IoT security and privacy is a focus area for Cylidify. We have posted on IoT history, definition and big challenges in our IoT blog series, but there are many other articles and a lengthy history on Wikipedia for background and details. This post is the next in our IoT series, but less to explore another facet (stay tuned) and more to highlight what we view as an IoT milestone.
For those of you working in or around IoT (or the related embedded systems and mobile devices), you now have more identity, security, and privacy options! Microsoft’s Azure Sphere is generally available, providing a security-first reference design (hardware), operating system (OS), and provisioning and management services. Couple that with Azure IoT Hub (device identity and secure, bi-directional communications), other Azure IoT capabilities, and the promotion of IoT devices as first-class Azure “constituents”, and we have what seems to be a compelling full-stack offering from Microsoft.
And Microsoft isn’t just dipping a toe in the IoT pond; they are making a big splash with a multi-year $5 billion investment (started in 2018). So, you will have fewer worries about lingering gaps and issues, or surprise end-of-support announcements. We’re not saying Microsoft has provided the perfect solution for IoT or that it’s right for every IoT business; there are simply too many levers and dials on the technology and business aspects to make such bold claims. Our point is that this is a milestone for IoT where a major technology company has made a significant investment to provide an end-to-end, full-stack offering. And it covers most of the IoT challenges that Cylidify has been posting about. (Note: we do not have direct experience with all of the Microsoft offering, nor with its performance or cost.)
We’re also not saying that à la carte IoT solutions can’t work (Microsoft will encourage and enable you to use their IoT platform in this fashion). Rather, it’s good to have end-to-end options, or at least a roadmap to follow. In the spirit of bold claims, we can make a few:
An à la carte solution has some specific challenges especially when it comes to security and privacy (true of IoT and its cloud services). All of the technology “seams” or boundaries present opportunities to attackers. They will probe the accessible interfaces and boundaries looking for weaknesses. Performance, cost, and “vendor lock” aside, end-to-end offerings have big security and privacy advantages.
IoT is behind the curve on identity, security, and privacy, both in general and relative to other components in a solution and the ecosystem (PCs, servers, mobile devices, and cloud services). We are not placing blame; as in many other industries, security and privacy in IoT have taken a back seat to capabilities and profit. Plus, IoT is relatively new, has been through a couple of re-definitions, and is very agile as an industry. IoT just has some different challenges compared to other solution components, such as playing a less visible, supporting role, being more difficult to keep updated, and having a very long service life.
If IoT doesn’t catch up to the curve, it will be exploited via direct attacks or as a component in a chained attack against systems and solutions. There will be direct attacks, but the larger worry is indirect, chained attacks, which are challenges for IoT on the detection and response fronts. IoT components don’t always have parity with other solution components in terms of monitoring and alerting capabilities or coverage. As other components are hardened, IoT will become even more attractive as an attack surface and be exploited as a “weak link”.
An IoT business must strive to reduce attack surfaces by using security-first hardware and software platforms in new development and as part of migration or transformation efforts. No matter your business path, having the below as requirements will make your solution more “robust” and have measurable security and privacy advantages:
Individual device identity with proven provisioning, revocation, authentication, and authorization mechanisms. This includes the ability of the device to securely manage the associated keys, credentials, and sessions.
Attention to firmware, hardware, and overall "physical" security. Any devices which are out “in the field” where they are readily accessible (authorized or unauthorized) are at much greater risk.