When it comes to IoT devices, we need a holistic end-to-end platform that is readily accessible to any type of product manufacturer. With such a platform, secure technologies and processes for Internet product operations can be integrated into every aspect, from the device and its embedded components, to the cloud, to the mobile terminal applications used to control the final product.
What makes a secure IoT cloud platform?
What end-to-end security means
Connectivity increases security risks. Potentially sensitive types of data generated by IoT devices in residential homes, workplaces, and public **** spaces now travel back and forth across the public **** Internet. Ensuring the security of this data can be a top priority for manufacturers as well as users of these connected devices.
In order to achieve end-to-end security in connected devices, security processes and procedures must extend to the device, the cloud, and the application - all three with their own security protocols and standards - in a fully integrated and seamless manner. For example:
Chip-level security focuses on cryptography, which includes cryptographic key transfer protocols such as Secure Sockets Layer (SSL).
Cloud-level security blends computer and network security protocols.
Application-level security encompasses security measures employed during software development and after the application is deployed.
Computers and smartphones have evolved to include sophisticated operating systems with built-in security measures. However, typical IoT devices -- such as kitchen appliances, baby monitors, and fitness trackers -- are not designed with computer-grade operating systems and don't have appropriate security features. So the question is: Who should be responsible for the end-to-end security that these connected products need?
The best answer is for connected device manufacturers to utilize a quality IoT platform.
What makes a secure IoT platform
A complete platform solution enables IoT devices to remain available and secure all the time, on the device side, in the cloud, and at the software level. Here are some important security principles that an IoT platform should adhere to:
Provide AAA security. AAA security refers to Authentication, Authorization, and Accounting that enables mobile and dynamic security. It will authenticate the user's identity, usually based on the user name and password to the user's identity; authenticated users to access network resources for authorization; authorized and authenticated users need to access network resources, will be in the process of the activities of the act of auditing.
Management of lost or stolen devices. This may include remotely erasing the contents of a device or disabling the networking of a device.
Encryption of all user authentication information. Encryption helps protect data in transit, whether it's over the Web, cell phone, wireless microphone, wireless intercom, or through a Bluetooth device.
Use binary authentication. With dual protection, hackers must break through two layers of defense when conducting an attack.
Provides security for data at rest, data in transit, and data in the cloud. The security of data in transit depends on the transmission method. Securing data at rest as well as data in transit typically involves HTTPS and UDP-based services, which ensures that each packet is sub-encrypted using AES 128-bit encryption. Backup data is also encrypted. To secure data that passes through the cloud, it may be necessary to use services deployed in an AWS virtual private cloud (VPC) environment, thereby assigning a private subnet to the service provider and restricting all inbound access.
Connected device manufacturers need support from IoT platform service providers for the following:
Potential scenarios for analyzing user data. How much privacy control should the end user have over the data, such as when do they leave the house and when do they return home? What data should maintenance or service personnel have access to? What different types of users might want to interact with the same device, and in what ways?
Think about how the customer will take ownership of the device. What will happen to the original owner's data when ownership is transferred? This idea applies not only to infrequent transfers, such as buying and moving into a new home, but also to scenarios such as hotels where tenants check in and out every day.
Process the default credentials provided when the IoT platform is first used. Many devices such as wireless access points and printers have known administrator IDs and passwords. Devices may provide administrators with a built-in web server that allows them to connect, log in, and manage the device remotely. These default credentials pose a number of potential security risks that can be exploited by attackers.
Role-based access control is essential when it comes to protecting user privacy and dealing with the various types of IoT devices in reality. With role-based access, we can tailor security to address virtually any type of scenario or use case.
Blending Security Strength with Flexibility
Manufacturers must realize that they are only as secure as their weakest link. And what IoT platforms have to do is minimize those weak links.
An IoT platform that has built-in end-to-end security will enable make security pervasive in all aspects of data collection and transmission. It will be able to provide security for device bootstrapping and authentication, access control, firewalls, and data transmission, as well as updates and vulnerability remediation after the device is deployed.
Different devices have different security requirements. For example, unlocking car doors requires strong user authentication. Protecting medical data transmitted from an outpatient heart monitor, to an internist's iPod, requires rock-solid data encryption. The architecture of an IoT platform must differentiate between these various scenarios and provide the right level of security settings with end-to-end protection for each scenario.
For some manufacturers, it may be tempting to build their own end-to-end security solutions. But unless they have senior technical expertise and extensive experience in all aspects of security, they may find this difficult to achieve.
The better solution is to leverage IoT platforms that provide the right kind of security at the device, cloud, and mobile application levels.
As the IoT continues to grow rapidly, new scenarios and use cases are emerging. New security threats are inevitable. To gain and maintain end-user trust in their platforms, IoT connected device manufacturers must choose an IoT platform that employs advanced security principles and processes, and that IoT platform must also be flexible enough to respond proactively as new security threats emerge.
When they make smart choices about IoT platforms, manufacturers will be able to ensure that vulnerabilities in hardware, software, communications, and physical security do not jeopardize the acceptance of IoT applications or threaten user privacy.