Olympic high diving requires concentration and self-control. Before divers jump off a 10-meter platform, they pause at the edge and concentrate on their goal: elegantly perform the acrobatic maneuver and gracefully pierce the water causing minimum surface disturbance. This same disciplined approach is required when adopting new and revolutionary technologies, such as those now available through the Internet of Things (IoT). Decision makers must assess the risks and benefits, consider potential difficulties, and then take the jump.
In this and the accompanying blog written by our colleague Charles White from our technology partner Fornetix, we discuss the three most important things you should do before you dive into IoT, and how you can identify common pitfalls to ensure you adopt this new technology with confidence.
Interconnected IoT devices are deployed primarily to collect data. Algorithms analyze numerous data parameters and identify trends that then enable applications to deliver innovative services. Because data is at the center of IoT, and because this data is often associated with the people who are ultimately the recipients of the services, keeping the data confidential is paramount. From the point where data is collected to the on-premises and cloud-based datacenters where it is stored and processed, three things must be true:
- IoT devices must be trusted to be authentic
- The integrity and confidentiality of the data they collect must be preserved at all times
- The enterprise must maintain control across the entire process
The growing dependence on the services delivered by Internet-connected IoT devices means that we must trust the devices, the data they collect, and the decisions they make for us as consumers of their services. Ever wondered if your smart phone and ride-share application have accurately determined your location, and if your ride really is just around the corner? Or more importantly, are insulin doses delivered by connected medical device accurate and timely?
Trusting devices starts by ensuring they are authentic and authorized to be part of the specific service ecosystem upon which you have come to depend. To ensure this, digital credentials are injected in IoT devices to give them identities that can be authenticated once the devices become part of a service. And it does not stop with deployment! Software and firmware running in IoT devices is regularly updated, and this presents a perfect vector for malware to infect devices and compromise entire systems. Therefore, code signing is also critically important to ensure continued confidence in devices.
Keeping data collected by IoT devices confidential and unaltered across the complex networks it may traverse requires encryption and hashing techniques to mask data from unauthorized entities and to ensure it cannot be changed. While keeping IoT-collected data confidential is important, so too is maintaining its integrity to ensure applications make the right predictions and decisions and ultimately deliver the specific services consumers expect.
The scale and distributed nature of the IoT makes maintaining control of devices and data daunting. Nevertheless, it is imperative that enterprises adopting IoT technologies maintain control over their devices, the data they collect, the services they deliver, and the cryptography that protects the data. This ensures the technology does not compromise the privacy, security, and safety of end users.
Underpinning the techniques we have described above (credentialing to authenticate devices, code signing to validate integrity of software and firmware, encryption to protect data confidentiality, and hashing to preserve data integrity), are cryptographic keys that must always be protected to ensure the security of these processes. The exponentially growing number of IoT devices and data makes safeguarding and managing keys at scale challenging. Fortunately, tried and true technologies exist to provide trust, integrity, and control. Hardware security modules (HSMs) play a critical role in safeguarding and managing keys used to sign device and code credentials, and to encrypt and hash data.
Safe Diving with a Root of Trust
As we entrust the IoT to help run our lives and enhance our well-being, we need a strong root of trust we can depend on to protect the data critical to all IoT ecosystems and to extend control of IoT key management services from data center to the cloud and on to the edge of our network.