
Security Must Be Built into the Design of IoT Devices

Executives from the Internet of Things (IoT) and security industries gathered in Chicago last week for the Smart Card Alliance’s 2016 Security of Things conference, where they provided insights and perspectives on security, privacy and authentication in the rapidly growing IoT ecosystem.
The two-day event featured 40+ speakers, with keynotes, panels and track sessions on the most important aspects of security related to a cross-section of different IoT markets. Experts leading the first-day keynotes kicked off the event with a big-picture look at IoT security, while speakers separated into technology and applications track sessions gave attendees a deep dive into where IoT security is today, its challenges and the necessary next steps to move towards a more secure IoT environment.  
Security by Design
Throughout the event, speakers agreed that to effectively provide security that is on par with the large and complex scale of the IoT, security needs to be built into the design of IoT devices.
Speakers also focused on the importance of securing valuable data generated by connected devices. Craig Spiezle, executive director of the Online Trust Alliance (OTA), said that while it may seem benign now, as data continues to grow exponentially, it could potentially be harmful in the future if steps aren’t taken to improve security and privacy of the entire IoT ecosystem.
Rethinking Security Practices for IoT
Christopher Williams, information transaction assurance for Exponent, made a clear distinction between IoT security and IT security, emphasizing they should not be treated the same. He said that while lack of IT security can cause inconvenience, such as stolen bank credentials, the lack of security in the IoT can present a physical threat to consumers and the industry, for example a hacked connected car.
During one panel, there was a robust discussion about how the practice of building a perimeter, a common and effective practice for IT security, isn’t a successful tactic for protecting data or devices in the IoT.
One solution discussed at the conference was to ensure data is secured both on and off the device. To do this, one speaker said the industry needs to consider securing the ecosystem as a whole, not each individual endpoint.
Not Starting from Scratch
Throughout the event, speakers pointed to several existing technologies that can help secure IoT devices and how they talk to the network – smart card technology, biometrics, the secure element, the trusted execution environment, and others – but there is no one-size-fits-all solution. Instead, one speaker suggested a layered, decentralized, updatable security approach that is still unobtrusive to the consumer will be the most successful.
Another speaker recommended smart card technology as part of the IoT security design because it can be used in almost every link of the chain of trust to make data more secure.
Speakers also suggested that repurposing best practices and considering lessons learned from other industries, such as the payments industry, could help to get the IoT industry on the right track towards stronger security.
Getting Involved and Next Steps
Randy Vanderhoof, executive director of the Smart Card Alliance, acknowledged that while IoT security needs to be looked at holistically, focusing on securing the endpoints of the network first provides the building blocks to secure the IoT.
“It’s going to involve coming together as an industry, including different perspectives from stakeholders across every vertical industry touched by the IoT to make the secure connected world a reality,” Vanderhoof said.
The Smart Card Alliance launched its Internet of Things Security Council last April to serve as a forum for stakeholders to promote security awareness, encourage the widespread adoption of security standards, and define best practices that will help protect and maintain privacy of IoT devices and the data they generate.
“We welcome and encourage broad participation from IoT technology firms and device manufacturers to join the IoT Security Council to share their voice and take an active role in bringing security to IoT,” Vanderhoof added.