IoT generates constant unstructured data that organizations stream, use for analytics and potentially drown in.
With the exponential growth of unstructured big data, organizations have been unable to keep pace with the processing and storage requirements needed to support IoT data. That leaves the cloud as a scalable resource that organizations can provision as needed for IoT data capture and processing. However, IT admins taking on cloud resources must also address the defense of IoT cloud data from hackers. The urgency to protect IoT data has only grown stronger each year.
In December 2020, a class action suit was launched against Ring and Amazon, alleging that hackers took over users' smart cameras in their homes. In 2021, 20/20 Eye Care Network discovered that data was removed from the S3 buckets hosted in its Amazon Web Services (AWS) environment. The fear was that hackers might have gained access to the names, addresses, Social Security numbers, member identification numbers, dates of birth and health insurance information for some or all of 20/20's health plan members.
As more organizations use the cloud for IoT, the risk of security incursions continues to grow. These risks include unsecure data flows between the cloud and the edge computing environments, lack of IT expertise in configuring the cloud for maximum security and data breaches that compromise data integrity and customer and client data privacy.
What can organizations do to secure their cloud IoT?
IT administrators do not have to secure the cloud alone. Cloud IoT providers have tools and resources to assist corporate IT in implementing and maintaining rigorous IoT security. The key is finding a best fit IoT cloud vendor that can work with an organization to achieve IoT security goals.
1. Request the latest security audits from cloud IoT providers
In a 2021 report, IBM concluded that two out of three security breaches in the cloud potentially could have been prevented by hardening systems with security policies and patching systems.
Not all vendor cloud environments are created equal for IoT security. Organizations must request a copy of cloud IoT vendors' latest IT security audits and a copy of security policies before inking any cloud IoT agreements.
2. Take advantage of the security options that cloud providers offer
Many organizations implement cloud offerings with security features but then neglect to enact the available features that could protect their IoT. The major cloud providers provide IoT device monitoring and security, encryption of IoT data in transit and at rest, checks for security vulnerabilities for IT admins to fix before a data breach and strong network communications security. But organizations using cloud resources must take the time to configure these security options. Alternatively, organizations without IoT security expertise or resources can consult with the cloud vendor and have the vendor do the security setup for them.
3. Use the cloud to further secure IoT devices
Many IoT devices come with limited security presets. It is up to IT admins to reset parameters on devices to enforce the needed security levels. However, above and beyond setting security on IoT devices, the cloud can provide additional help for IoT device security. IoT middleware on the cloud sits between IoT devices and the applications they access. Middleware can monitor IoT device activity and ensure authorization of the devices requesting access to applications and data. Cloud IoT security middleware can also check for security vulnerabilities when logging the connections between IoT devices and applications. If an IoT device exhibits unusual behavior that suggests a security breach, it can immediately issue an alert. These cloud IoT security solutions backup the security configurations of IoT devices that IT admins adopt.
4. Define the division of labor between enterprise IT and the cloud vendor
When enterprise IT and a cloud IoT vendor enter an agreement, a contract spells out each party's responsibilities. It is often in the enterprise's best interests not to go with the default agreement.
For example, if a small company lacks the IT bandwidth or expertise to patrol their own IoT security, they might want the cloud IoT vendor to do it for them. Instead, they could ask for a specialized service contract with the vendor beyond the initial baseline contract.
The service contract should denote the IoT security responsibilities of the cloud vendor and the organization's IT team. The agreement should clarify:
- who monitors all IoT activity and intercedes when security alerts are issued;
- who implements software security updates and ensures that they are working properly;
- who encrypts data that is at rest and in motion; and
- who defines user levels of IoT authorization.
These are a few cloud IoT security responsibilities that IT teams and the cloud IoT provider must decide.
5. Take advantage of the cloud to enact security protocols
Secure network protocols -- including the message-passing protocol, point-to-point encryption and security certificates -- are critical for overall cloud security. Cloud providers grant certificates and private security keys to their users, which must be generated for each IoT device individually.
6. Segment networks
Each company will decide its own cloud IoT architecture, but one emerging best practice is to keep internal corporate and external business partner or customer networks in the cloud separate. Segmentation limits and contains an IoT security issue that surfaces within one network within that network.