Internet of things: Finding security in the cloud
Technology Update: So what’s the best tool for implementing security and locking down our devices? The answer is the cloud. The cloud doesn’t have to be insecure or expensive; centralized data collection and management is the key to securing Internet of things devices.
The cloud has the potential to help, more than hurt, cyber security for connected devices, the Internet of things (IoT). With all of the talk about the security, or insecurity, of the IoT, there’s one thing we can agree on: security is both complex and critical. In the next five years, the Internet will become a larger global connection of computers, as well as an interconnection of everyday devices collecting data on their surroundings. With over 20 billion connected devices estimated in use by 2020, information and data will become ubiquitous, and our future applications will easily gather data from any source.
So what’s the best tool for implementing security and locking down our devices? The answer is the cloud. Some would have us believe that the cloud is insecure and expensive, but I’m here to tell you that neither of those accusations is true. In fact, centralized data collection and management is the key to securing IoT devices.
When a company or individual is trying to manage thousands of devices independently, it’s not going to be easy. One strategy for monitoring and securing connected devices is to centralize them; a central repository provides the ability to see how all devices are working, and allows a successful shift of security intelligence from each field or device into the cloud.
While the cloud may be an aggregated layer, it also delivers greater intelligence. In other words, rather than the cloud being a tempting target for hackers, it’s very secure and can protect itself against attacks. The cloud delivers continuous monitoring of all devices and the capability to turn off web services with a click of a button so that the devices are no longer listening to the Internet, thereby mitigating risk. By shifting security from individual purpose-built devices to the cloud, you actually have more controls and functions over each individual device. Another benefit of the cloud is its cost-effectiveness: deploying the right tools to predict malicious activities and identify patterns increases security while decreasing cost, because individual devices can do only so much on their own without driving huge costs. Many devices working together en masse in the cloud is "smart."
For example, if someone attempts to attack your connected refrigerator, you can monitor that activity from the cloud and mitigate the risk. If the cloud manager notices abnormal activity, such as a user logging in from a remote area, the refrigerator can quickly be disconnected from the Internet and refrain from sending out data.
Another recent example is the Heartbleed vulnerability. Devices using OpenSSL were at risk; however, those devices running from a device cloud allowed you to turn off your web services and immediately disable your devices from listening on the Internet, so the device was not exposed to the threat.
This process is very similar to what happens in an IT server room: when an attack on a computer or network server is exposed, there are tools that IT personnel are able to quickly deploy to combat the attack. In a cloud environment that is aggregating data, it is possible to look for the same warning signs and respond just as if it were a server. By connecting devices to the cloud, specialized protection is easy, accessible, and behind the scenes.
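The central check described in the refrigerator and Heartbleed examples above, sketched as an added example that is not part of the original article or any Digi software: a console walks its device inventory, flags devices that report a Heartbleed-affected OpenSSL release or see a successful login from outside their usual region, and switches off their web services. The `Device` fields, event format, region codes and `apply_lockdown` stand-in are assumptions made for illustration.

```python
from dataclasses import dataclass

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is fixed.
HEARTBLEED_VERSIONS = {"1.0.1"} | {"1.0.1" + c for c in "abcdef"}

@dataclass
class Device:                      # hypothetical inventory record
    device_id: str
    openssl: str                   # version the device reported at check-in
    home_region: str               # where its owner normally logs in from
    web_service_on: bool = True

def plan_lockdown(fleet, logins):
    """Return ({device_id: reason}, [ids missing from inventory])."""
    by_id = {d.device_id: d for d in fleet}
    actions, unknown = {}, []
    for d in fleet:
        if d.web_service_on and d.openssl.strip().lower() in HEARTBLEED_VERSIONS:
            actions[d.device_id] = f"vulnerable OpenSSL {d.openssl}"
    for ev in logins:
        d = by_id.get(ev["device_id"])
        if d is None:
            unknown.append(ev["device_id"])   # alert only: nothing to switch off
        elif ev["success"] and ev["region"] != d.home_region and d.web_service_on:
            actions.setdefault(d.device_id, f"login from {ev['region']}")
    return actions, unknown

def apply_lockdown(fleet, actions):
    """Stand-in for the management call that stops devices listening."""
    changed = []
    for d in fleet:
        if d.device_id in actions and d.web_service_on:
            d.web_service_on = False
            changed.append(d.device_id)
    return changed

# Constructed sample data, not taken from the article.
FLEET = [Device("fridge-01", "1.0.1e", "US-MN"),
         Device("fridge-02", "1.0.1g", "US-MN"),
         Device("sensor-03", "1.0.1f", "US-MN", web_service_on=False),
         Device("sensor-04", "1.0.2a", "US-MN")]
LOGINS = [{"device_id": "fridge-02", "region": "RO", "success": True},
          {"device_id": "sensor-04", "region": "RO", "success": False},
          {"device_id": "sensor-04", "region": "US-MN", "success": True},
          {"device_id": "ghost-09", "region": "US-MN", "success": True}]

if __name__ == "__main__":
    plan, unknown = plan_lockdown(FLEET, LOGINS)
    print(plan, unknown, apply_lockdown(FLEET, plan))
```

Devices whose web service is already off are skipped, and a login event for a device missing from the inventory is reported separately rather than silently dropped.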
Another key factor tied to the IoT and the cloud is secure password protection. You should have one centrally managed password to best protect your devices. By using one central password, tools, auditability, and security are much more effectively managed in the cloud, which drives home the concept of identity. If someone gains access to the account, you are notified immediately and can lock down all devices.
It’s not if, but when an Internet-connected device will be attacked. If you want real protection, you must connect your devices to the cloud. With the cloud, you have the technology and capabilities to freeze and lock out all devices that are under attack within seconds. The ability to remotely update security functions is one of the main benefits of cloud-connected hardware. If devices are connected to the cloud, a simple fix can be applied to ensure devices are secure. As the IoT continues to grow and develop, security must be considered at every point throughout the network. Connecting your device to the cloud fulfills this need and can be used to deliver security to your devices and keep data secure.
– Donald Schleede is information security engineer at Digi International. Edited by Mark T. Hoske, content manager, CFE Media, Control Engineering.
www.controleng.com/archives in August has more information with the online version of this article.
- As the Internet of Things expands, cyber security must be considered at every point.
- Connecting devices to the cloud can deliver security to your devices and keep data secure.
Would the cloud-based tools described here help lower your device cyber security risk?
Don Schleede: Donald "Don" Schleede, CISSP, is a senior information security engineer working for Digi International. He has held positions as a software developer, IT operations director, and IT security architect. Schleede’s areas of expertise include Unix security, network security, and web application security. Today, he works with devices and the Internet of Things in conjunction with device cloud security.
About Digi International: Digi International combines machine to machine (M2M) products and services as end-to-end solutions to drive business efficiencies. Digi provides the industry’s broadest range of wireless products, a cloud computing platform tailored for devices and development services to help customers get to market fast with wireless devices and applications. Digi solutions are tailored to allow any device to communicate with any application, anywhere in the world, the company said.