Grounded in the Cloud
cancel
Showing results for 
Search instead for 
Did you mean: 

Your Internet of Things is connected to the Cloud - and both need security

SimonLeech

The Internet of Things, a computing model where connected ‘things’ ranging from connected toys to fridges to vehicles are able to communicate, collect, and share information with centralized systems, is becoming more and more an aspect of our daily connected life. In fact, Gartner expects there to be more than 20 billion connected devices by 2020, with other analysts quoting similar statistics.

IoT.JPG

 I think it’s fair to say that the increase in effectiveness and therefore popularity of IoT is due in no small part to the ability of cloud to provide a scalable back-end that allows organizations running IoT projects to offer mass data storage and analytic processing capabilities. And as with any cloud project, it’s important to consider all of the potential security implications of the new architecture before cybercriminals beat you to it.

  From an IoT specific perspective, I split the main security challenges into the following categories:

 

  • Security of the infrastructure – How are devices authenticated to the infrastructure? Are secure communication protocols in place to allow end points to exchange information securely? ‘Things’ can be connecting from anywhere, so the use of encrypted protocols should be a minimum security control to avoid potential man in the middle style attacks, as well as authenticating the devices as they connect.
  • Security of the applications – Have both the client/thing applications and back end applications been checked for security vulnerabilities? Has the security team signed off on any identified risks? Remember that once code has been released and installed on a ‘thing’, the ability to regularly access and update the code may be very limited.
  • Security of the data – What information is being collected and how is any potentially personal or sensitive data being protected? Especially in a consumer-oriented environment, privacy regulations may prevent certain types of information from being stored, unless you can demonstrate specific countermeasures that have been taken to encrypt that information.
  • Operational security around the IoT network – What steps are being taken to identify any malicious threat actors trying to exploit the system? How quickly can you respond to any potential threat? Having a clear picture of what is going on inside an IoT network is a very important step in being able to preempt any potential malicious activity from causing any lasting damage.

 

These challenges in some ways are very similar to the security challenges we have identified in a hybrid cloud security model elsewhere in this blog. But the main difference in an IoT world is scale – the fact that the ‘things’ can be very numerous, and could be located absolutely anywhere in the world, very often in an environment that is way outside of your control and inherently insecure.

In terms of the risk, whereas a breach in a traditional cloud environment can lead to the mass loss of customer data or the uncovering of corporate intellectual property, the very fact that IoT is designed to make our lives more comfortable means the impact on the individual consumer can be a lot higher, or, in some cases, even life threatening – take for example a home monitoring system that monitors for fires – if a hacker were to breach the system and change the alarm notifications, a fire situation could be identified too late. Or how about a hacker breaching an IoT connected car and disabling the brake control system? Something already demonstrated in a proof of concept by Charlier Miller and Chris Valasek last year.

At Hewlett Packard Enterprise we are investing in the Internet of Things, helping customers to gather data insights and business value from the proliferation of connected devices and machines in a secure way. We have products and solutions ranging from the Edgeline IoT compute platform to secure networking solutions based around our Aruba technologies. But we’re also doing a lot of work around secure IoT use cases that we can use to help demonstrate to our customers the IoT security capabilities of the HPE Security range of products together with a HPE Helion cloud.

As an example of this work, I invite you to take a look at two recently released videos created by my colleague Angelo Brancato, Chief Technologist within HPE Security, covering the security of data and dealing with malware in an IoT environment, and how HPE tackles these with innovative solutions:

 

  

 

For additional information on how HPE thinks about the Internet of Things, please visit the corporate IoT landing page, and if you want to learn more about cloud security, please check out the HPE Hybrid Cloud Security page.

 

0 Kudos
About the Author

SimonLeech

Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in Cloud Security Knowledge (CCSK) and Chief Technologist Security within the Hewlett Packard Enterprise EMEA Hybrid IT Team. Within Hewlett Packard Enterprise, Mr Leech is responsible for influencing and evangelising the security strategy of the Hybrid IT team. Simon is active on Twitter as @DigitalHeMan

Events
28-30 November
Madrid, Spain
Discover 2017 Madrid
Join us for Hewlett Packard Enterprise Discover 2017 Madrid, taking place 28-30 November at the Feria de Madrid Convention Center
Read more
HPE at Worldwide IT Conferences and Events -  2017
Learn about IT conferences and events  where Hewlett Packard Enterprise has a presence
Read more
View all