By Ellis Lindsay, Senior Principal, IoT Strategy, Nokia.
The internet of things (IoT) is complex with many participants and stakeholders. Conversations about the IoT are increasingly about security, but rarely are they about a bigger and much more important topic: trust.
Why is trust so big and important? Because it is the foundation of success for all systems. Organizations, products, societies, governments and kingdoms have risen and fallen because of trust. For the IoT to become truly secure and effective, all of the different entities involved, including end users, must trust the IoT as a whole.
Key challenges to trust
There are three significant challenges to trust in an IoT environment:
1. Devices tend to become more vulnerable to security threats over time
IoT devices are typically designed with specific purposes in mind and are in service for several years. Security threats evolve and become more sophisticated over time, and do not have any sort of permanence in the physical world. Device software is not always updated once threats and defects are identified, which leaves the devices vulnerable to attack. At the same time, decommissioning and replacing IoT devices is out of the question, as they are usually deployed in environments like factories or on another larger device, where long life is paramount.
2. Signaling storms are becoming increasingly frequent
A signaling storm is when the application server or device is overwhelmed with requests. This disrupts smooth service and prevents the device or application from communicating effectively with the server.
3. Antivirus software is generally not viable
IoT devices are generally low-powered and cannot accommodate antivirus software that would provide an extra layer of protection.
For the IoT to flourish, it needs to evolve into the “internet of trusted things” and, eventually, into the “internet of trust.” To build this ecosystem of trust, our focus should widen to include the broader relationships between devices, services and the identities that interact with them.
The trust ecosystem in individual interactions
For an end user to assume a high degree of trust, there are many layers at work. Take online banking for example: a secure HTTP connection, identity verification and login requirements, network monitoring and other back-end activities all help ensure secure communication.
IoT players can learn from this to build end-user trust in the IoT:
1. Employing networking and endpoint security
Encryption using public key infrastructure or certificates can help make connections more secure. Evolving to chip-level, rather than software-level, cryptography can also help ensure that a device is less susceptible to being compromised. Deploying solutions over a managed or private network is also an option for end-to-end solution deployment.
2. Leveraging behavioral analytics and machine learning
Knowing what the network traffic is and what it should look like is vital. For example, there are products that can identify malware behaviors when the malware is trying to attack equipment or other users in the network. Once these behaviors are identified, malicious communication between the affected device and the service can be isolated. Using machine learning to recognize the communication patterns of viruses and threats, it is possible to perform behavioral analytics for threat and anomaly detection. Identifying anomalies can help flag connections, isolate devices, identify sources of threats and ultimately help increase the level of trust at the network communication level before a threat escalates to the application level.
3. Improving device and identity management
Most IoT devices are unmanaged today, leaving them vulnerable. An unmanaged device is essentially an unknown device and thus inherently not trustworthy. Determining the unique identity of a device before it is deployed enables management and tracking of changes. Coupling device management with the identities of software services and authorized end users creates a trusted relationship between device and service. Only when the identity of a device is known can it be looked at specifically to identify issues related to performance and behavior.
Establishing trusted relationships between device and application through a device management function helps enhance the value of the application. In many cases, devices are simply collecting data. Robust device management helps enable the decoupling of devices from applications so that best practices can be maintained at scale, without impacting the application itself.
4. Leveraging intelligent end points
As processor costs decrease and their capabilities increase, there is an opportunity to embed more intelligence such as security analytics into the end points. Developers could include security as part of the requirements from the beginning and install more capable software on devices.
Building an internet of trust can’t happen at the press of a button. No one organization can make it happen either – we have to work together. However, as we build the internet of trust, the organization that can deploy security capabilities at multiple levels to ensure trust among devices, applications and identities will likely have a higher level of success.
More than that, in the near future, trust could become the competitive differentiator for companies in the IoT world.
Legal disclaimer: The views expressed are those of the author only and do not represent the views of any of the member firms of Ernst & Young Global Limited.