Internet of Things: Connecting the security dots from application design to post-sale
The age of Internet of Things is upon us. While it’s still early days, Gartner predicts that by 2020, the Internet of Things will be made up of 26 billion connected devices and IDC estimates that $7.3 trillion in revenue will be generated by IoT components by 2017. Both of these statistics, understandably, have generated great interest from entrepreneurs and enterprise owners alike, leading to a flurry of new innovations to hit the market.
This sudden spell of application development and design has provided the consumer market with a huge range of new technologies, and the commercial market a vast expansion of customer data possibilities. However, there is widespread concern that IoT could be brought to its knees rapidly if manufacturers fail to consider security implications in their rush to hit the market place with ‘the next big thing’.
Research from HP in 2014, showed that:
- 90 percent of devices collected at least one piece of personal information via the device, the cloud, or its mobile application.
- 80 percent of devices along with their cloud and mobile application components failed to require passwords of a sufficient complexity and length.
- 70 percent of devices along with their cloud and mobile application enable an attacker to identify valid user accounts through account enumeration.
The Internet of Things has come a long way in the last year, but security is still seemingly low on the industry agenda. Many IoT security failures can often be traced back to poor decisions about the type of ‘smart’ features to implement and their scope for hacker invasion.
The consumerisation of IT means that technologies designed and marketed to consumers often find their way into workplaces. This makes understanding how a technology will be applied once it has been marketed and sold an extremely important process. Most connected devices are now very much linked to the cloud and this can introduce another layer of security risk. As collectable data becomes ever more varied and includes extremely private information relating to health and even finances, it’s simply not acceptable to introduce security risks at any given stage of the product development process or its post-sale life.
So how exactly do developers ensure the privacy of their customer’s data is upheld and in turn protect and increase customer trust in their product and brand? It takes patience. It requires a strategic and well thought out approach.
Initial due-diligence pays dividends
At the start of an app development, basic steps must be taken and will have an impact on later design decisions. The very first thing any developer must do is to consider and be honest about the pros of ‘connected’ features against the cons of the security holes they might open up. IoT applications should be capable of assessing the security and privacy implications of connected features like messaging and social media integration. An email proxy requires clear and concise directions on secure configuring, with strong administrator credentials, shielding it from low-level attacks and port scans. This upfront security assessment of ‘smart’ features will increase the cost of development, but this initial outlay will save money, time and brand reputation in the long run.
‘Security through obscurity’ is a dangerous approach
A common assumption is that hackers won’t be interested enough or dedicate the time to infiltrate IoT devices. However this is an extremely optimistic idea. Products must be designed with the assumption that they will be purchased, dissected and studied. Security shortcuts such as embedded private keys or weak authentication might save time and speed up deployment, but there is a fine line between a global IT ecosystem and a global botnet network.
Implement protective measures at every stage
It’s also essential that software updates or modifications, require administrator authentication and the use of signed executable files to verify the integrity of the software that is being installed. Devices must be able to register activity which could indicate an attack and robust logging features are a must if administrators are required to recover compromised systems.
In today’s IoT world, it’s not enough to require end-users to use their own initiative and set strong passwords. There’s a ‘set and forget’ mentality among users which is not sufficient for ensuring around-the-clock security. Regular password updates and updatable firmware by way of authenticated, signed software updates are steps towards a more resilient IoT deployment.
Keep your supply chain in check
You can’t underestimate the importance of screening supply chain partners closely to make sure contracts and service provider agreements protect you. Low-cost and powerful embedded device platforms with ready-made APIs and open source software libraries that can be quickly integrated can accelerate development, but they also bring security risks which can be hard to pre-empt. In order to mitigate this risk, companies must manage partners using ‘least privilege’ principles to keep them from gaining access to things they don’t need.
It’s clear that the design, manufacture and post-sale of a new IoT product is a complex and risky process. As with most things, speed does not equal security and in the connected devices world, ‘security and privacy risk’ is a multifaceted challenge. One that requires a robust security policy for each and every decision – ideally with a project supervisor who can help to enforce this at every stage.
IoT platforms-as-a-service can help smaller companies to address security and data integrity issues that infest poorly designed IoT products. These tools enable you to streamline secure communications based on industry-standard encryption protocols and extend fine-grained user provisioning to IoT products. This approach will also improve time to market, and avoid serious headaches down the line.