IoT security is like cake: It’s best in layers.
One of the fantastic benefits we get from the Internet of Things is that it extends the convenience of digital life into our physical world.
This is in large part due to the many devices that we find on our bodies, embedded in our homes and vehicles, and scattered among various other aspects of our daily lives.
Given the ubiquity of these devices, I would argue that so many different devices make up the IoT that no single solution can mitigate all threats. Hence, we have to layer our security for optimum protection.
5 Layers of Security
Let's start by acknowledging the reality that attacks are going to happen, despite our best efforts. Now let's assume that some of these attacks are going to be at least partially successful, and address how we can layer IoT security to help limit, if not mitigate, the damage from these attacks.
The objective is to implement security in a way that doesn’t hinder the user's ability to access the services offered by the IoT device or network.
I like to take a five-layer approach for both cake and security, but since we are talking about security and not cake, let’s start with authentication.
In many cases, the point of vulnerability in the IoT network comes at the edge, where the user interacts with a device. This can be made more secure by implementing some form of authentication for each interaction.
This way the users, or their devices, have to authenticate before accessing whatever service the edge device offers. This might be as simple as a one-time authentication the first time the device is accessed and then just passing a token after that.
This adds our first layer of security.
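Here is a sketch of that authenticate-once-then-pass-a-token pattern, added as an illustration and not taken from any particular product. The user store, key handling, token layout and 15-minute lifetime are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # assumed: secret held only by the edge device
TOKEN_TTL = 900                        # assumed token lifetime, in seconds

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _sign(body):
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

# Constructed credential store: user -> (salt, password hash)
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _pw_hash("correct horse", _SALT))}

def login(user, password, now=None):
    """First access: check the password once, return a signed token or None."""
    # Unknown users still go through the hash so both failures take similar time
    salt, stored = USERS.get(user, (b"\0" * 16, b""))
    if not hmac.compare_digest(_pw_hash(password, salt), stored):
        return None
    exp = int(time.time() if now is None else now) + TOKEN_TTL
    claims = json.dumps({"sub": user, "exp": exp}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    return body + "." + _sign(body)

def verify(token, now=None):
    """Every later request: check signature, then expiry; return user or None."""
    try:
        body, sig = token.split(".")
    except (AttributeError, ValueError):
        return None
    # Constant-time comparison, done before the body is parsed at all
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    return claims["sub"] if claims["exp"] > now else None
```

The expiry is what keeps a stolen token from being useful forever, and the token should only ever travel over an encrypted channel.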
Keep It Anonymous
Next up is what I would consider the most important layer: data anonymity.
Working to keep the data collected anonymous from the very beginning helps to devalue it to an attacker and helps to protect the user and provider in the case of a successful attack.
It’s also just good form. Many users might not understand the risk they are taking with their data and it’s important for companies to take that extra step to protect the users.
The next layer is encryption. There is no reason to have communication between IoT devices traversing your network that is not encrypted.
Leaving IoT communication and data unencrypted is asking for trouble.
Even if you implement the first two layers, letting that data fly around unencrypted leaves it open to interception. Encrypt your communication between IoT devices or between a device and its platform.
Make Sure It's All Up-to-Date
The fourth layer is ensuring that all of your firmware, software and security suites are up to date.
Letting any of these fall behind their newest updates can expose you to vulnerabilities that quickly become known by attackers who are keen to exploit such opportunities.
Having a policy in place to rapidly test and deploy any security updates in these areas can go a long way toward protecting your IoT network.
Now we get to the last layer. And that is to test and test again.
My grandfather, who was a carpenter, would always say measure twice and cut once. And though I have never had much of an aptitude for carpentry, it has become a concept I use repeatedly in my life as a technologist.
For me, the measurement is testing: test everything, and test it twice. The cut is my implementation; if I have thoroughly tested my design and then tested it again, it stands to reason that my implementation should go fairly smoothly.
And after I implement it, I will keep testing to make sure everything is working. Testing every layer of your security is a key task, not just to keep your network safe, but also for your peace of mind.
Though the concept of the IoT, at least in a very early form, dates back to Kevin Ashton’s first use in 1999, there is little doubt that the way we know the Internet of Things today will be the way we know it in a decade.
Taking a multilayered approach to security will allow scalability as the networks grow and evolve over time.
Taking a single approach could leave us pigeonholed if something changes and it is not compatible.
But if we are approaching it from multiple layers, then there is always the opportunity to phase in a new layer if another is no longer functional. When you look at IoT security, just think about cake and those delicious layers.