Citrix Labs continues to explore the effects of the Internet of Things on our customers.
We'd love to hear from you! Please take our IoT survey and register for our IoT and Security Webinar.
This article continues a series of articles on the Internet of Things from the perspective of the Citrix Labs research and development organization. The series began with a discussion of the intersection of the Internet of Things and the enterprise to provide a software-defined workspace. In the next post we presented important security challenges to consider when the influx of connected devices of every size and description arrives in the enterprise. Today we will explore the topic of IoT security in more depth.
When I think of security, the first thing that comes to mind is encryption.
While keeping information confidential is certainly important, significantly more than cryptography is required to secure the IoT. Why? First, there is more to security than just confidentiality, as a review of information security fundamentals will remind us. Second, a different set of security requirements applies to each layer of the IoT stack. In this article we will examine how the security model for the actual IoT devices differs from the security model for communication between devices, which in turn differs from the security model for the IoT services that manage all the devices and collect their data.
Security Fundamentals
If encryption is not enough to secure the Internet of Things, then what else is needed? To answer that, let us quickly review some well-established information security principles, starting with the classic "CIA" security triad. Over the years, the CIA triad has expanded to include other notable security goals such as non-repudiation, authenticity and privacy.
A Simple IoT Framework
To apply these security principles to the IoT, we need to define an IoT framework. For purposes of this discussion, we will divide the IoT into a simplified framework of three layers.
Securing the Device Layer
This layer of the framework is the intersection of people, places and things. These things can be simple devices like connected thermometers and lightbulbs or complex devices such as medical instruments and production equipment. For security to be fully implemented in the Internet of Things, it must be designed and built into the devices themselves. This means that IoT devices must be able to prove their identity to maintain authenticity, sign and encrypt their data to maintain integrity, and limit locally stored data to protect privacy. The security model for devices must be strict enough to prevent unauthorized use, but flexible enough to support secure, ad hoc interactions with humans and other devices on a temporary basis. For example, you want to prevent someone from changing the rate on a connected parking meter, but the meter still has to offer a secure interface that lets a driver reserve and pay for a parking space for a limited time.
Since IoT devices will eventually exist everywhere in the environment, physical security is also important. This creates the need for tamper resistance: designing devices so that it is difficult to extract sensitive information such as personal data, cryptographic keys or credentials. Finally, we expect IoT devices to have a long life, so software updates are important to address the inevitable exploits that may be discovered after their release.
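The requirement that a device prove its identity and protect the integrity of its data can be sketched as follows. This is an added example, not code from Citrix Labs: it substitutes an HMAC-SHA256 tag under a per-device shared key for a true digital signature so that it runs on the Python standard library alone, it does not encrypt the payload, and the device id, key and field names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed provisioning table: device id -> per-device secret (hypothetical).
DEVICE_KEYS = {"meter-0017": bytes.fromhex("00112233445566778899aabbccddeeff")}
_last_counter = {}  # highest counter accepted so far, per device


def _tag(key, device_id, counter, payload):
    # The MAC binds identity, counter and payload together.
    msg = json.dumps([device_id, counter, payload], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def device_send(device_id, key, counter, payload):
    """Device side: wrap a reading in an authenticated envelope."""
    return {"id": device_id, "ctr": counter, "data": payload,
            "mac": _tag(key, device_id, counter, payload)}


def gateway_verify(env):
    """Receiver side: return (accepted, reason) for one envelope."""
    device_id, counter = env.get("id"), env.get("ctr")
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False, "unknown device"
    if not isinstance(counter, int):
        return False, "bad counter"
    expected = _tag(key, device_id, counter, env.get("data"))
    supplied = str(env.get("mac", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad mac"
    if counter <= _last_counter.get(device_id, -1):
        return False, "replayed counter"
    _last_counter[device_id] = counter  # advance only after the MAC checks out
    return True, "ok"
```

A shared-key MAC lets the receiver authenticate the device but cannot support non-repudiation, since both sides hold the same key; that goal needs an asymmetric signature with the private key kept in tamper-resistant storage on the device.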
Securing the Gateway Layer
This layer of the IoT framework provides connectivity and messaging between things and cloud services. Communication in the Internet of Things usually runs over a combination of private and public networks, so securing the traffic is of course important. This is probably the best-understood area of IoT security, with technologies such as TLS/SSL encryption ideally suited to solving the problem. The primary difficulty arises when you consider the challenges of cryptography on devices with limited resources, that is, 8-bit microcontrollers with limited RAM. For example, an Arduino Uno takes up to 3 minutes to encrypt a test payload when using an RSA 1024-bit key, but an elliptic curve digital signature algorithm (ECDSA) at a comparable RSA key length can encrypt the same payload in 0.3 seconds. This indicates that device manufacturers cannot use scarce resources as an excuse to avoid building security into their products.
Another security consideration for the gateway layer is that many IoT devices communicate using protocols other than Wi-Fi. This means that the IoT gateway is responsible for maintaining confidentiality, integrity and availability while translating between different wireless protocols, for example from Z-Wave or ZigBee to Wi-Fi.
Securing the Service Layer
This layer of the framework is the management system of the Internet of Things and is responsible for onboarding devices and users, applying policies and rules, and orchestrating automation across different devices. Role-based access control, which manages user and device identities and the actions they are entitled to take, is critical at this layer. To achieve non-repudiation, it is also important to keep an audit trail of the changes made by each user and device, making it impossible to refute actions taken in the system. This monitoring data could also be used to identify potentially compromised devices when abnormal behavior is detected.
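The combination of role-based access control and an audit trail described above can be sketched as follows. This is an added example, not code from Citrix Labs; the roles, actions and principal names are constructed. It assumes a hash-chained log, which makes later edits to a record detectable but does not by itself bind a record to its actor; full non-repudiation would additionally need each actor to sign its own requests.

```python
import hashlib
import json
from collections import Counter

# Constructed policy: role -> permitted actions (hypothetical names).
ROLE_ACTIONS = {
    "admin": {"onboard_device", "set_policy", "read_telemetry"},
    "operator": {"read_telemetry"},
    "device": {"publish_telemetry"},
}
GENESIS = "0" * 64


def chain_hash(prev, event):
    # Each record's hash covers the previous hash, linking the log together.
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()


class AuditedAuthorizer:
    def __init__(self, roles):
        self.roles = roles  # principal (user or device) -> role
        self.log = []       # hash-chained audit records

    def authorize(self, principal, action, target):
        """Decide by role, and record the decision whether allowed or not."""
        role = self.roles.get(principal)
        allowed = action in ROLE_ACTIONS.get(role, set())
        event = {"who": principal, "role": role, "action": action,
                 "target": target, "allowed": allowed}
        prev = self.log[-1]["hash"] if self.log else GENESIS
        self.log.append({"event": event, "prev": prev,
                         "hash": chain_hash(prev, event)})
        return allowed

    def first_broken_record(self):
        """Index of the first record failing the chain, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.log):
            if rec["prev"] != prev or chain_hash(prev, rec["event"]) != rec["hash"]:
                return i
            prev = rec["hash"]
        return None

    def denied_principals(self):
        """Denied requests per principal: a simple abnormal-behavior signal."""
        return dict(Counter(r["event"]["who"] for r in self.log
                            if not r["event"]["allowed"]))
```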
Big data analysis of aggregated data is often described as the most valuable aspect of the IoT for device makers and service providers alike. In contrast, protecting consumer privacy is also a top concern for government agencies, with the FTC and ENISA each having released their respective guidelines for the Internet of Things. This creates a number of privacy-related security requirements: clear data-use notification, so that customers have visibility into and fine-grained control of the data sent to the cloud service; customer data stored in the cloud service kept separate and/or encrypted with customer-provided keys; and anonymization of customer data when it is analyzed in aggregate.
Conclusion
There are many challenges to securing the IoT, many of them unique to each layer of the IoT framework. Robust security starts with building it into the device itself. Even the small, resource-constrained devices common in the IoT must implement cryptography to protect confidentiality, integrity and authenticity when communicating over the network. Finally, a balance must be found between consumer privacy and the insight and value that businesses derive from the mountains of data the IoT generates.
We've only scratched the surface of what is needed to secure the IoT. Stay tuned as we dive deeper into the specific security models and requirements for each layer of the IoT and speculate on how the Internet of Things will develop in the future.