This is a guest blog by Godfrey Chua, Principal Analyst at Machina Research.
The M2M and IoT markets are seeing rapid growth as efforts to improve operational efficiencies, enhance customer service, build new business models and generate new revenue streams drive the industry forward. As enterprises become ever more dependent on IoT for building a competitive advantage, securing their IoT systems becomes all the more paramount. To be sure, concerns around IoT security are hindering adoption, prolonging the process by which solutions are evaluated and implemented.
Security is a multi-faceted concern
Security is one of the most multi-faceted problems an IoT user or solution developer will face. This arises from the fact that solutions are comprised of multiple components, each of which must be carefully secured on its own, and from the notion that security is a multi-dimensional issue.
At the most basic level, a solution can be broken down into device, network, platform, application, data processing and storage components. Each of these must be effectively secured via traditional authentication and encryption technologies to ensure solution integrity. Any vulnerability in one component can compromise the system as a whole: a solution is only as strong as its weakest link. This complexity is amplified by the fact that each component may have several subcomponents. For example, a solution may be comprised of a variety of devices, each manufactured by a different firm. Another example is the application layer. Opening systems up to developers also increases the number of potential instances where new vulnerabilities may be introduced. Thus, when considering each of the component categories and the potential permutations that may emerge as the solution expands, the task of keeping up with each category only gets more difficult.
To be sure, there are technologies for securing each component category as well as more holistic systems (in particular those being introduced via big data and analytics for anomaly and intrusion detection) that promise to effectively wrap security around an M2M and IoT solution and mitigate the risks. However, these technologies must also be carefully evaluated and understood, with vigilant ongoing oversight implemented. Security is a constantly moving target.
Beyond components and technology resides the multi-dimensional challenge of security itself. This includes issues such as data privacy and protection, human operations and the business model behind the M2M and IoT solution. Data privacy and protection, which naturally have regulatory implications that vary from one country and market segment to another, represent a highly complex issue. Questions surrounding ownership of data (and thus who can monetize it) persist, while even more simplistic issues related to data handling can create challenges to solution design and implementation. Recent high profile breaches in both the private and public sectors have also made data security an ever more visible issue.
The human aspect of M2M and IoT also plays a big role. New procedures and policies for employees interfacing with a solution are required as employee error and negligence may compromise a system. For example, M2M and IoT implementations require some degree of computer knowledge and passwords to secure them. Often cited in our conversations with enterprises is the difficulty they have in instituting secure passwords and better protecting them. In fact, recent high profile data breaches involved compromised passwords. Thus, when considering the components that comprise an M2M and IoT solution, it is critical to consider the human elements involved – how to ensure they do not become the weakest link in the solution. In addition to careful planning of new procedures and policies, technology can also help overcome these challenges (e.g. biometric solutions as a substitute for passwords).
Finally, the business model must be factored into the security considerations. Efforts in M2M and IoT solution security must align from a cost-benefit point of view. Thus, the investment in security should consider the value of what exactly is being protected. For example, mission critical and high value data, such as those involving key infrastructure operations, financial/banking, public safety, and medical information, naturally warrant greater investments. On the other hand, for less critical and less sensitive information, such as anonymized fitness data from wearables or tire pressure readings from an automobile, comprehensive security measures deliver reduced business value. The business case for security must be calculated from the outset.
4 key takeaways
Deep partner collaboration is a must. The many components that comprise an IoT solution mean that it will be imperative for a solution developer to have deep collaborations with their ecosystem partners in order to fully understand the security implemented at each component layer. This requires developing the kind of trust that gives the solution developer confidence that their partners have sufficient knowledge of security technologies and can execute on it.
‘Security by design’ is key. Security must be table stakes in the design of any IoT solution. Considerations should be taken at the outset of the solution design process, with the architecture and system taking security into account every step of the way. Security design considerations must also be extended to factor in the human interactions that will occur.
Consider the business model when securing the solution. The application should be built so as to properly align the time and finances invested into security with the overall value (and thus profits) that the solution will deliver to customers. Security should be approached with a sense of practicality and common sense, but certainly never ignored.
Contingency planning. What may be the most difficult to admit is that 100% security may be neither practical nor actually possible. At the end of the day, security is a constantly moving target. Malicious activity and the search for system vulnerabilities are constant, especially in fast scaling systems. It is imperative, especially for mission critical IoT infrastructure, to have risk mitigation systems that identify anomalous activities and prevent them from propagating across key components within the solution. Contingencies should thus be in place to account for the vast variety of “what if” scenarios that could arise.