How to secure your IoT device in the Cloud

Homepage How to secure your IoT device in the Cloud

There’s little doubt that security is a major concern of almost every IoT device owner, user, and manufacturer. With so many of today’s IoT devices connected to the cloud, security concerns have exploded, and device vendors have been forced to differentiate their products from the competition by pointing to their security bona fides.

But what are we talking about when we talk about IoT and cloud security? What steps are taken to make systems more secure? And what security best practices can be adapted to be sure that devices and systems are as secure as they need to be?

Witekio has been helping clients take secure IoT devices to market for many years and has deep expertise in advising clients on security issues and developing secure IoT and cloud systems. In this article, we seek to answer the questions above and explore IoT cloud security in all its different facets.

Defining IoT Cloud Security

From a high-level perspective, an IoT device connected to the cloud exposes the following attack surfaces:

The device itself
The connection between the device and the cloud, including the connectivity gateway
The cloud, including device management systems

While the threats to each of these areas are perhaps innumerable, they can most often be divided into three groups.

First are threats from the users of the IoT devices themselves. Whether simple tinkering around the edges of the possible by end-users with some technical know-how or so-called script kiddies running their own exploits without always understanding the potential results, these threats tend to impact either single devices on a network or localized elements of a platform.
Second are threats from hacker communities that are targeting the cloud connections and cloud infrastructure of the IoT devices. These communities tend to have limited budgets but draw on near unlimited time and broad expertise to cause sometimes significant problems for device owners and their cloud partners.
The third group, though, consists of genuine bad actors with malicious intent, up to and including state-level actors backed with powerful machines, unlimited budgets, and state-of-the-art expertise. For most device owners or vendors protecting against such state-level attackers is both unwarranted and inefficient.

Device vendors and owners need to prioritize their response to these different threats. The first and second groups, for example, need action in the here and now, while state-level actors with malicious intent need only be prioritized in specific use cases.

The goal should be to establish a realistic and pragmatic security defense for devices, connectivity gateways, and cloud platforms.

Witekio consultants and engineers regularly advise how and where to draw this line when working with clients and work through the cost-benefit analyses that drive such decisions as an integral part of their work with the customers who have come to trust them over two decades in business.

The Biggest IoT Cloud Security Challenges

Different IoT devices present different challenges in terms of the security of the device and the security of the data exchanged with or stored in the cloud. A connected medical device, for example, might expend considerable resources to protect the confidentiality of end-user data in line with regulatory standards and to ensure its availability. Another connected device – say, a consumer kitchen product – might have far fewer end-user data protection worries but need to invest in protecting the intellectual property and recipes that are delivered from the cloud to the user interface of their product.

While these different use case challenges lead to different cost-benefit analyses, there are some general challenges that almost all devices are subject to, and all of these should be considered when developing a plan and investing in the security of the IoT cloud-connected device.

Reputational Risk

While the risk of a data leak or hack has a quantifiable short-term cost, the longer-term impact of a hack can be devastating. With a vendor’s reputation resting in significant part on their capacity to deliver a safe, secure device to market, and with competition in the IoT market hotter than ever, even a single isolated breach can have a marked impact on a company’s capacity to do business in the future. Additionally, there is the risk that a compromised device might inadvertently become part of a botnet, with the flow-on reputational and even societal impacts this can have.

Protection of Intellectual Property

Rare is the IoT device or cloud platform that is truly unique. More commonly connected devices are built from widely available components and connected to public clouds from Amazon, Microsoft, and Google. What differentiates a device from its competitors, then, is the intellectual property that is represented in its code, software, associated applications, and in the original data pushed to and aggregated from the devices. A breach or hack that leads to a loss or diminishment of this intellectual property can have heavy impacts on a company’s bottom line.

Legal Compliance

Regulatory rules and data processing standards vary by geography and use case. No matter the specific legal constraints, however, IoT vendors must ensure that the legal compliance of their device, its software, its associated data transfer, storage, and analytics all remain compliant with local laws. For certain devices and use cases – defense, aerospace, healthcare, or consumer devices – can have associated legal security regulations that must be met to avoid fines or other penalties.

Client Data

Industrial IoT devices often deal with and communicate data that is generated by and owned by end-users. These end-users rely on this data for decision making and much of it is considered commercial-in-confidence, if not even more closely held. A leak or hack can open the device vendor and manufacturer up to significant financial damages, a potentially crippling situation that could have been more easily resolved with greater attention to device and gateway attack vectors.

How to Secure an IoT Cloud-Connected Device

These core reasons – and all the others that might emerge for specific IoT cloud security use cases – should convince device designers and vendors alike to invest in security, but what does this mean in practice?

At Witekio the first step towards determining the investment in security required for a device is a discussion with the client. Driven by a Project Manager and Security Architect, this discussion is focused on core questions, including:

What is the level of criticality of this device and project? Devices that are central to a platform or that are expected to be deployed in sensitive industrial or defense environments generally warrant greater investments in security than those with less critical, less sensitive use cases envisaged.
Is there something to secure? Fundamentally, what is necessary to secure with regards to the device: a physical hardware unit, a connectivity gateway to the cloud, the cloud service itself, an edge AI algorithm, or data stored locally? Mapping the elements to secure upfront can help determine the attack surfaces that will need to be secured later.
How much of the development budget will be devoted to device and cloud security? Security is a trade-off, and one of those trade-offs involves the budget. Financial resources devoted to the development of the on-device software and associated applications will include some budget for security but how much that budget is will determine in large part the level of security that can be delivered on the product.

There is no uniform answer to any of these questions: in each case, it depends on the expected use case for the IoT device, the constraints of the project and the client, and the skill and flexibility of the team charged with delivering the security for the device and in the cloud.

These questions, though, are all directed from the security team to the client; there is at least one question that the client should turn back towards the team, and it is one that Witekio engineers know they must be able to answer on every project.

Clients should be sure to ask their security development teams to prove that the security actions and code that they’ve implemented have a quantifiable impact on the overall security of the device. In other words, as well as advising clients on what is required and why the security engineers should be able to demonstrate clearly that the implementation of their recommendations has delivered a device that is more secure than the alternative where their advice was not followed.

With questions out of the way, Witekio Security Architects can design a security plan and engineers get to work implementing that plan. Witekio’s agile development approach and capacity to develop incrementally ensures rapid delivery and regular communication with the client. When the work is completed, the device is delivered to the client along with advice for their own development teams on the next steps, and the best way to take advantage of and correctly configure the public cloud security options on leading platforms including Azure, AWS, and GCP.

Finally, Witekio experts can connect clients with their expert partners specialized in penetration testing and security certification to instill full confidence in the security of their devices.

Witekio Security Offer →

Act Early for Best Results

No matter the device or industry, the earlier decisions about security are contemplated in the development cycle, the more likely that all angles will be covered in a cost-effective way. Problems that aren’t addressed until late in a development cycle are almost always more expensive to address than those encountered while there is still room for changing direction. Additionally, early in the development process, more people can be brought into the security conversation including UX designers.

Experience has shown that the earlier that UX and security teams can collaborate, the better the outcomes for end-users and device vendors, alike.

Importantly, early on is where hardware choices are made and these have a significant impact on security, too. Indeed, while recent hardware is often built with security in mind and is relatively easy to secure against threats, older or out-of-date hardware is a greater challenge for security teams even if it remains a cheaper buy upfront. Again, engaging with experts early can help decision-makers choose the optimal hardware for their IoT and cloud-connected devices and ensure the balance between hardware savings and security costs is best for the business.