An Internet of Things (IoT) solution offers a multitude of business benefits from decreased operational costs to new revenue streams. But it also comes with a host of security considerations, including an ever-changing array of regulatory compliance requirements, demanding expert navigation and acute attention to detail.
Below I’ve listed some of the critical questions to ask when deploying a secure IoT solution. To learn more about IoT security, be sure to register for the IoT in Action event in San Francisco on January 13.
How secure are your things?
For starters, the actual devices must be secure. In the next few years, a new wave of innovation will drive down costs and inundate the market with internet-connected devices in every price range, from electronic toys to manufacturing sensors. In anticipation of this, my Microsoft colleagues have identified The seven properties of highly secure devices. I have listed out each of these properties below, along with the fundamental questions you must ask:
- The hardware-based root of trust: Does each device have a unique identity that is inseparable from the hardware?
- Small trusted computing base: Is most of the device’s software outside its trusted computing base?
- Defense in depth: Does your device software have multiple layers of protection built-in?
- Compartmentalization: Are you using hardware-enforced barriers to stop failures from propagating to other components?
- Certificates-based authentication: Do your devices use certificates (vs. passwords)?
- Renewable security: Can the device’s software be updated automatically to a more secure state?
- Failure reporting: Do you have a solution in place to report software failures to the manufacturer?
How secure are your connections?
More to the point, when you’ve got a bunch of devices talking to each other over the internet, how will you safeguard data confidentiality and integrity? When choosing an IoT monitoring and connection solution, make sure that it is using industry-proven data encryption. Solutions like the Azure IoT Suite secure the internet connection between the IoT device and IoT hub using the Transport Layer Security (TLS) standard.
Another question to ask is how you will prevent unsolicited inbound connections from wreaking havoc on your devices? Make sure that only devices are allowed to initiate connections and not the IoT hub. And speaking of the IoT hub: make sure that the one you’re using has the capability of maintaining a per-device queue – meaning that it can store messages for devices and wait for the devices to connect. For more on this topic, be sure to read IoT security from the ground up.
How secure is your cloud solution?
Is your cloud provider following rigorous security best practices? When choosing a cloud provider, make sure you pay careful attention to how they are handling the following areas.
- Network traffic segregation: Is IoT traffic segregated from other network traffic using an IoT gateway or other means?
- Monitoring: How is network traffic being monitored? How will you know if any credentials are compromised or if unmanaged devices are accessing your cloud services?
- Security controls: How well do you know your cloud provider’s SLA (service-level agreement)? Which security controls are being maintained by your provider and which will you need to address internally?
- Encryption and security key management: Does your IoT solution allow you to define access control policies for each security key? Is data in the cloud encrypted?
Have you registered for IoT in Action in San Francisco, CA on February 13, 2018?
These questions only scratch the broad surface of IoT security. To learn more about securing your IoT solution, register for this free, one-day event. You’ll hear from the researchers behind The seven properties of highly secured devices and see an IoT solution come to life before your eyes. You’ll also get insights into how Microsoft addresses IoT security through its Azure solutions. Plus, connect with partners who can help you bring your IoT solution from concept to reality. View the full agenda.