Data-centric security for the Internet of Things
By Shane Bellos, Enterprise Security Products, Software, Hewlett Packard Enterprise, South Pacific
The Internet of Things (IoT) and its dependence on the cloud has created new, critical security challenges in the escalating fight against cyber-crime, in two key areas:
- Securing data from theft as it is generated, collected and analysed
- Protecting IoT devices from potential use for physical attack
Big data and IoT – an ecosystem with expanded security risks
As most big data projects include real-time analytics for operational insights, and centralised data acquisition or staging for other systems, these projects can include massive quantities of sensitive payment card, personally identifiable and protected health information (PCI, PII and PHI).
These projects alone hold major risk and now, with the advent of IoT, sensor data from devices adds to the sensitivity, risk factors and urgency.
The risk of data breach is high, with HPE Security research indicating that 70 per cent of IoT devices are vulnerable to attack, with an average of 25 vulnerabilities per IoT product analysed.
The research covered a range of popular IoT devices from manufacturers including of televisions, webcams, remote power outlets, hubs for controlling multiple devices, door locks and alarms. All devices analysed had mobile applications which could be used to access or control the devices remotely, and a majority of devices included some form of cloud service.
The first step attackers take is to build a map laying out the network of the target location to identify which systems are located where. Their goal is to set up mechanisms to acquire data over as long a run as possible and monetise it.
When a business builds a big data environment, the target has already done a lot of work for the attacker. With big data, the enterprise has created a single collection location for the data assets the attackers are seeking.
While perimeter security is important, it is also increasingly insufficient. It takes, on average, over 200 days before a data breach is detected and fixed, leaving the most sensitive data assets exposed while attackers funnel data out of their target, with the scale of the breach growing every day.
With IoT connected devices, physical risk is added to the data breach risk. For example, there are Internet-connected devices that allow consumers to open and close the door to their homes from their cell phones. What prevents the attacker from doing the same thing to a business? Imagine an HVAC system, gas appliance or medical device.
If an attacker can control these systems, it becomes an attack on the individual, where the attacker can sit anywhere in the world. This is why everyone needs to be concerned about security in the IoT age.
With IoT devices there are multiple attack vectors such as impersonation of the device user, or of the service provider. These vectors can be protected against through the use of SSL technology, 2-factor authentication, and certificate pinning, so that SSL certificates only enable the device to connect to a server when the certificate matches certain criteria and can be trusted.
IoT devices can be designed not to accept inbound connections directly, but rather to accept a request to "call me now" for connection to the genuine service provider. Device software security can be enabled through best practices in the application development process.
Data-centric protection from the device to the big data platform
To protect sensitive data assets whether in a business or at home, a new approach is needed — one that actually protects the data itself. Consider the most advanced payment security technologies to protect credit card data.
Strong encryption is implemented inside the card reader to protect data as it enters this hardened device and before it ever gets to the Point-of-Sale (POS) terminal. Data passed from the card reader to the POS terminal is thus not usable by attackers.
A similar approach is needed in IoT. Since each device is different in terms of the data it collects and sends to the backend server, it is important to understand what data is sensitive. With that understanding, it is a best practice to use data-centric, field-level encryption to protect individual data fields.
This should be done through a special form of encryption referred to as Format-Preserving Encryption (FPE), implemented throughout the ecosystem — in the devices, the communications channels and the Big Data platform.
FPE is proven and in the process of being recognised by key standards bodies such as NIST (publication SP800-38G). It is a form of AES encryption that has been in use for some time — but unlike AES, which encrypts data into a large block of random numbers and letters, FPE encrypts the original value into something that looks like the original, so that, for example, a credit card number still looks like a credit card number.
Sub-fields can be preserved so that the inherent value of this information can be maintained for analytical purposes. Analytics can almost always be done with the protected data, securing sensitive data from both insider risk and external attack.
Encrypting the Internet of Things
The Internet of Things, with double-digit growth and billions of devices, creates great new opportunities but also new levels of risk for companies and consumers alike. Traditional security measures alone are not enough.
Enterprises implementing IoT strategies need to apply a data-centric security solution end-to-end from the big data platform to the IoT infrastructure. Using FPE to encrypt data values on a field level, from the device to the infrastructure and remote control element, removes risk and enables protection against remote takeover of an IoT device — the biggest threat to IoT security. By Shane Bellos, Enterprise Security Products, Software, Hewlett Packard Enterprise, South Pacific