The Internet of Insecure Things??

In this Digital Transformation era, enterprises need to understand their business ecosystem, customers and various internal and external environmental factors much better, so that they can transform their products, optimize operations, empower their employees and engage with customers.

There’s a huge opportunity for enterprises today to leverage the Internet of Things (IoT): to gain insight into customer usage and device performance to improve future products, to open new opportunities to monetize value-added services around product usage, to get better insight into supply chain management, and to get the ability to update products in the field to enhance capabilities and extend their life-cycle.

The IoT market in India is poised to reach USD 15 billion by 2020, accounting for nearly 5% of the total global market. The Indian government has committed over USD 1 billion of investment to building 100 smart cities every year for the next 5 years.

With IoT, everything under the sun can be connected to the internet. The bright side is that we are now able to do things we never thought would be possible before. But there’s also a flip side to IoT: it has become an attractive target for cyber criminals.

The number of units under the Internet of Things (IoT) is expected to grow exponentially to ~2 billion units in India by 2020. There will not be just one or two IoT devices in our lives; they are going to outnumber non-connected devices soon.

This will open multiple doors for sharks to crawl through in the ocean of valuable data, which in turn poses a serious threat to the business. Hence the following 3 aspects are key to making sure that our IoT systems are immune to security breaches –

1. Keep the ground rule of security the same here as well, i.e. the IoT architecture design should have a live security model covering multiple attack surfaces.

2. Eco System: IoT platform & security vendors, customers, auditors, IoT hardware manufacturers etc. facilitating open standards & security programs.

3. Government regulations and policy recommendations: Build cross-disciplinary partnerships through public-private collaboration and interagency coordination to promote security principles and guidelines.

Let’s evaluate these 3 aspects one by one –

1. IoT Security model & architecture:

IoT platform providers like Microsoft are not only enabling enterprises to leverage the business value of IoT but also embedding end-to-end security strategies within the architecture, covering device protection, threat resistance and data protection in motion & at rest.

a. Device Protection – Building secure devices is challenging. From observation of existing best-in-class devices, we argue it is more of a science than an art. If one adheres rigorously to well-understood principles and practices, building secure devices is repeatable. We have identified seven properties we assert must be shared by all highly secure, network-connected devices: a hardware-based root of trust, a small trusted computing base, defense in depth, compartmentalization, certificate-based authentication, security renewal, and failure reporting.

Cloud platform providers like MS Azure are working with standards organizations and major industry partners to employ the latest security best practices and to support a wide variety of Hardware Security Modules (HSMs), offering a resistant and resilient hardware root of trust in IoT devices as a major defense layer that raises trust in authentication, integrity, confidentiality & privacy.

Proven technologies such as Trusted Platform Modules, secure boot and BitLocker protect data at rest and provide a secure execution environment.

Device Health Attestation provides a way to verify that the boot binaries, device configuration and runtime policies are enforced on the device, and checks whether the device is in a healthy state. With Device Health Attestation, a device that is not healthy won’t get access to critical resources, e.g. Azure IoT Hub.
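A simplified model of the measured-boot check behind this kind of health attestation, added here as an example and not taken from Microsoft's Device Health Attestation service: the device extends a TPM-style PCR with each boot stage, and the verifier replays the event log against the reported PCR and a set of known-good measurements. Function names, stage names and sample bytes are assumptions, and the reported PCR is assumed to arrive in a TPM-signed quote whose signature check is omitted.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()

def boot(stages):
    """Device side: measure each stage in order; return (event_log, final_pcr)."""
    pcr, log = PCR_INIT, []
    for name, blob in stages:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return log, pcr

def evaluate_health(event_log, reported_pcr, known_good):
    """Verifier side: replay the log, then compare it with the reference values."""
    pcr = PCR_INIT
    for _, digest in event_log:
        pcr = extend(pcr, digest)
    # The log is only trustworthy if replaying it reproduces the reported PCR.
    if not hmac.compare_digest(pcr, reported_pcr):
        return False, "event log does not match reported PCR"
    for name, digest in event_log:
        if known_good.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    missing = sorted(set(known_good) - {name for name, _ in event_log})
    if missing:
        return False, f"missing measurement for {missing[0]}"
    return True, "healthy"

# Constructed sample boot chain (placeholder bytes, not real images).
GOOD_STAGES = [("bootloader", b"bootloader v1"), ("kernel", b"kernel v1"),
               ("policy", b"runtime policy v1")]
KNOWN_GOOD = {n: hashlib.sha256(b).digest() for n, b in GOOD_STAGES}

if __name__ == "__main__":
    good_log, good_pcr = boot(GOOD_STAGES)
    changed = [GOOD_STAGES[0], ("kernel", b"kernel v1 modified"), GOOD_STAGES[2]]
    bad_log, bad_pcr = boot(changed)
    print(evaluate_health(good_log, good_pcr, KNOWN_GOOD))
    print(evaluate_health(bad_log, bad_pcr, KNOWN_GOOD))
    print(evaluate_health(good_log, bad_pcr, KNOWN_GOOD))  # log hides the change
```

A platform would grant access to resources such as an IoT hub only when the first element of the result is true.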

b. Threat resistance – Windows security tools such as Device Guard, Windows Firewall and Windows Defender provide resistance against a wide range of threats: execution of unauthorized code and scripts, network attacks and malware.

c. Connection Security:

All data transmitted between the IoT device and the IoT platform should be confidential and tamper-proof. The internet connection between the IoT device and the IoT platform should be secured using standards like Transport Layer Security (TLS).

d. Cloud / IoT platform security:

An IoT platform like MS Azure IoT Suite helps keep data secure by encrypting communications and protecting data during processing in the cloud. It provides the flexibility to implement additional encryption and management of security keys.

Azure IoT Suite uses Azure Active Directory (AAD) for user authentication and authorization to provide a policy-based authorization model for data in the cloud, enabling easy, auditable, reviewable access management.

All security keys used by the IoT infrastructure are stored in the cloud in secure storage, and data can be stored in DB formats that enable you to define security levels. Azure also provides a way to monitor and audit any intrusion or unauthorized access to your data.

2. Eco System:

IoT platform & security vendors, customers, auditors, IoT hardware manufacturers etc. should facilitate open standards & security programs to provide additional assurances to customers.

Microsoft’s Security Program for Azure IoT brings together a curated set of best-in-class security auditors (including Casaba Security LLC, CyberX, Praetorian and Tech Mahindra; the list will expand as the program grows) from which customers can choose to perform a security audit on their IoT solutions, find issues and get recommendations.

Microsoft is working with these security auditing partners and standards organizations, such as the Industrial Internet Consortium (IIC), to establish industry protocols and best practices for security auditing. This is part of our commitment to establish a vibrant and safe IoT ecosystem.

Microsoft’s commitment to leadership in IoT security continues with Azure IoT improving the level of trust and confidence in securing IoT deployments. Azure IoT now supports Device Identity Composition Engine (DICE) and many kinds of Hardware Security Modules (HSMs). DICE is an upcoming standard at the Trusted Computing Group (TCG) for device identification and attestation, which enables manufacturers to use silicon gates to create device identification based in hardware, making security hardware part of the DNA of new devices from the ground up.

3. Government regulations and policy recommendations:

Innovation velocity is outpacing regulations and standards. Typical standards can take 3~5 years from start to ratification. Government policy and regulations can take as long and can be region and country specific. This is hurting a nascent area such as IoT.

Governments have unique capabilities & can serve as a catalyst for the development of good IoT security practices & for building cross-disciplinary partnerships through public-private collaboration and interagency coordination.

Policy should promote the development of secure, open, consensus-based standards. E.g. the OPC Foundation developed the open-source OPC Unified Architecture (UA) to enable secure exchange of data in industrial settings, including many of the world’s largest industrial suppliers.

Raising awareness of best security practices and guidelines is another key aspect. E.g. the Government of Korea published a guide that identifies 15 security principles for the development of IoT devices.

Also, developing enhanced guidance for safety-critical sectors is important. E.g. Japan’s National Center of Incident Readiness and Strategy for Cybersecurity recommends measures against the physical consequences of IoT security compromises.


The Internet of Things is an emerging topic of technical, social, and economic significance. Projections for the impact of IoT on the Internet and economy are impressive, with some anticipating as many as 100 billion connected IoT devices and a global economic impact of more than $11 trillion by 2025. Enterprises should incorporate end-to-end security strategies in the IoT architecture during implementation. A security model should be built covering devices, communication and IoT platforms. An ecosystem needs to be built that puts security at the center, and government can play a vital role in formalizing policies and open standards.

About Keep Security Evolving

Secure state of today , may not be true tomorrow… so keep security evolving !!!