Organizations are discovering new ways to deliver goods and services, with the Internet of Things (IoT) opening up new possibilities — but there are also new security challenges. It is critical to understand the security implications of recording, consuming, storing and transporting data, especially at the development stage of an IoT project.
We invited Gary Alterson, VP of Security Services, and Amir Kashani, VP of Cloud Native Development & IoT Solutions at Rackspace Technology®, to the Cloud Talk podcast. They chatted with technology evangelist and host Jeff DeVerter to share how IoT solutions can be secured.
Tune in to hear about the following topics:
- Best practices for protecting IoT applications in a public cloud environment
- The role of device authentication, identity management and communication encryption
- The importance of determining vulnerabilities and testing communication paths
- Security considerations to make throughout the lifetime of an IoT project
- How to secure hardware and software in an IoT initiative
“Organizations need to take IoT security into account in two ways,” said Gary. “Number one is ensuring equipment manufacturers and the application follow good security practices. Number two is layering security controls for a defense-in-depth approach to protect critical technology. It has to be a chip-to-cloud security solution, as any step in the value chain can be exposed.”
Part of this complete end-to-end security involves securing communications, as Amir explained: “We don't want open communication where anyone can snoop, so end-to-end encryption is critical. This can be a challenge because IoT devices are resource-constrained. Traditional encryption methods for applications or the cloud aren’t applicable. Creativity is required for secure communications. But there is a lack of creativity, which is one of the reasons there are so many IoT device security breaches. Over the years, people have been cutting corners because securing communications is challenging.”
Every device requires security protocols — even thermostat controls for a residential swimming pool. “It may seem like a low-risk activity,” said Amir. “But if it's your pool, it’s a big problem if someone's running up your gas bill or getting into your home network. It's a little bit scary but it's not that hard to fix if you consider security from the beginning.”
Gary detailed how a threat model can be used to embed security into a project from the beginning. “It's worth using the viewpoint of an adversary to take into consideration all the ways someone could do something nefarious. Think through the ways devices can be potentially misused.”
Security vulnerabilities may be identified once the IoT application has been deployed. “We’ve seen many organizations that can't update IoT devices if a vulnerability is found,” said Gary. “The organizations that practice security well can update the device firmware to fix vulnerabilities. They have strategic security practices but recognize that things are going to go wrong.”
When a security vulnerability is identified, Amir explained why remote access is of critical importance. “Now, it might seem counterintuitive but if you've secured communication between your device and your cloud, you can reliably authenticate both ends without letting in any third-party malicious folks.”
Security was not the only topic discussed. Amir also explained how Rackspace Technology helped consulting firm Century Engineering manage stormwater and protect local ecology. Traditionally, water was released into ponds after a rainstorm to prevent flooding, but for wildlife it’s better to retain water until it cools down. A device was built that monitors the pond’s water level and is paired with local weather forecasts. “We’re adding that extra level of technology to benefit the environment,” said Amir.
On the subject of devices, Amir ended with the following advice. “Don't be afraid to move slowly and deliberately. We're in this agile world where we want to move fast. But when you're dealing with hardware, be deliberate because once it's out there, it's hard to get back. Test your devices and make sure you're getting the data and the value you are expecting.”