The Five Pillars of IoT Security

The Five Pillars of IoT Security

Unless you’ve been living under a rock for the past 8 years, you’ve been exposed to the concept of IoT. For enterprise organizations, it’s a key component of Digital Transformation (DT), primarily because it enables companies to capture huge amounts of data.

And “data has value” is one of the fundamental principles of digital transformation. The classic example of data having value is a tire company embedding sensors in its tires that can measure not only wear and tear but travel patterns–and then discovering that the value of the data to its customers that operate fleets (like trucking and car rental firms) vastly exceeds the value of the tires themselves. The tire company thus morphs from selling tires to selling data–thanks to IoT.

If IoT is fundamental for DT,  security is fundamental for IoT. But thus far, most of the thinking about securing IoT is too high-level for enterprise organizations to do much with. But there are five core “pillars” of security that every infosec professional involved with IoT–and every IoT professional–should be aware of:

  1. Pillar 1: Device authentication.  For any IoT implementation, architects need to be sure to ask “how is this device authenticated to the network? To the application? To the data store?” The oldest hack in the book is to hook up an unauthenticated device.
  2. Pillar 2: End-to-end encryption. Most IoT networks are wireless, which means network encryption is a must. But don’t neglect encryption at either end: the sensor itself (how is the data it collects encrypted?) and at the data store. A great discussion on the challenges and solutions of IoT encryption is here. 
  3. Pillar 3. Network segmentation. It should be–but isn’t–blindingly obvious that you shouldn’t run your IoT network over a general-purpose network. Why? IoT traffic needs to be handled separately (see Pillars 4 and 5). It’s got different requirements for availability and reliability (much IoT data is both highly latency-sensitive and has high availability requirements) and bandwidth (much IoT data is relatively low bandwidth compared with conventional back-office applications and traffic. And then there’s the fact that IoT traffic has unique security requirements. How best to implement that segmentation? There are some good pieces here and here, but a few options include physical segmentation (totally separate network) and virtual networking technologies like NfV and SDN.
  4. Pillar 4: Application protection. If you’re getting the message that IoT isn’t just another “color of bits”, good. Often IoT data feeds a special-purpose analytics application–and that application requires its own attention to security protection.
  5. Pillar 5: IoT and the cloud. In many cases, IoT data is funneled to cloud-based applications or data collection engines (even before it meets the applications in Pillar 4). That means standard cloud-based protection and security such as CASB (cloud access security brokers) isn’t good enough. Infosec and IoT professionals need to be thinking about how the data is protected from the sensor through to the cloud aggregation point, and from there on to the applications.

Bottom line: IoT security is, indeed, something new. And IoT and security professionals need to take special care when architecting their IoT security solutions.