IoT - A Demand For Security
Tony Richardson
A Highly Seasoned Tech Veteran with Specialties in Cybersecurity, Compliance, Cloud Computing, AI/ML, and DevOps. 28-years of broad and highly-involved experience and expertise. Serial Entrepreneur.
Why Securing IoT will be a HUGE Reality
What are Things?
Over the past few years there has been a growing buzz around IoT, otherwise known as the Internet of Things, as the next major step in the evolution of using computers and data to communicate between types of items. With IoT we are talking about globally interconnecting devices or other things so that they intercommunicate for a variety of functions. One of the main defining terms in IoT is “smart devices”. Smart devices are objects and things that interact in order to perform a specific function. A good example emerged with RFID technology, and this concept has since been extended considerably to the current vision, which envisages a plethora of heterogeneous objects interacting with the physical environment. Smart homes, where you can set your ideal room temperature during the winter months via a key fob or smartphone, are another example of how IoT is and will be implemented. When it comes to home security and making sure access is restricted, it isn’t hard to imagine how a hacker could clone source information or even hijack a session to control facets of the smart home’s functions. This is at the heart of why securing IoT needs to be at the forefront of the revolution in how we implement the features.
One of the biggest proponents in moving the IoT revolution forward is Intel. Intel's head of business marketing, Stuart Dommett, said, "When we look at consumers, they don't really care about privacy and security. They think they do, but they don't really understand it. They are really offended when you lose their data, but at the end of the day when we look at the cloud - and this is something where BYOD is coming from - you have to start to trust the entry points, and that means a whole new security model for this to work.
"You're going to have to secure the device or the sensor, you need to secure the data, and you're going to have to secure that across an open network - it really is a massive, massive change." Dommett added that the Internet of Things revolution and the debate surrounding personal data will have a huge impact going forward, and said that businesses need to pay attention.
"The access to personal data is probably one of the biggest changes we've got going forward - and it can destroy your company. It's very important [that] we understand what that security model is going to look like, because we can't afford to run private networks," he said.
So, in the spirit of following the logic from Intel, in combination with my years and years of IT security experience and expertise, one should honestly consider the risk factors for end points within the IoT model, protecting the transport of data between smart devices, ensuring the integrity of the data, and effective reporting down to every bit within the exchange. Connecting billions of things to the public Internet (including clouds) presents a large set of potential risk factors that can result in exploitation and harm. Breaches via unauthorized access or misuse of data become a serious reality and a force to deal with within IoT. This is just the sheer nature of the beast.
Let’s look at where security is as a whole right now. We have legacy on-premises or hosted security solutions with your basic firewall, access control, proxies, authentication, SIEM, IDS/IPS, and DLP. We also have the organizations that have gone with the trend and migrated to an “aaS”, better known as “as-a-service”, model. Then we have the organizations that have gone beyond “aaS” and employ private and public cloud solutions. All of these depend heavily on infrastructure investments to protect the perimeter, the interior, and data integrity, to guard against intellectual property theft, and to provide tools for effective reporting. The cost differential between the options is vast, but the primary objective is still the same: protect the end points as if there is no perimeter Internet security, and protect the perimeter as if there is no endpoint security. IoT has just augmented these models and technology options and presented a new challenge: the unknown.
The right way to approach securing IoT involves these approaches:
- No “Raw” Internet but instead Clouds – The type of cloud and the embedded security policies will determine the type of data traversing it and how this data is secured. A private cloud will involve heavier encryption over the network, on top of the end point encrypting each packet that a sensor, device, or other IoT node sends on the wire. Public clouds will need to rely more heavily on legacy AAA (authentication, authorization, and accounting) plus data encryption to protect the integrity of the communications. This is why some sort of subscription agreement is needed between the IoT user (who utilizes vendor-built technology with embedded smart functions) and some sort of certified cloud provider. Just as Internet Service Providers have had an SLA and OLA, so should the cloud provider, with security proficiency being an audit-enabled function of their services. Angie's List is popular for rating service providers of many types. The same philosophy will need to apply to cloud access providers.
- Stronger Endpoint Security – We have HIPS, or Host Intrusion Prevention Software, on laptops and even some mobile devices. What we don’t have is the same protection embedded in smart-chip devices like key fobs. Hardware-based encryption is plentiful in the market, but there is no dynamic “smart” connection-based security within the device to guarantee that data leaves the endpoint over a secure connection, so the transport is not completely compliance-negotiated. Although gateways solve much of the problem, the end point still needs to be validated so that it does not turn out to be a spoofed system or smart device. Spoofing occurs way too often with Internet-enabled devices, so knowing who is on the wire, who should be able to transmit, who is allowed to transmit, and end-to-end status checking is a must.
- Dynamic and REAL-TIME Traffic Policing – Specific traffic patterns for the transmission of normalized IoT data will become a key component in how we distinguish between a normal data pattern and what looks like a malicious attempt. Currently DDoS, or distributed denial of service, is the biggest nemesis of large organizations’ sites and services due to the disabling nature of the attack. What if a hacker group decides to stop a core services component that handles AAA for IoT-enabled devices from functioning, by a connection or DDoS attack? Devices are rendered useless because they cannot communicate with integral pieces of the infrastructure. A key without a lock is useless and the lock without a key makes no sense. End-to-end is the answer. Active policing via a private, public, or hybrid cloud provider will be mandatory to a point.
- Services, Services, Services – Some entity needs to constantly police the other pieces of the IoT security model. Who else but a Security Operations Center, or SOC, will have the ability to respond to actual threats and to ignore but log false positives? I know what my company is doing with this function, but the masses require dedicated analysis for incoming security threats. We have to educate the masses on how IoT as a technology root concept is the same as traditional security. We need eyes on the devices, eyes on the alerts, eyes on the usage, eyes on the communications, and eyes on each and every transaction. Who better to do this than a dedicated team of professionals on a cloud subscription basis?
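The endpoint checks named in the "Stronger Endpoint Security" item (who is on the wire, who is allowed to transmit, and rejecting spoofed or replayed traffic) can be sketched at a gateway as follows. This is an added example, not code from the original article; the device ids, keys, message layout and verdict strings are constructed assumptions.

```python
import hashlib
import hmac
import struct


def sign(device_id: str, key: bytes, counter: int, payload: bytes) -> bytes:
    """Device side: MAC over the device id, a monotonic counter and the payload."""
    msg = device_id.encode() + b"\x00" + struct.pack(">Q", counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def validate(registry: dict, device_id: str, counter: int,
             payload: bytes, tag: bytes) -> str:
    """Gateway side: return 'accept' or the reason the message is rejected."""
    entry = registry.get(device_id)
    if entry is None:
        return "unknown-device"      # nobody we know is on the wire
    expected = sign(device_id, entry["key"], counter, payload)
    if not hmac.compare_digest(expected, tag):
        return "bad-mac"             # spoofed sender or altered data
    if not entry["enabled"]:
        return "not-authorized"      # genuine device, not allowed to transmit
    if counter <= entry["last_counter"]:
        return "replay"              # captured message sent again
    entry["last_counter"] = counter  # status kept per endpoint
    return "accept"


def demo() -> list:
    """Run constructed messages through the gateway and collect the verdicts."""
    fob_key, thermo_key = b"k" * 32, b"t" * 32   # constructed sample keys
    registry = {
        "fob-01": {"key": fob_key, "enabled": True, "last_counter": 0},
        "thermo-07": {"key": thermo_key, "enabled": False, "last_counter": 0},
    }
    unlock = b"unlock-front-door"
    good = sign("fob-01", fob_key, 1, unlock)
    return [
        validate(registry, "fob-01", 1, unlock, good),                 # genuine
        validate(registry, "fob-01", 1, unlock, good),                 # replayed
        validate(registry, "fob-01", 2, unlock,
                 sign("fob-01", b"x" * 32, 2, unlock)),                # wrong key
        validate(registry, "thermo-07", 1, b"set-temp-21",
                 sign("thermo-07", thermo_key, 1, b"set-temp-21")),    # disabled
        validate(registry, "cam-99", 1, b"frame", b"\x00" * 32),       # unregistered
    ]


if __name__ == "__main__":
    print(demo())
```

The MAC is checked before the authorization flag so that an unauthenticated sender learns nothing about which registered devices are enabled.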
Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October
2 years ago: Tony, thanks for sharing!
A Highly Seasoned Tech Veteran with Specialties in Cybersecurity, Compliance, Cloud Computing, AI/ML, and DevOps. 28-years of broad and highly-involved experience and expertise. Serial Entrepreneur.
9 years ago: Thank you Ryan MacDonald. I'm buried in development now on products and services supporting IoT so I am deeply having to spend cycles on ideas and implementation strategies. This is only the tip of the iceberg.
A Highly Seasoned Tech Veteran with Specialties in Cybersecurity, Compliance, Cloud Computing, AI/ML, and DevOps. 28-years of broad and highly-involved experience and expertise. Serial Entrepreneur.
9 years ago: Mike Consuegra you hit the nail on the head with why security is going to have to change with the new technologies being so reliant on cloud or transit Internet connectivity for functionality. Cars and homes are just part of the sensitive areas. Health via bio-tags or barcode type labels or bracelets will be heavily dependent as well so we have to implement security.
Security Administrator And Engineer | Principle Global Incident Responder at Current
9 years ago: Good article, gives you something to ponder as you try to improve the security of your networks.
Associate Manager II - Software Engineering
9 years ago: Tony, this is a great article. Security is heavy on my mind as well and I've certainly been thinking more about securing IoT as I drive around in my 3G connected vehicle with a QNX-based InfoTainment/Control system. Right now IoT is the "Wild West" of the technology world and because you can't patch your own vehicle or disconnect it from 3G you just have to hope that as you drive around you're not one of the first victims of mobile hacking.