It's great to see the abundance of cyber and information security discussion and activity by regulators of late. In January, the FTC released a report, Careful Connections: Building Security in the Internet of Things, providing guidance to businesses on how to approach securing the Internet of Things. While the report is focused on consumer use cases and is not a detailed technical guide to securing an IoT ecosystem, it does outline some key guiding principles for thinking about and building an IoT solution.
The following covers some of the salient points that resonated particularly with GlobalSign's approach and thinking on securing and managing identity in the IoT.
1. Consider security from the start
The first idea, and perhaps the most critical one from the secure IoT playbook, is to start with the fundamentals and implement security from the outset. This is an excellent point, even though it may seem obvious. Given the general approach and constraints facing many IoT-focused solutions, security is rarely the primary focus.
Most often, key effort and investment go into the value proposition first, with little consideration given to ensuring the secure operation of the platform, since adding security often appears to deliver only marginal direct benefit. However, ignoring or delaying security is tremendously short-sighted for any IoT practitioner, as it's difficult to envision an IoT solution that generates value without providing an environment its users trust. To address the difficulty of prioritizing resources for security, a wise recommendation is to embrace a risk-based approach: identify the most sensitive components of your system and allocate effort and resources to those areas first.
2. Leverage existing technology
The next recommendation I wanted to highlight is the approach of leveraging what experts have already learned about information security. The report's example of using standard encryption techniques is particularly relevant to GlobalSign's PKI product portfolio. Building this concept out a bit further, I would propose applying it aggressively to IoT security and trust. Although many new IoT devices have constraints that restrict which existing internet security protocols and approaches they can use, many others are perfectly capable of integrating and consuming existing standards and best practices. In this area, we're currently working with IoT solution providers to build trust and security using tools like PKI, OAuth, and SAML.
The report also covers two distinct but interrelated ideas: first, designing your product with authentication in mind, and second, considering how to limit permissions. In more traditional information security terms, these are authentication (proving who or what a device or user is) and authorization (deciding what that identity is allowed to do). These two concepts are key pillars that need to be addressed and built into any IoT deployment.
3. Security goes beyond your organization
The last point I'd like to recap relates to the FTC's top-level theme of building strong security fundamentals and an organizational culture around them. The idea is to ensure that when outside service providers are hired, those providers are capable of maintaining reasonable security, and that your organization is equipped to provide appropriate oversight of them. One way to aid this practice is to bootstrap IoT security requirements on top of existing security control frameworks such as ISO or WebTrust compliance. It's a given that the IoT will bring its own concerns to the table as it matures, but these existing accreditations and audits will serve as a useful initial benchmark for selecting quality, secure providers in the near term.
Overall, this report offers strong themes and opinions that can help the organizations shaping the Internet of Everything to develop a sound security mindset and initial ecosystem. With great opportunity often comes great risk; with the right conversations and leadership, hopefully we'll move as an industry to build IoT solutions that deliver and capture value while maintaining security and trust.