IoT Security – Part 3 of 3: IoT Cloud and Application Security
In part 1 and 2 of this blog series, we introduced you to the building blocks of an IoT infrastructure and explained how holistic security principles can be applied to the connected IoT devices and gateways.
In this article, we explore how the IoT cloud, applications and PAN/WAN communication can be secured.
IoT Cloud Security
Cloud computing offers several advantages to businesses, including greater technological flexibility, reduced operational costs and easy scalability. When cloud computing is implemented in an IoT network, the cloud platform and connected applications become highly vulnerable to cyber threats. Here are some ways in which the cloud infrastructure can be secured using holistic security principles:
Encryption of data at rest
Businesses embracing IoT for the first time lay a lot of focus on the security of the cloud infrastructure. So, it is crucial to deploy encryption technologies to secure the cloud. Encryption is a process in which legible data (plaintext) is converted into an output (ciphertext) that does not reveal any information about the input plaintext. An encryption algorithm is employed for this conversion. Encryption ensures that even if an attacker obtains access to storage devices with sensitive data, they would not be able to decipher it.
Encryption of data at rest implies that an encryption algorithm is used to safeguard data that is stored on any kind of disk, including backup devices and solid-state drives. Several layers of encryption can be used to protect data at rest. An example of this is the encryption of sensitive information prior to storage along with the encryption of the storage drive itself.Encryption of data in transit
Data in transit is considered to be at higher risk for security breaches. So, whether the data is being communicated over the internet or between data centers, it is crucial to ensure that an end-to-end security strategy is in place. In order to protect data in transit, encryption is enabled prior to moving the data. Encrypted connections such as HTTPS, FTPS, SSL, TLS, etc. can also be used.Device identity
Each device in an IoT implementation should have a unique device identity. When a device comes online, this identity is used to authenticate it and authorize secure communication with other components of the IoT ecosystem.Device authentication using OAuth 2.0
OAuth 2.0 is a powerful open standard that can be used by API developers to protect an IoT ecosystem. It is a token-based authentication and authorization solution that also offers a framework for the decisions associated with authentication.User role and policy
As part of access management, a privileged user management system can be deployed to ensure that stringent authentication processes are followed for user access to IoT data. It is also possible to create policies that can be attached to identities/resources to define their permissions. The administrator defines the policies and specifies the access level of resources.Certificate based authentication
A certificate is essentially a signed digital document that includes attributes identifying its issuer and owner (also referred to as subject). It contains two important fields – a public key that belongs to the owner/subject and a digital signature from the issuer. The issuer is usually a Certificate Authority (CA) and X.509 is a popular digital certificate standard.
The public key can establish a secure communication channel with the subject. The signature is proof that the subject’s identity is verified by the issuer. The subject also possesses a private key that matches the public key, but this is not a part of the certificate. The private key is used for proving the identity of the subject once a communication session is established.
Certificate based authentication is more powerful than password-based authentication.
There are several other cloud security mechanisms that can be adopted as well, i.e., MQTT token-based authentication, maintaining access control lists and IP Whitelisting/blacklisting.
IoT Application Security
Security at the IoT application side can be ensured by adopting the following technologies:
- Capability based access control model, i.e., single token for the access of a group of applications
- Standards like Transport Layer Security (TLS) and Public Key Infrastructure (PKI)
- Organization Based Access Control (OrBAC)
APIs are a set of tools, routines and protocols for building software applications. They also help in securely exposing connected IoT applications to consumers/apps in the IoT infrastructure. It is crucial that the API management process is scalable, flexible and secure. In this context, REST APIs are beneficial as they allow data to be transmitted over internet protocols. They also delegate and oversee authorization procedures.
A unified architectural style (REST) enables a single app to utilize software that is written with several different programming languages. This standardization of the information flow allows interoperable M2M (machine-to-machine) connectivity. REST has now transformed into a de facto protocol for the internet, as it is understood by almost all end point systems out there.
A RESTful architecture for IoT enables data security authentication and SSL/TLS encryption to safeguard sensitive information.Authentication
Authentication literally means employing digital certificates or tokens to prove the identity of the IoT application connecting to the network. Some of the methods that can be used for the authentication are:
PAN and WAN Communication Security
- Spread spectrum signaling – When devices operate in a wide spectrum of frequencies, the signal is more robust as it is spread out. It is also less sensitive to selective frequency fading and interference. Frequency hopping is a type of spread spectrum technique.
- Encrypted transport protocol with TLS – SSL and TLS encryption layers are often used to ensure security of objects in the IoT ecosystem. TLS usually takes the role of a transport layer that reinforces the SSL (which is the secure layer). TLS supports a wide range of symmetrical encryption systems.
- Secure 4G LTE connection with 128-bit encryption keys – 4G LTE is a widely adopted cellular protocol for machine-to-machine (M2M) communication. Through this, it is possible to deliver cellular connection at low power and low throughput for high-speed data. 4G LTE connection can be effectively secured using algorithms that employ 128-bit encryption keys.
- SIM based authentication – Embedded SIM in IoT applications can be used as ‘Root of Trust’ to secure these applications. IoT applications can utilise the SIM capabilities to improve the security of internet protocols such as TLS, DTLS and 3GPP GBA.
Some of the challenges faced in IoT PAN communication are the lack of coverage over a large service area and the inability to handle interference in operating frequencies.
Frequency hopping – This feature enables devices to transmit and receive data over several channels. The device simply changes the receiver channel over different periods of time, based on a random sequence of channels. This helps in combating interference on its operating channels and allows increased coverage.
Apart from the above points, device-based authentication can also be employed to secure WAN communication.
While the issue of IoT cyber security is a growing concern at a global scale, engineers ought to adopt a holistic IoT security approach to safeguard their IoT project implementations. As discussed in this blog series, the security of the infrastructure should be a priority right from the IoT component design and development phases itself.