Overcoming IoT device vulnerability with edge computing
From espionage to competitive intelligence and state-sponsored initiatives, it’s clear that hackers crave fame and cyberattacks are rampant. Security best practices can mitigate risks and safeguard organizations’ most precious digital assets at the edge, in the cloud and within their primary data centers. In the past, organizations have struggled with force-fitting data center security practices into edge computing sites. To overcome this issue, IT is now in the era of learning from the innovation of edge computing and applying these best practices to the data center.
The checklist for edge computing requirements that have historically been considered important include high uptime, low cost, remote management and security. These mandates are now bleeding quickly into other areas such as the cloud and data center. One particular trend on the upswing is the criticality that these benefits bring to IoT devices. These benefits are clearly translated today into other configurations because easier management of data anywhere has become paramount. In fact, 76% of risk professionals believe that cyberattacks on their organizations are likely to be executed through IoT, according to a Ponemon Institute and Shared Assessments survey.
Understanding the inherent security risks in IoT devices
Unprecedented amounts of data are now being distributed from IoT devices in vertical markets such as manufacturing, smart cities and video surveillance. In today’s world, IoT data is frighteningly exposed to the outside world with the simple addition of an IP address.
In addition, the COVID-19 pandemic has given cyber criminals more time to execute malicious attacks and breach mitigation has never been more important. As a result, organizations are more driven than ever before to ensure IoT devices are not hacked. To add to the fear factor, fewer than 20% of respondents from the Ponemon Institute and Shared Assessments study can identify the majority of their organization’s IoT devices.
As more and more compliance initiatives are introduced, IT security solutions that offer more functionality with less dollars are becoming increasingly available. Vendors are rolling out affordable solutions that are flexible, easy to use and provide robust features to manage complex data security requirements.
Why edge benefits translate into easier management of data
Traditionally, device information has been connected to a local server in an isolated configuration. For example, magnetic resonance imaging machines are connected to a single computer or manufacturing device to achieve data management and encryption. In particular, the healthcare IT market must encrypt data to meet compliance regulation pressures. Because IoT devices inherently attach an IP address to the data, that information connects to the external world in an unsecured manner, opening an attack surface for cybercriminals. Essentially, 98% of all IoT device traffic is unencrypted, exposing sensitive personal and confidential data on the network, according to a Paloalto Networks 2020 Unit 42 IoT Threat Report.
Organizations must consider how they got here. For example, smart cities are connected and data from all of the IoT devices are collected by local computers to make it easy to analyze data in real time. This type of technology enables IoT devices to conduct 24/7 monitoring of traffic and traffic patterns along with video surveillance. Though efficiencies have improved because of connectivity, if a city’s system is hacked because proper encryption was not deployed, chaos would ensue. If a manufacturing site such as a vehicle production line’s video surveillance system were to be hacked, one manufacturer would gain access to its competitor’s production line, delivering instant competitive intelligence about how the competitor’s products are made.
It’s a well-known fact that encryption cannot be deployed without a key management system in place. In the past, key management was carried out on large, expensive hardware security modules. There are new ways for IT to deploy key management techniques that are low-cost, easy to use and no longer require a dedicated hardware appliance. A centralized key manager that can support encryption for thousands of IoT devices is critical since there are typically thousands of devices to manage, and the old approach to key management just won’t support this new use case.
How will organizations get there?
Proper encryption within an IoT environment needs to be carefully planned. It should adhere to a defined security policy that implements best practices around key creation, rotation and destruction. It should also include a thoughtful identity management plan that layers encryption across the device ecosystem to reduce points of entry and limits attack vectors. The best practices when implementing key management into organizations’ IoT environment include:
- Generate unique keys for each device. If devices share a key that becomes compromised, then each device is also compromised.
- Implement policies such as re-key operations that replace old keys on a regular schedule.
- Encrypt traffic between devices and their key manager.
- Include role-based access control to implement separation of encryption duties to ensure only authorized users can access the keys.
IoT reveals that capturing all data is useful to learning about customer behaviors, but it undoubtedly opens up the door for various attack vectors. To underscore the criticality of today’s IoT agendas, worldwide spending on software and hardware around IoT is projected to grow rapidly to $1.1 trillion in 2023, according to IDC. In 2020, organization can learn a lot about the innovation happening at the edge and apply these best practices to the data center or cloud.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.