In this month's contribution to the IoT World community site, Ayla Networks' CEO, Dave Friedman, explains why strong security is needed to keep attackers out of the Internet of Things, and lists 7 enterprise-class security principles to apply when evaluating an IoT platform to connect your products:
- End-to-end security mechanisms: Mobile apps and connected devices must be authenticated separately, and both the mobile app and the end user's credentials must be authorized. The identity of the connected device is best anchored in hardware: the device's credentials can be burned into its connectivity module at the factory, so they are never exposed to users or installers. This dramatically raises the bar for spoofing, because an attacker would have to steal your device, your mobile app, and your password.
- End-to-end data encryption: Standards-based encryption from device to mobile app is arguably one of the best deterrents of data theft. Many services encrypt data only once it reaches their datacenter, but in many ways data is more vulnerable while it's in transit. The challenge with doing this end to end is making all the authentication and key management happen without user configuration, so that data is encrypted automatically.
- Access and authorization control: This means giving different user types different levels of data access. Consumers might let their utility link to their thermostat to turn down the AC on peak power days, but the utility would be able to use the data for power-consumption analysis only. Or consumers might give retailers limited access to monitor their AC for proactive maintenance and repair.
- Activity auditing: IoT device manufacturers and service providers need to keep audit logs so that any breach can be traced back to its source. Audit data is also an important way to identify patterns that pinpoint problems before they happen. Additionally, it's a way to rate vendors: if businesses could compare the security practices of vendors in an open and honest way, cloud providers and IoT service providers would have a huge incentive to invest in security.
- Hardened cloud infrastructure: Hosting data in the cloud can be far more secure than keeping it at home or in a company-run datacenter, because cloud providers can invest more money and personnel in strengthening their operations against attack. But you still see attackers gaining entry into well-known organizations, so how do you know security best practices are being followed? ISO/IEC 27001 is an information security management standard that specifies security management best practices and a comprehensive set of security controls for datacenters and other environments; Amazon Web Services (AWS), for example, is certified against ISO 27001.
- Equal protection across multiple platforms: Devices will communicate over WiFi, cellular, ZigBee, Bluetooth, and other wireless (and wired) protocols. Security has to be equally strong across all of them, regardless of whether the mobile app is talking to a connected device over the Internet or locally (e.g. at home, on the same WiFi network as the connected device).
- Education: Vendors have to be ready to teach consumers and buyers -- through easy-to-read web pages or through their customer service desk -- why security is important and why they need to think about it. Sadly, human error is still one of the biggest cybersecurity vulnerabilities.
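To make the access-and-authorization and activity-auditing principles above concrete, here is an added example (not code from the original post or from Ayla Networks) of a scoped-access check for a connected thermostat. The owner delegates named scopes to a utility and a retailer; every request is checked against the grant before any data is read or any command is sent, and each decision, allowed or denied, is written to an audit log. The scope names, principal names, peak-day calendar and device readings are all constructed for this example.

```python
"""Scoped access control plus audit logging for a connected thermostat.

Added example, not code from the original post. The utility may read
consumption data and change the setpoint only on declared peak days; the
retailer may read diagnostics only; everyone else is denied. All names
and values below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Scopes the owner can delegate (names are assumptions for this example).
READ_CONSUMPTION = "consumption:read"
READ_DIAGNOSTICS = "diagnostics:read"
SET_SETPOINT = "setpoint:write"


@dataclass(frozen=True)
class Grant:
    grantee: str
    scopes: frozenset
    peak_days_only: bool = False  # restrict setpoint writes to peak days


@dataclass
class Thermostat:
    owner: str
    grants: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    consumption_kwh: float = 12.5                              # constructed reading
    diagnostics: dict = field(default_factory=lambda: {"compressor_hours": 4100})
    setpoint_f: int = 72


def grant(t: Thermostat, grantee: str, scopes, peak_days_only: bool = False):
    """Owner delegates a fixed set of scopes to a third party."""
    t.grants[grantee] = Grant(grantee, frozenset(scopes), peak_days_only)


def authorize(t: Thermostat, principal: str, scope: str, today: date, peak_days: set):
    """Decide (allowed, reason) for one request and record it in the audit log."""
    if principal == t.owner:
        decision = (True, "owner")
    else:
        g = t.grants.get(principal)
        if g is None:
            decision = (False, "no grant")
        elif scope not in g.scopes:
            decision = (False, "scope not granted")
        elif scope == SET_SETPOINT and g.peak_days_only and today not in peak_days:
            decision = (False, "setpoint writes limited to peak days")
        else:
            decision = (True, "granted")
    # Every decision is logged so a breach can be traced back to a principal.
    t.audit_log.append({"when": today.isoformat(), "who": principal, "scope": scope,
                        "allowed": decision[0], "reason": decision[1]})
    return decision


def _require(t, principal, scope, today, peak_days):
    allowed, reason = authorize(t, principal, scope, today, peak_days)
    if not allowed:
        raise PermissionError(reason)


def read_consumption(t, principal, today, peak_days):
    _require(t, principal, READ_CONSUMPTION, today, peak_days)
    return t.consumption_kwh


def read_diagnostics(t, principal, today, peak_days):
    _require(t, principal, READ_DIAGNOSTICS, today, peak_days)
    return dict(t.diagnostics)


def set_setpoint(t, principal, value, today, peak_days):
    _require(t, principal, SET_SETPOINT, today, peak_days)
    t.setpoint_f = value
    return t.setpoint_f


def demo():
    """Run the scenarios from the text; returns (results, audit_log)."""
    t = Thermostat(owner="alice")
    grant(t, "metro-utility", [READ_CONSUMPTION, SET_SETPOINT], peak_days_only=True)
    grant(t, "hvac-retailer", [READ_DIAGNOSTICS])
    peak = {date(2024, 7, 21)}          # constructed peak-day calendar
    normal, peak_day = date(2024, 7, 20), date(2024, 7, 21)
    r = {}
    r["utility_reads_kwh"] = read_consumption(t, "metro-utility", normal, peak)
    r["utility_peak_write"] = set_setpoint(t, "metro-utility", 78, peak_day, peak)
    for key, call in [
        ("utility_offpeak_write", lambda: set_setpoint(t, "metro-utility", 78, normal, peak)),
        ("utility_diag", lambda: read_diagnostics(t, "metro-utility", normal, peak)),
        ("stranger_read", lambda: read_consumption(t, "nobody", normal, peak)),
    ]:
        try:
            call()
            r[key] = "allowed"
        except PermissionError as e:
            r[key] = str(e)
    r["retailer_diag"] = read_diagnostics(t, "hvac-retailer", normal, peak)["compressor_hours"]
    r["denials"] = sum(1 for entry in t.audit_log if not entry["allowed"])
    return r, t.audit_log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    for entry in log:
        print(entry)
```

The design point is that the scope check and the audit record happen in one place (`authorize`), so a new data path cannot accidentally skip either; the log records denials as well as grants, which is what lets an analyst spot a principal probing for access it was never given.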
You can read Dave's complete blog post here: "7 Steps to Security for the Internet of Things"