IoT: Get Security Right The First Time
Let's start building security into the Internet of Things now, before everything becomes connected -- and hackable.
The Internet of Things (IoT) is weaving itself into the fabric of everyday life, including smart grids, smart meters, connected cars, and devices for the home. Gartner reports there are more than 2.5 billion connected devices today, and by 2020, there will be more than 30 billion.
While there's excitement about IoT's potential to create new business and boost productivity and convenience, the technology community can't forget about security. If there's one thing IT professionals know, it's that if something is connected to the Internet, someone will try to hack it.
Unfortunately, the technology industry has a long history of ignoring security in the rush to open new markets, and we may see it happen again with IoT. We've already witnessed instances of hackers exploiting security holes in smart TVs and baby monitors.
In some cases, IoT may be able to use existing security technology, such as encryption. Encryption can be used to authenticate devices and, when used with VPNs, can safeguard sensitive data in transit.
Although VPNs are most often thought of as a technology to secure communications with corporate networks and the Internet, they can just as easily be implemented within devices to support machine-to-machine (M2M) communications and more innovative forms of connectivity.
However, encryption also comes with its own drawbacks. Consider key management, for example. As billions of connected devices get rolled out, there is a looming logistical challenge to secure and manage encryption keys.
A well-designed public key infrastructure (PKI) can cover some requirements regarding rollout and maintenance of large-scale encryption systems. However, IoT is not just a big "blob" in the cloud, but a collection of islands where each service provider -- e.g., electric utilities, set-top box providers, consumer-goods manufacturers, and so on -- has to manage its own keys on its own devices.
Encryption also may not always be an option. For instance, some low-power devices may lack the computational power necessary to encrypt and decrypt data.
Access control also presents a security challenge in an IoT world. When users are able to access an endpoint device, they're able to access the entire system, so it's necessary to have access control systems that manage user and device privileges.
Network administrators have to see the whole remote-access picture, including endpoints, VPNs, and the rest of the network infrastructure. Limiting network access, securing communications, and securing device access all need to be part of an IoT network security strategy.
There's also the issue of software. As we've learned from years of exploits against servers, PCs, and smartphones, attackers will always find vulnerabilities or weaknesses in software that they can use to their advantage.
Organizations that build IoT devices must use secure software development practices to limit potential exploits. Meanwhile, IoT vendors and customers must ensure mechanisms are in place to apply patches or update software as necessary.
More security will certainly come with increased costs. However, this is the price that must be paid to reduce risks. In the long run, any additional costs will be well worth it to ensure corporate, employee, and customer data remain secure.
The Internet of Things has great potential to transform our lives. However, to provide the highest level of end-to-end security, IoT equipment and software have to be designed -- from the start -- with security in mind, giving consideration to how each component is being used, what type of data will be communicated, what connections will be made, and who will have access.
All communication modes/channels need to be thought through from a security standpoint, and reasonable security guidelines must be established and implemented for all connected devices.
The Internet has taught us the hard way that security has to be baked in, not bolted on afterwards, for maximum effectiveness. Let's hope the technology community will apply this lesson to IoT.
This post originally appeared on InformationWeek.