5 Recommendations to Secure the Internet of Things
Former RSA CTO Deepak Taneja has called the lack of IoT security a
“time bomb.” During a panel discussion at TIE Startup Con in May 2015, Taneja said
that technology is advancing at a rate that’s outstripping enterprises’ ability to secure
internal and cloud resources, and then along comes IoT in the form of all sorts of networked
sensors and gadgets. “Organizations aren’t spending that much on security. It’s increasing,
but it’s not enough and IoT only makes it worse. So it is a time bomb.”
Take a hospital as an example. Virtually every medical device — from the bedside machine
monitoring a patient’s vital signs to MRI machines — is connected to a network in order to
effectively communicate, share data, and improve collaboration among medical personnel. Very
few of these have any security technologies to protect them from attackers either stealing
information or easily taking control of these devices.
As the connected world grows, each layer of technology needs to incorporate identity to
secure the object, its access, and every transaction. Once we start to formulate a plan for
each disconnected “thing” morphing into an intelligent and connected item, it becomes
obvious that password security is obsolete and there is a need for a technology that is
compatible, open, scalable, and proven trustworthy.
Firewalls, gates, doors, and fences no longer guard our security. The
new perimeter is our identity. We need to secure this identity to prevent attackers from
accessing our home security cameras and stealing our photo collections, bank statements, and
medical records.
Identity protection must be embedded into the base platform on which our next-generation
technology is being built, so that we can establish trust in day-to-day items and interact
with our connected world confidently.
According to the Open Web Application Security Project (OWASP), a
worldwide not-for-profit charitable organization focused on improving the security of
software, “attackers use weak passwords, insecure password recovery mechanisms, poorly
protected credentials or lack of granular access control to access a particular interface.”
As the connected world expands, each layer of technology needs to incorporate identity to
secure the object and its access.
Securing IoT requires a technology that is compatible with all devices, especially
considering that some existing “dumb” devices can be made “intelligent,” creating a mix of
old and new machines running on disparate systems and technologies that must communicate.
Security must be open, scalable, and proven trustworthy. The solution lies in this equation:
Card + Cert + PIN
According to OWASP, authentication is not sufficient when weak passwords are used or are
poorly protected. Insufficient authentication/authorization is nonetheless common, because
organizations assume that interfaces will only be exposed to users on internal networks and
not to external users on other networks.
The solution is to implement multifactor authentication, which significantly strengthens the
authentication process because it aims to remove the password, eliminating many of the
methods attackers commonly and successfully use.
How it works: combine something you have (e.g., a smart card provisioned with a digital
certificate) with something you know (your PIN) to gain access to the data you need — or to
buildings and networks, for that matter — while ensuring that the organizations you interact
with are secure.
Digital certificates are the proven means of securing an identity.
Traditionally a complex and expensive system, certificates are now available from many
vendors that provide them to organizations more cost-effectively via the cloud.
A cloud-based service can deliver a company-owned certificate, an Internet-based
certificate, or a government-generated certificate into any form of credential that will
protect an identity based on whichever standard is adopted by the user.
An identity can be used across different environments using the same technology. The
significant advantage of this method is that it removes the proliferation of passwords,
duplication of identities, and counterfeiting of goods. A digital certificate cannot be
copied, altered, or transplanted from a credential.
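Worked example, added here and not taken from the article or from any vendor's product: the Card + Cert + PIN exchange described under "How it works" above, together with the certificate checks of the preceding paragraphs, modelled in Go using only the standard library. The card holds the private key and checks the PIN locally, so the PIN never leaves the card and no password crosses the network; the verifier issues a fresh random challenge, checks that the presented certificate chains to a CA it trusts and is valid for client authentication, and verifies the signature over the challenge. The CA name "Example Corp Root CA", the user "alice", the PIN values and the three-attempt lockout are constructed assumptions for this demo, not details from the article.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const maxPINRetries = 3

// SmartCard is "something you have": its private key never leaves it, and signing needs the PIN ("something you know").
type SmartCard struct {
	CertDER []byte
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
	retries int
}

// Sign signs the challenge only for the correct PIN; repeated wrong PINs block the card.
func (c *SmartCard) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.retries == 0 {
		return nil, errors.New("card blocked after too many wrong PINs")
	}
	if h := sha256.Sum256([]byte(pin)); subtle.ConstantTimeCompare(h[:], c.pinHash[:]) != 1 {
		c.retries--
		return nil, errors.New("wrong PIN")
	}
	c.retries = maxPINRetries
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Verifier is the relying party: it holds trusted CA roots and never sees a password or PIN.
type Verifier struct{ roots *x509.CertPool }

// Authenticate returns the cert's subject if it chains to a trusted root, allows client auth, and the signature verifies.
func (v *Verifier) Authenticate(certDER, challenge, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // untrusted issuer, expired, or not a client-auth certificate
	}
	digest := sha256.Sum256(challenge)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("signature does not verify")
	}
	return cert.Subject.CommonName, nil
}

// Login runs the exchange: fresh random challenge (no replay), PIN-gated signature, then chain and signature checks.
func Login(v *Verifier, card *SmartCard, pin string) (string, error) {
	challenge := make([]byte, 32)
	must(rand.Read(challenge))
	sig, err := card.Sign(pin, challenge)
	if err != nil {
		return "", err
	}
	return v.Authenticate(card.CertDER, challenge, sig)
}

// Setup is constructed enrolment: placeholder root CA "Example Corp Root CA" issues a client-auth cert to card user "alice".
func Setup(pin string) (*Verifier, *SmartCard) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cardKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))))
	user := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userDER := must(x509.CreateCertificate(rand.Reader, user, caCert, &cardKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	card := &SmartCard{CertDER: userDER, priv: cardKey, pinHash: sha256.Sum256([]byte(pin)), retries: maxPINRetries}
	return &Verifier{roots: roots}, card
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	v, card := Setup("1234")
	fmt.Println(Login(v, card, "1234")) // alice <nil>
	fmt.Println(Login(v, card, "0000")) // empty name and the error "wrong PIN"
}
```

Run it with go run. Three properties of the exchange are worth noting: a captured signature is useless against a later login because the challenge changes every time; a card carrying a certificate from a CA the verifier does not trust is rejected before any signature is examined; and a lost card cannot simply be guessed open, because the PIN check and the lockout happen on the card rather than at the server. A real deployment would keep the key in card hardware and add revocation checking (CRL or OCSP) on the verifier side; both are outside this sketch.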
From protecting your log-on across multiple sites to encrypting your email and hard disk,
embrace multifactor authentication to avoid being the next victim.