How to Secure an IoT Cloud-Connected Device
These core reasons – and all the others that might emerge for specific IoT cloud security use cases – should convince device designers and vendors alike to invest in security, but what does this mean in practice?
At Witekio the first step towards determining the investment in security required for a device is a discussion with the client. Driven by a Project Manager and Security Architect, this discussion is focused on core questions, including:
- What is the level of criticality of this device and project? Devices that are central to a platform or that are expected to be deployed in sensitive industrial or defense environments generally warrant greater investments in security than those intended for less critical, less sensitive use cases.
- Is there something to secure? Fundamentally, what needs to be secured with regard to the device: a physical hardware unit, a connectivity gateway to the cloud, the cloud service itself, an edge AI algorithm, or data stored locally? Mapping the elements to secure upfront can help determine the attack surfaces that will need to be secured later.
- How much of the development budget will be devoted to device and cloud security? Security is a trade-off, and one of those trade-offs involves the budget. Financial resources devoted to the development of the on-device software and associated applications will include some budget for security, but the size of that budget will determine in large part the level of security that can be delivered on the product.
There is no uniform answer to any of these questions: in each case, it depends on the expected use case for the IoT device, the constraints of the project and the client, and the skill and flexibility of the team charged with delivering the security for the device and in the cloud.
These questions, though, are all directed from the security team to the client; there is at least one question that the client should turn back towards the team, and it is one that Witekio engineers know they must be able to answer on every project.
Clients should be sure to ask their security development teams to prove that the security actions and code that they’ve implemented have a quantifiable impact on the overall security of the device. In other words, as well as advising clients on what is required and why, the security engineers should be able to demonstrate clearly that implementing their recommendations has delivered a device that is more secure than it would have been had their advice not been followed.
With the questions out of the way, Witekio Security Architects can design a security plan and engineers get to work implementing that plan. Witekio’s agile development approach and capacity to develop incrementally ensure rapid delivery and regular communication with the client. When the work is completed, the device is delivered to the client along with advice for their own development teams on the next steps, and the best way to take advantage of and correctly configure the public cloud security options on leading platforms including Azure, AWS, and GCP.