As my colleague Kevin Sullivan wrote in part 1 of this two-part series, the Internet of Things (IoT) holds great promise for organizations and consumers. But like many new technologies, it brings with it a number of security and privacy challenges. The industry can work to help address many of these challenges by building on some of the lessons learned from decades of experience connecting traditional computing devices to the Internet, as well as understanding the unique challenges that the IoT presents.
Among those unique challenges is the diversity of devices that make up the IoT, which range from very simple devices that only transmit data to complex devices with processors and sophisticated software. Before millions or billions of these devices are deployed across the world, some security and privacy fundamentals need to be carefully considered, including:
- Insecure design: Some of the early IoT devices I have seen in the market today have not been designed with security in mind. Some of these devices lack basic security capabilities, while others have security capabilities, but they are inappropriate for all the scenarios that the device can be used in. It’s also easy to imagine that some IoT devices have been released with insecure default settings.
- Disclosure of personal information: When devices, sensors, appliances and the like are connected to the Internet (or are physically accessible), everyday activities, preferences and sensitive information could be monitored and disclosed without proper authorization. Additional concerns arise from the possibility that data gathered from IoT devices could be correlated with other data sources and used for purposes, such as the creation of self-learning autonomous systems, for which the data owner never gave consent.
- Limited ability to receive updates and change configurations: Keeping systems up to date with security updates is one of the most effective security practices today. As vulnerabilities are discovered and attackers attempt to exploit them, it’s critically important that vendors have a well-thought-through response plan and the capability to update and reconfigure systems to mitigate these attacks. Not all IoT devices are going to be the same. Different devices will have different hardware and software, and consequently different capabilities. Some devices might have limited update capabilities or might not even have an operating system. What’s the plan to update a sensor that doesn’t have a full operating system installed on it? This type of requirement needs careful consideration.
- Insecure data: How IoT devices store and transmit data is another important consideration. Securing data communications, including authentication, and encrypting data at rest have become common expectations for systems today, as has the ability to manage the settings for such security features. Many IoT devices might be connected to networks that are themselves insecure, so how well a device protects data in an untrusted or hostile environment is a consideration in its own right.
What should industry do to help address security and privacy related to IoT? Building software with security in mind during every phase of development has proven to be very effective – something that can inform the development process for IoT devices as well. Given the diversity of devices described above, broadly applicable design considerations should include:
- Secure by design, secure in development and secure in deployment (SD3): This is the same mantra we started in Trustworthy Computing at Microsoft many years ago. IoT devices and services should be designed and developed in a manner that improves security and privacy throughout the lifecycle of the device by applying secure software development processes such as Microsoft’s Security Development Lifecycle.
- Secure communications: Presumably, in the future many IoT devices will operate on the public Internet or on other networks where they may face a variety of threats to data confidentiality and integrity. IoT devices and services should utilize strong, authenticated encryption to protect data, and networks should use current communication protocols and an up-to-date security architecture. On IoT devices that host third-party applications, the security of those applications’ communications needs to be addressed as well. Some more primitive IoT devices will lack the ability to perform encryption themselves. In such cases, one possible solution would be to design the device so that its data is encrypted by an intermediary gateway device on the local network before the data is sent over the Internet. Note that this protects only the Internet leg: the hop from the device to the gateway still carries data in the clear, so that local link must be physically protected or otherwise trusted, and the gateway itself becomes a high-value target that needs the same care as any other Internet-facing system.
- Manageability and security updates: Many IoT devices will likely be built for single-purpose applications and will have limited input/output capabilities for managing the device. IoT devices need to be designed to receive important functionality and security updates, preferably with the option of automatic updates requiring little or no administrator interaction. Updates should be authenticated (for example, signed by the vendor) and should not allow a device to be rolled back to an older, vulnerable version. Devices should be designed so that the vendor can respond to security issues affecting the device, its services, or its applications, and update planning should account for security or privacy issues in other services and devices the product depends on. As one possible solution, IoT devices that lack the hardware or interfaces needed for direct management and updates should be designed so that an intermediary gateway device on the local network can manage and update them on their behalf.
- Privacy and data use: Because of the potential volume of personal or proprietary data that can be produced and stored by the IoT, both consumers and businesses will insist that the privacy of their information be protected. IoT products should take privacy-impacting collection and use of data into consideration from the earliest stages of design through development and deployment. IoT devices and services that seek to collect data pertaining to people should undergo appropriate scrutiny and evaluation for privacy concerns. Companies should also consider how they manage the commercial sharing of data as the IoT becomes a platform for trading information.
- Appropriate level of cloud service capacity: Cloud services will need to be designed for a significantly higher number of simultaneous connections and greater volumes of data traffic given the expected proliferation of IoT devices. If cloud services cannot absorb the data flows generated by the IoT, they could be overwhelmed, leaving the devices and users that depend on them without service.
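The gateway arrangement described under "Secure communications" above, as an added example that is not part of the original post and not Microsoft's own code: a gateway on the local network seals each plaintext frame from a sensor that cannot encrypt on its own with AES-GCM before it leaves the network, binding the device ID and a sequence number so the cloud side can detect tampering, re-attribution to another device, and replay. The key, device ID, frame contents and wire format are assumptions for illustration; key provisioning and the device-to-gateway link are out of scope and assumed trusted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire format for one frame (assumed for this example):
//   seq (8 bytes, big-endian) || AES-GCM ciphertext || 16-byte tag
// The 96-bit GCM nonce is derived from seq (4 zero bytes || seq), so every
// sequence number gives a unique nonce under a given key. The gateway must
// persist nextSeq across restarts and rotate the key before seq could wrap.
const seqLen = 8

func nonceFor(seq uint64, size int) []byte {
	nonce := make([]byte, size)
	binary.BigEndian.PutUint64(nonce[size-seqLen:], seq)
	return nonce
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Gateway encrypts frames on behalf of a local sensor that cannot do so itself.
// The sensor-to-gateway hop is assumed to be a trusted local link.
type Gateway struct {
	aead     cipher.AEAD
	deviceID string
	nextSeq  uint64
}

func NewGateway(key []byte, deviceID string) (*Gateway, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead, deviceID: deviceID}, nil
}

// Wrap seals one plaintext frame. The device ID is bound as associated data,
// so a valid frame cannot be re-attributed to a different device.
func (g *Gateway) Wrap(frame []byte) []byte {
	seq := g.nextSeq
	g.nextSeq++
	out := make([]byte, seqLen, seqLen+len(frame)+g.aead.Overhead())
	binary.BigEndian.PutUint64(out, seq)
	return g.aead.Seal(out, nonceFor(seq, g.aead.NonceSize()), frame, []byte(g.deviceID))
}

// Receiver is the cloud side for one device: it authenticates and decrypts each
// frame and rejects replayed or reordered ones using the sequence number.
type Receiver struct {
	aead     cipher.AEAD
	deviceID string
	lastSeq  uint64
	seenAny  bool
}

func NewReceiver(key []byte, deviceID string) (*Receiver, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Receiver{aead: aead, deviceID: deviceID}, nil
}

func (r *Receiver) Unwrap(msg []byte) ([]byte, error) {
	if len(msg) < seqLen+r.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	seq := binary.BigEndian.Uint64(msg[:seqLen])
	if r.seenAny && seq <= r.lastSeq {
		return nil, errors.New("replayed or out-of-order frame")
	}
	// Open fails on any change to seq, ciphertext, tag or the bound device ID.
	pt, err := r.aead.Open(nil, nonceFor(seq, r.aead.NonceSize()), msg[seqLen:], []byte(r.deviceID))
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	r.lastSeq, r.seenAny = seq, true // advance the replay window only after a successful Open
	return pt, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; provision a real per-device key
	gw, _ := NewGateway(key, "sensor-7")
	rx, _ := NewReceiver(key, "sensor-7")
	msg := gw.Wrap([]byte("temp=21.5C"))
	pt, err := rx.Unwrap(msg)
	fmt.Printf("%q %v\n", pt, err)
	_, err = rx.Unwrap(msg) // the same frame presented again is rejected as a replay
	fmt.Println(err)
}
```

The replay check uses a strictly increasing counter, which also rejects legitimately reordered frames; a lossy transport would need a sliding window instead. Because the nonce is a counter, the key is only as safe as the gateway's ability to never reuse a sequence number, which is why the counter must survive restarts.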
What should consumers do to protect their security and privacy related to IoT?
- Evaluate security and privacy at purchase: Understand what security and privacy controls the device and services provide.
- With updatable devices, keep software/firmware for your devices up-to-date: If the device offers automatic updates, consumers should enable them. Otherwise, consumers should check the manufacturer’s website regularly for new security updates.
- Stay informed: Follow security and privacy news about the IoT devices and services you use, and learn what data they collect and how it is protected.
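The authenticated, rollback-resistant update that the "Manageability and security updates" consideration above calls for, and that the consumer advice to keep firmware up to date depends on, as an added example that is not from the original post or from Microsoft's own tooling: the vendor signs a small manifest (device model, version, SHA-256 of the image) with Ed25519, and the device, or a gateway acting for a device that cannot run the check itself, refuses images whose manifest is unsigned, re-targeted to another model, tampered with, or older than what is installed. The manifest layout, model names and key handling are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the vendor-signed metadata that accompanies a firmware image.
// Signing the model, version and image hash (rather than the raw image) keeps
// the signed object small enough for a gateway to verify on a device's behalf.
type Manifest struct {
	Model       string
	Version     uint32
	ImageSHA256 [32]byte
}

// signingBytes is an unambiguous encoding (assumed layout):
//   len(model) (2 bytes) || model || version (4 bytes) || image hash (32 bytes)
func (m Manifest) signingBytes() []byte {
	b := make([]byte, 0, 2+len(m.Model)+4+32)
	var tmp [4]byte
	binary.BigEndian.PutUint16(tmp[:2], uint16(len(m.Model)))
	b = append(b, tmp[:2]...)
	b = append(b, m.Model...)
	binary.BigEndian.PutUint32(tmp[:], m.Version)
	b = append(b, tmp[:]...)
	return append(b, m.ImageSHA256[:]...)
}

// NewManifest builds the manifest for an image (vendor side).
func NewManifest(model string, version uint32, image []byte) Manifest {
	return Manifest{Model: model, Version: version, ImageSHA256: sha256.Sum256(image)}
}

// SignManifest is run by the vendor with its (ideally offline) signing key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.signingBytes())
}

// VerifyUpdate is the check the device or its gateway runs before installing.
// The signature is checked first so that no manifest field is trusted before it
// has been authenticated; the version check refuses downgrades to older releases.
func VerifyUpdate(vendorPub ed25519.PublicKey, model string, installedVersion uint32,
	m Manifest, sig, image []byte) error {
	if !ed25519.Verify(vendorPub, m.signingBytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if m.Model != model {
		return errors.New("manifest is for a different device model")
	}
	if m.Version <= installedVersion {
		return errors.New("rollback refused: version is not newer than installed")
	}
	if sha256.Sum256(image) != m.ImageSHA256 {
		return errors.New("image hash does not match signed manifest")
	}
	return nil
}

func main() {
	// Constructed demo: a throwaway vendor key pair and a fake image.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("firmware image bytes v2")
	m := NewManifest("sensor-7", 2, image)
	sig := SignManifest(priv, m)
	fmt.Println("valid update:", VerifyUpdate(pub, "sensor-7", 1, m, sig, image))
	fmt.Println("rollback:", VerifyUpdate(pub, "sensor-7", 2, m, sig, image))
	fmt.Println("tampered image:", VerifyUpdate(pub, "sensor-7", 1, m, sig, append(image, '!')))
}
```

In a real deployment the vendor public key would be pinned in the device or gateway at manufacture, the installed version would be read from protected storage so an attacker cannot lower it, and the image would be hashed after it has been fully written to staging storage rather than from a buffer that could change afterwards.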
You can learn more about Microsoft’s Internet of Things strategy here.