopping list at home by sending images to a smartphone showing what food is in the fridge.
Consumer devices are only a small segment of the exploding IoT marketplace, which is expected to grow to 50 billion connections by 2020 up from 16 billion connections today. Industrial grade Machine-to-Machine (M2M) IoT solutions are optimizing operations and improving the bottom line for a range of industries and enterprise solutions. For instance, plentiful farming yields are on the rise in part due to the exploding “smart farming” sector, which uses connected farm equipment to measure soil nutrients, track livestock, manage field irrigation and even keep honeybees buzzing and pollinating. Smart energy systems are improving conservation and optimizing power generation and delivery. Plus a wide variety of remote management and tracking and tracing solutions are optimizing manufacturing and distribution as well.
The dark side of the IoT
As exciting and promising as this is, when your smart home is under attack by unknown forces, the IoT takes on a much darker hue. Digital security and privacy issues are a serious concern as the growing incidence of hacks and data breaches expose the vulnerabilities of IoT. In the first half of 2015, there were more than 880 major breaches reported that compromised well over 245 million data records. That’s the equivalent of 16 lost or stolen data records every second or 1.3 million every day.
In the race to add IP connectivity to cars, homes, cities and farms, digital security has often been an afterthought. And make no mistake; there is no shortage of hackers that will exploit any weakness they discover. Driven by a wide range of motivations including fame, fortune and the simple joy of a challenge, hackers grow more sophisticated everyday.
Trusted partner
Fortunately, the same challenges currently facing the IoT have been seen before. Gemalto has been developing solutions for decades to defend against attack in sensitive industries such as banking, health care and government. IoT developers can learn from these industries and approach connectivity with the intelligence of IT system integrators who defend against attack on all fronts and continuously update security architecture as new threat emerge.
Security by design is essential
It’s been said that “the devil is in the details” and no place is this more true than in IoT security. Just as one would never build a home without a foundation, IoT solution design must begin with intelligent security architecture as the foundation of trust in the device, the data, the network and the ecosystem. Security needs to be designed in at the beginning of development projects across the entire IoT ecosystem and not bolted on as afterthought.
The following five guiding principles for data security can help developers as they begin new IoT design and development projects:
- Confidentiality – Assure that data is confidential across the entire ecosystem and access is limited only to authorized stakeholders
- Integrity – Secure the integrity of the data, maintaining and assuring the accuracy and consistency ofdata over its entire life cycle. This is a critical aspect of design, implementation and usage because integrity attacks are difficult to identify and hackers can alter data that is used to make mission critical business decisions.
- Availability – Solution design must ensure thatdata is easily available at required levels in all situations even when challenging wireless network conditions prevail
- Accountability – Assure that system users across the ecosystem are accountable for the data they produce and the actions they take
- Auditability – Design systems that provide a clear and transparent audit trail providing evidence that the data is accurate
- Risk Evaluation and hack testing
Developers need to work with experienced and trusted security partners to know, identify and understand all potential system vulnerabilities. An early comprehensive risk evaluation is critical to implement security architecture across the entire connected device ecosystem – from the hardware components that enable connectivity, to the software running the device, out to the communication channels it uses and the cloud platforms hosting applications. In the same way that we rely on crash tests to verify the safety of a car, digital security partners can provide security ‘hack tests’ that reliably establish that a given product is secure and safe to use. These best practices help protect the device, the network and the data at rest and in motion.
Trusted identities: an important consideration
Unlike consumer devices that are connected to a single user with a tradition identity structure, IoT devices have multiple identities. Each of them needs to be secured and authenticated in order to secure the entire ecosystem.
IoT solutions need to be able authenticate the ID of a device like a connected smart tractor along with the farmer using it and the other smart farming ecosystem elements the tractor communicates with – the tractor manufacturer’s cloud system, the smart irrigation system, the farmer’s iPad. In other words, the smart tractor needs to automatically and securely authenticate that the irrigation system is who it says it is and not a malicious attacker seeking to alter crop yields for personal gain in the commodities trading market down the road.
Best practices for secure IoT solutions
With decades of experience in virtually all IoT vertical markets, Gemalto has developed field proven best practices for protecting the device, the cloud, the communication channel and the ecosystem. The following strategy for implementing end-to-end trust points and countermeasures, including hardware and software elements, can help mitigate threats and defend data when and if attacks occur.
- Protect the device – Implement tamper-proof hardware solutions and secure software to protect the device. For example, embedded Secure Elements are implemented to add a layer of physical and digital protection against intrusion and to store credentials and device data in a dedicated, secure platform.
- Encrypt and digitally sign the operating software to protect against attack. Encrypted software is useless without the keys and an electronic signature will ensure that only validated software is running on the IOT device!
- Implement strong authentication and encryption software solutions to ensure integrity and that only authorized people and applications are granted access to the IOT solution infrastructure.
- Securely manage encryption keys to protect data and manage access to connected systems
- Protect against attack across the lifecycle of the device by including an interoperable, dedicated platform to deploy security updates and launch new applications over the air without impacting other embedded software
The “Age of the IoT Revolution” has arrived and our world is quickly transforming to a place where ubiquitous connectivity provides the potential to greatly improve the way we live, work and play. Cyber attacks are inevitable. However, we can defend against them and protect data privacy by designing security architecture at the beginning of development projects and managing the entire trust ecosystem, from the edge to the core, protecting what matters, where it matters and when it matters.
