Opinion: How IoT device manufacturers should take security to the edge

We’ve come a long way from the mainframe computing environments of the ’50s, and you don’t hear much complaining about it. Renting computing power back in the day required you to physically go to the mainframe — an impractical situation at best.

With the advent of distributed computing going mainstream in the ’90s, people all over the world could use networked computers to take advantage of the power of many. Today, Amazon Web Services, Google Cloud, Microsoft, and others are now the horsepower that everyone can tap into. While it seems easy for the end user, connecting to those data centers and then generating data that goes back to the user is actually quite intensive and requires lots of computing power. Enter edge computing.

Edge computing is groundbreaking because it relies almost exclusively on distributed device nodes to perform computations. These smart devices or edge devices typically don’t need much computing power because they aren’t always in use. They might be in a car waiting to give GPS directions or in a smart home device waiting for a command. With these types of on-demand use cases in which data-processing requirements are small, edge computing is without a doubt the way to go. That doesn’t mean it’s a perfect solution, however.

Being able to leverage the power of many devices at the edge is exciting, but securing these devices is somewhat daunting. In order to encourage the continued evolution of the Internet of Things, device manufacturers must lock down security before their products make it into the hands of consumers. The best starting point is encryption.

Taking Security to the Edge

Today, device manufacturers should assume that hackers will intercept data in some way. Instead of trying to build an impenetrable defense for an otherwise simple device, developers must build protocols to encrypt data and decrypt it when it arrives at its destination by leveraging the processing power of the IoT network.

When it comes down to it, encryption should always be a priority. Whether you think data is useful is irrelevant — by the time bad actors have accessed it, it’s too late. In order to encrypt device data transfer and protect your end consumer, ask yourself these three questions:

1. How is information communicated across OSI layers, and what are the limitations?

Encryption in transit protects data, but devices need a mechanism to relay information. The seven-layer Open Systems Interconnection model is useful because it describes how systems communicate over a network, and IoT developers can use it to ensure they’ve thought about encryption for each layer.

For example, encryption consumes more resources, so devices with power limitations (i.e., local power) need to plan for this or offer compensating protocols, such as network segmentation (OSI layer 3). At OSI layers 4 and 6, devices should enforce the highest Transport Layer Security version and be aware of Message Queuing Telemetry Transport. MQTT payload encryption also protects messaging at the application layer (OSI layer 7). Given the constraints of IoT with little memory, sessions (OSI layer 5) should leverage session resumption to save resources.

2. How does the device get connected?

How does the device connect to the internet? What network is it a part of? The device should be enforcing strong encryption to whatever it’s connecting to, so it needs to have the ability to either make the connection secure or not connect at all.

Recently, researchers discovered a vulnerability in WPA2 protocol that allowed hackers to steal encrypted data and infect devices with malware by exploiting access points with weak defenses. These key reinstallation attacks illustrate the importance of strong encryption for all network-connected devices, from smart thermostats to IoT refrigerators. 

3. How are you encrypting the data that resides on the device?

Devices typically just encrypt data as it’s passed through, but to improve performance, some of them will likely store data in a cache temporarily. For example, a user might store passwords on his or her device for easy login. These storage locations are inherently vulnerable, and they must be permanently encrypted if device manufacturers are hoping to keep stored data safe from outside threats.

The end user shouldn’t have to worry about security no matter what type of device he or she is using or how it’s secured. Instead, IoT manufacturers must endeavour to harden their devices according to the IEEE framework instead of sending them out in a rush.

Interested in hearing industry leaders discuss subjects like this? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data Expo, and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam.

Original article: Opinion: How IoT device manufacturers should take security to the edge
Author: Brad.Thies