Security will be a weak link in IoT if vendors, in their race to capitalize on the IoT market, do not give it the attention it really needs. Vendors making their first foray into a connected strategy may lack in-house security experts. This oversight can deter market adoption: one vendor making a poor security implementation decision can affect consumer perception of connected devices across the board.
To mitigate such risks, your IoT platform must be designed with security in mind and incorporate granular controls, leveraging a pre-built role-based security model. Security must extend from the device to the cloud and to the application, starting with encryption at the chip level to prevent spoofing, and with key transmission protocols like TLS to get information safely to its destination. There’s a lot to consider, and it’s critical not to underestimate the elevated risk many IoT devices may pose.
IoT platforms have to support multi-tenancy. In a multi-tenant environment, each manufacturer’s data is isolated from the others through a multi-tenant data architecture. Multi-tenancy is enforced with a tenant ID associated with every piece of data and a data access mechanism that enforces the separation of data by manufacturer. For data transfer, security depends on the method of transport. The best approach is to use HTTPS as the standard, so that the server is fully authenticated using PKI certificate chain verification and each packet is encrypted using 128-bit AES. All user-identifiable information should be encrypted when stored. All backups should be encrypted, with the encryption keys stored securely and accessible only by the IoT platform provider. Some providers use bcrypt salted password hashing to deter various types of password attacks.
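The tenant-ID separation described above, sketched as an added example (not code from this article or from any platform it describes). The `readings` table, the `TenantStore` class and the tenant names are hypothetical; the point is that the tenant predicate is applied by the data access layer, never by the caller.

```python
import sqlite3

class TenantStore:
    """Data access layer bound to one tenant; callers never pass tenant_id per query."""
    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._conn, self._tenant = conn, tenant_id

    def add_reading(self, device_id, value):
        cur = self._conn.execute(
            "INSERT INTO readings (tenant_id, device_id, value) VALUES (?, ?, ?)",
            (self._tenant, device_id, value))
        return cur.lastrowid

    def get_reading(self, reading_id):
        # The tenant predicate is always added, so an id owned by another
        # tenant looks exactly like an id that does not exist (None).
        return self._conn.execute(
            "SELECT device_id, value FROM readings WHERE id = ? AND tenant_id = ?",
            (reading_id, self._tenant)).fetchone()

    def delete_reading(self, reading_id):
        cur = self._conn.execute(
            "DELETE FROM readings WHERE id = ? AND tenant_id = ?",
            (reading_id, self._tenant))
        return cur.rowcount == 1  # False when the row belongs to someone else

def make_db():
    conn = sqlite3.connect(":memory:")
    # Schema-level backstop: no row can exist without a non-empty tenant_id.
    conn.execute("""CREATE TABLE readings (
        id INTEGER PRIMARY KEY,
        tenant_id TEXT NOT NULL CHECK (tenant_id <> ''),
        device_id TEXT NOT NULL, value REAL NOT NULL)""")
    return conn

def demo():
    # Constructed sample data: two hypothetical manufacturers sharing one table.
    conn = make_db()
    acme, globex = TenantStore(conn, "acme"), TenantStore(conn, "globex")
    rid = acme.add_reading("thermostat-1", 21.5)
    return {
        "owner_read": acme.get_reading(rid),
        "cross_read": globex.get_reading(rid),
        "cross_delete": globex.delete_reading(rid),
        "after": acme.get_reading(rid),
    }

if __name__ == "__main__":
    print(demo())
```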
That’s why it’s essential to leverage an IoT platform that has end-to-end security built in. Security must permeate all aspects of data collection and transmission, from device booting and authentication to access control, firewalling, data transmission, and updates and patches. And those requirements will vary from device to device: unlocking the doors of a vehicle requires strong user authentication, while protecting medical data on its way from an out-patient’s heart monitor to the doctor’s iPad requires a rock-solid data encryption solution. The architecture of a connected device platform must understand these differences and be able to provide multilevel security with end-to-end protection.
If you enlist the help of a third-party provider, find one who understands security and has made security a fundamental part and a core functionality of their platform. Be sure the provider you work with leverages third-party auditors who will testify to their integrity. IoT scenarios will continue to proliferate, enabling new use and business cases in every industry. And as they do, new security threats will emerge. Advanced concepts of security must be considered to make sure no breach in software, hardware, communication or physical security jeopardizes the acceptance of IoT applications, or the privacy of those who use them.
Ayla is an end-to-end IoT Platform that is highly secure, scalable and extensible, covering all three areas of the IoT: the device, the cloud, and mobile and web services. Ayla’s customers depend on our ability to provide them with a secure IoT Platform.