Asking the Right Questions About IoT Security


In some ways security is like physics or philosophy. In these disciplines an answer leads to more questions and ultimate solutions hover just outside of our reach. To be successful in these fields you have to be passionate about finding answers, but most importantly, you have to love the questions.


When I’m asked about what Dell is doing about security and the Internet of Things (IoT), I talk about the many aspects of our security practice we are bringing to bear on the issues. Our teams, from SonicWall and SecureWorks to endpoint protection, have a wealth of relevant expertise. I also like to outline the landscape and challenges our industry is facing relative to IoT. The answers to these questions are what the future of IoT will turn on. Let’s take a look.

What are IoT devices? 

What are the implications of these generally accessible devices and their precious cargos of data? In the IT space we have focused on securing users and their devices for many years, but IoT sensing devices are different. While similar devices have been around for a long time doing machine-to-machine communications behind firewalls, they are now in a new context. They are also massive in number, with protocols and network topologies that are unfamiliar to IT. The fact that they are not connected to users makes them a special class without identity profiles or connected passwords.

What’s new about IoT data?

Since it will be hard to secure IoT devices as endpoints, we need to take up a renewed focus on securing the data itself. In IoT, data needs to move freely through the ecosystem and be accessible at various steps along the way. This means developing new methods for securing the data that allow its free flow to the right locations. This will likely require evolved types of encryption and bring new challenges for wrapping data.

This is all quite different from traditional IT, where the network is responsible for getting byte streams from one endpoint to another without much consideration of what is inside the packets. Multi-tier aggregation, edge analytics and stream computing require decryption of the data at various steps along the way. Managing all of this involves a great deal of complexity.

Based on what we are seeing, IoT security will be relatively weak at the sensing device level for the foreseeable future. As a result, the ability to detect security anomalies in the data stream based on baseline norms and multi-factor verification of the data will be critical.

Openness and security, what are the implications?

Many in the industry are calling for openness in standards for IoT, and we at Dell consider this essential, since the real power of IoT is integration of data across device silos and with other sources of Internet data (weather, market, logistics) and enterprise data (ERP, CRM). The question is how to allow for the free flow of data while building in security. Dell is a member of the Open Interconnect Consortium and there are other standards bodies at work. This question of standards will continue to shape and outline the future course of IoT security.

What are the crown jewels when it comes to IoT security?

One of the first security questions turns on what needs to be protected. Data can be used in so many ways in IoT. It can be used to control processes at the edge of a network, as in the case of building automation. It can also be used to make real-time business decisions, and it can be used for long-term modeling. Understanding what is important to protect, and the best methods for protecting it, are seemingly simple questions that hide a lot of complexity.

What is the security relationship between the components of IoT?

There is a complex series of relationships between devices, gateways, and backend cloud systems. Determining the appropriate level of security at each step in the IoT data lifecycle, given that the sensitivity of data tends to increase exponentially as the span of aggregation increases, is an important facet of these relationships.

What about security governance considerations?

When data is decrypted at various steps along the path, it impacts governance requirements. How do we maintain chain of custody records and deal with data provenance with so many data touch points?

We will be sharing more about the IoT security landscape as well as some of our solutions soon. As you listen to the conversations that are swirling around securing IoT, be sure to keep your focus on the questions. IoT is new and questions will be the order of the day for some time to come.

About the Author: Ken Blackwell
