[BreachExchange] Security as a Top Priority in the IoT Era
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Mar 26 19:45:05 EDT 2018
https://dzone.com/articles/security-as-a-top-priority-in-the-iot-era
Security needs to be addressed in every part of the IoT system, whether we
are talking about hardware, connectivity, backend software and databases,
or post-market service. That is why IoT companies should minimize these
potential problems by implementing security at the design stage. It should
include creating hardware-based security, developing authentication and
access control and secure APIs, guaranteeing safety and quality assurance,
evaluating security architectures.
Securing the Device and Data in Transit
Naturally, some form of security must be built in at the manufacturing
level. Endpoint security is often focused on, but these mass flows of data
must also be secured during transport as a new priority. Sensors collecting
data and sending them to the cloud could leave communication channels and
hardware security at risk, as data is more vulnerable when it is in
transit. The lack of encrypted communication makes device susceptible to
third parties, allowing them to access data that is sent over the network.
The focus is on building robust architectures by adding protocols, hardware
security models, trusted execution environments, trusted platform modules,
SEs, repurposed secure microcontrollers, etc.
Securing the Database and Addressing Privacy Issues
Another major component of the security puzzle that demands to be addressed
is the privacy of the data stored in databases. IoT developers need to
understand potential security threats and address them to ensure that
companies’ data, or that of their customers, is not compromised. Privacy
concerns are already a core issue with cloud systems, and this will grow as
IoT becomes mainstream. Objects will continually be collecting and
aggregating data in real time, which must be stored securely for reporting
and review.
Securing the Application
Applications serve as an excellent source of data, providing users an
insight that could make their businesses more relevant and beneficial. It
is also a source of numerous attacks. The most common vulnerabilities are
injection flaws, broken authentication, cross-site scripting (XSS),
insecure direct object references, and security misconfiguration. IoT
developers should decide which security feature to include in further
development, and it depends on several factors: availability of software
development tools, type of hardware, and OS. Implementation of a secure
software development lifecycle and secure coding is the best way to go in
the application development process.
Securing the Lifecycle Management
Companies which decide to embrace IoT will require their IoT systems to be
operative for many years, during which they will expect continual
monitoring and upgrading. Developers are faced with a challenge - they must
have a detailed plan for the whole lifecycle, from the design stage,
through deployment, management and, eventually, decommissioning. For a
buyer, this means assurance that security can be regularly monitored and
updated appropriately (when a new vulnerability is detected, patches can be
pushed). To build a sustainable security lifecycle management framework,
you need to include security services within it: secure communication and
storage, key generation and administration, authentication and
identification, and credential/device lifecycle management.
Conclusion
In a nutshell, there is no doubt that security is a must in the Internet of
Things era. It has to be implemented in every part of the IoT ecosystem -
from hardware to end-user applications. Adopting a secure IoT solution
enables relevant market insights and the maximization of resources while
protecting your data and infrastructure assets.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180326/95d121ab/attachment.html>
More information about the BreachExchange
mailing list