End-to-end encryption is key for securing the Internet of Things
The Internet of Things (IoT) is one of the hottest buzzwords these days. It seems like almost everything is being connected, including cars, streetlights, oil rigs, wearables and more. By the end of this decade, Gartner estimates there will be 26 billion IoT devices in service, while IDC predicts 28.1 billion.
There’s no safety in those numbers. Just the opposite: Every IoT device is an endpoint, like a PC or smartphone, which means every one is a potential back door for hackers. Worse, many IoT devices are connected to mission-critical equipment, such as switches at electric utility substations, or telemedicine monitors in patients’ homes. Those roles make IoT devices tempting targets for terrorists, rogue nations and others who want to wreak a lot of havoc with a single attack.
Those attacks are in addition to those that leverage the IoT to steal credit information, corporate secrets and other data. The Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis says the average cost of each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 this year. IoT will drive that cost even higher simply because it increases the number of attack opportunities. In fact, IDC predicts that by the end of 2016, 90 percent of all IT networks will have experienced an IoT-based security breach.
There are other consequences when businesses, organizations and entire industries don’t take IoT security seriously – and fast. One example is a IoT-enabled attack on railway infrastructure so big and embarrassing that results in onerous, expensive new regulations that the industry could have avoided by being proactive. Another is an automotive brand sullied by the public’s perception that its smart vehicles are easily hacked.
Securing the IoT begins with understanding why it requires a fundamentally different set of strategies and tools than those currently used in IT, telecom and other domains. IoT networks are typically not behind a firewall, but rather mobile or spread over too large of an area. SSL/TLS is not sufficient for small devices with the need to protect the data in use, in motion and at rest. SSL was simply not designed for the challenges facing IoT Therefore, firewalls and SSL won’t be able to keep up with IoT’s scale and device fragmentation, which spans everything from wearable health devices to smart vehicles to industrial controls. And although IDC estimates that there are already more than 9 billion IoT devices in service today, it’s still a relatively new space, where many standards and best practices that would aid security are still in development.
For some perspective, consider how enterprises currently struggle to keep up with evolving attacks on a relatively small set of familiar devices, such as servers, PCs and smartphones. IoT makes that look like a walk in the park.
Next-gen encryption for a new paradigm
Within the next five years, 90 percent of all IoT data will reside in third-party clouds, IDC predicts. That statistic is just one example of why enterprises, government agencies and other organizations should take adopt an “encrypt-everything” strategy to protect against IoT-enabled breaches.
This strategy maximizes protection regardless of whether the data resides in a public or private cloud, on an IoT endpoint and when it’s in transit. Encrypting everything also complements the traditional focus on network security because even when that initial line of defense fails, the data remain protected. That wasn’t the case in several recent, high-profile attacks such as Anthem, where hackers accessed unencrypted personal information for 80 million policy holders.
For every organization, network breaches are a matter of when, not if, and IoT means more of them simply because it’s increasing the number of endpoints exponentially. So why don’t more organizations encrypt everything? One reason is because standards such as AES and IPSec are so processor-intensive, making them a poor fit for laptops, smartphones and IoT devices such as wearables. It’s not just battery life that suffers. The IoT market is notoriously price-sensitive, so those devices have limited processor capabilities in order to keep the bill-of-materials cost low enough to enable the widest possible adoption.
That’s why organizations should build their encrypt-everything strategy around next-generation technologies, which are much less resource-intensive but with no trade-offs in protection. For example, instead of encryption methods based on blocks or files, look for solutions that encrypt and compress data in real time in a single pass at the byte level. This design also ensures that the user experience isn’t compromised, such as slow performance.
Network data efficiency is also essential for any large scale IoT solution – if the IoT devices send too much wireless data then the costs become too high. For example, many IoT devices will use cellular or wireless connections, so compression becomes an important feature to reduce the cost that the user pays for that connectivity or bandwidth. The sheer amount of IoT devices also will create traffic loads large enough to overwhelm even the most robust wired network. An efficient low-latency data compression technology can be an effective means to minimize the workload for wired and wireless networks alike.
The ideal next-gen solution also adds synchronized data to the standard encryption key, making it impossible to decrypt the information remotely even if the key is compromised. Secure device authentication with near real-time speed to reduce latency is another key to IoT security and efficiency. Device authentication and packet encapsulation can also mitigate DDoS attacks to reduce service interruptions.
Best of all, an encrypt-everything strategy can be applied to non-IoT devices and applications. That broad applicability increases the return on those encryption investments by expanding that protection throughout an organization.
In the Internet of Everything, data will reside everywhere, which means a lot of that data can’t be protected by traditional, network-centric devices such as firewalls. Only end-to-end encryption can provide the security necessary to minimize IoT-enabled breaches. However, the encryption technology must be designed for modern use cases and devices, such as by making the most efficient possible use of processors and batteries. Organizations that choose the right encryption solution and then apply it everywhere will be best equipped to address IoT-enabled threats.