Most of the ‘things’ that make up the IoT are produced by companies that have never thought about connectivity security. How are manufacturers of home appliances supposed to know what a good connected version of a refrigerator or coffee maker should be?
The benefits of the IoT derive from connectivity: for consumers, it might mean receiving an alert at work or while watching a football match that there’s a problem with their domestic heating, lighting or security system. Or it may help them to improve their health and fitness by tracking various biometric values, from heart rate to blood sugar levels. For manufacturers of connected products, it means gathering valuable data on how people are using their products – when, where, what features and how frequently.
But the pathways that deliver the benefits also introduce security risks. Without the proper security mechanisms in place, data traversing the public Internet is vulnerable to hackers. Manufacturers of IoT connected products need to not only address the security of products themselves, but also the entire connected pathway. If they’re doing business in the EU, they also need to abide by the strict regulations about the sharing of personally identifiable information.
Starting in the platform
IoT security must extend seamlessly from the connected product to the cloud and to the web or mobile application that controls the product. This means that manufacturers that lack expertise in disciplines such as network security suddenly must figure out which protocols and standards to use, how to balance access with security, and how to integrate handoffs at all steps along the IoT pathway.
In most cases, a wiser approach for manufacturers will be to choose a ready-made IoT platform that provides comprehensive, end-to-end, integrated technology. For example, a good IoT platform will embody the standard Authentication, Authorisation and Accounting (AAA) approach to security that arose in IP-based networking realms.
The three A’s of AAA security are:
• Authentication, which determines who or what you are. It’s the process of identifying an individual person, usually based on a username and password. It’s based on the principle that each user has unique information that can distinguish him or her from all other users.
• Authorisation, which determines what you are allowed to do and see. It’s the process of granting or denying a user access to network resources after the user has been authenticated with a username and password, using the authorisation level to determine what information and services the user has access to.
• Accounting, which determines what you did while connected. It’s the process of tracking a user’s activity while accessing the network’s resources. It can include the amount of time spent on the network, the services accessed, and the amount of data transferred during a given session. Accounting data can be used for trend analysis, capacity planning, billing, auditing and cost allocation, as well as for security reasons.
The IoT platform developed by Ayla Networks includes embedded virtual agents: software that is embedded onto communications chips and modules from leading semiconductor manufacturers, and run on IoT products or IoT product gateways. These embedded agents incorporate a fully optimised, fully tested network stack along with additional protocols to connect products to Ayla Cloud services.
For example, designers of connected products can choose Ayla-specific versions of communications controllers and modules from a range of companies, including Broadcom, Qualcomm, Marvell, STMicroelectronics and NXP Semiconductors, which all sell products with the Ayla virtual agent embedded on-chip.
Systems with these chips and modules can immediately connect to the IoT platform from Ayla. No further financial or other resources are needed for software or hardware design, and there is no need for a smart gateway to provision and control the device.
Security is built into the chips and modules from the get-go. Security at the chip level starts with encryption to prevent spooking, also known as IP address forgery, in which an attacker masquerades as a trusted host for the purpose of hijacking a browser or gaining access to a network. Chip-level security also includes encryption key transmission protocols such as SSL (Secure Sockets Layer) designed to get data safely to its destination.
Once IoT data reaches the cloud, cloud security must encompass both computer and network security protocols and measures. Cloud security must take into account all the cloud deployment models - private, public and hybrid - as well as issues of virtualization. Importantly for manufacturers doing business in the EU, Ayla operates a European cloud, supported by the AWS EU (Frankfurt) Region cloud infrastructure, that is compliant with EU data privacy policies.
Embedding Ayla agent software into Wi-Fi-based modules enables manufacturers to add cloud connectivity along with wireless connectivity for their IoT products, without doing custom coding. Therefore, manufacturers get to market more quickly and cost-effectively with better-performing and more secure connected products.
Now and for the future
Delivering IoT security is not a one-time process. Rather, it is an ongoing effort that must respond to new threats as they emerge and handle new technologies as they emerge.
An ideal IoT platform must include enough built-in flexibility to enable manufacturers to improve the level of security they offer with new products. In addition, however, it must also allow manufacturers to update the security of products already deployed in people’s homes and workplaces.
New security threats are bound to proliferate, and new IoT solutions will surely come to market. A properly designed end-to-end IoT platform should evolve and respond easily to these changes. It must continue to win end users’ confidence that their use of IoT products and applications will not jeopardize their privacy or safety.
An effective IoT platform must also fulfill the crucial benefit to manufacturers of allowing them to learn quickly from their successes and mistakes, using the data generated by their connected products to iterate toward increasingly better versions of their products. And it should do so while maintaining the highest security standards, throughout the entire IoT spectrum.
| Applying and co-ordinating the AAA approach |
An IoT platform can apply and coordinate the AAA approach all the way from connected product to cloud to control application. Ideally, an IoT platform lets manufacturers of connected products:
- Protect the privacy of their end-user customers’ data, for compliance with regulations and to protect the manufacturer’s brand reputation;
- Encrypt all user-identifiable information to protect data in transit to or from the cloud;
- Manage access (authentication), authorisation and accounting for all users and all of a manufacturer’s connected products;
- Prevent distributed denial of service attacks;
- Prevent devices from other manufactures from accessing their connected products’ data;
- Handle lost or stolen products, including the ability to remotely wipe out all or some data or disable products’ connectivity.
Adrian Caceres is chief technology officer and vice president of engineering with Ayla Networks