Four security tips for IoT application developers

December 23, 2015

Posted by: George Malim

Calum Barnes, Xively

As we count down to 2016, we can safely say we are living in an IoT age, writes Calum Barnes the product owner of Xively by LogMeIn. A few years ago, the idea of the Internet of Things sounded like science fiction, but it is quickly becoming reality. Due to the rapid growth of this market, entrepreneurs and big businesses alike are bringing amazing IoT innovations to market on what feels like a daily basis.

Unfortunately, the rush to be first to market could have disastrous consequences. Often in this rush to be first, critical components, like security, hit the cutting room floor. This is becoming such an issue that across the pond, the US Department of Homeland Security’s Silicon Valley Office (SVO) will be looking exclusively at how to deliver IoT security.

There is still no clear path or set of best practices for developing secure IoT solutions, but there are a few steps you can take to ensure your IoT project is on the right path.

Rule 1: Safety first

It is not enough to have great security: IoT devices and systems must be designed with compromise in mind. Ensure that critical functions cannot be affected or compromised by any smart features you are adding in. This holds especially true for devices with critical applications, including automobiles and medical devices.

Rule 2: Long live strong authentication

As much as we may hate the hassle of changing passwords, setting a user password once is not enough to secure a device. Device-level security is required to ensure your product is truly secure. The IoT is bringing about new ways to secure physical devices that were originally only used for military or government assets. Hardware security chips (such as a TPM) allow devices to securely authenticate themselves using Public Key Infrastructure (PKI), the same technology used to secure online banking and other websites. This ensures your users' data is safe and secure, and can help companies prevent clones or fraudulent devices.

Rule 3: Think you’re too small or boring for hackers? Think again…

Products must be designed with the assumption that they will be purchased, dissected and studied. One of the most common mistakes at the development phase is the assumption that hackers will not be interested enough in the product to find and exploit security flaws. Security shortcuts such as improperly embedded private keys or weak authentication might save time and speed up deployment, but being first to market won’t mean a heck of a lot if your company is splashed all over the newspapers for a security breach.

Rule 4: Don’t let sexy innovation make you blind to security pitfalls

Before embarking on any project, designers should weigh the pros and cons of creating a connected product or feature. What security holes does it open up? A good way to do this is to apply the STRIDE threat-modelling framework, originally developed by Microsoft. It provides a way to rigorously assess the security implications of specific smart features. While it may decrease the speed of development at the start, it will save a lot of heartache and brand tarnishing if something goes wrong.

As IoT continues its momentum, many companies will learn the hard lesson that designing, building and deploying a connected device is not as easy as it looks. There is a lot on the line – not least of which is the reputation of the brand. As you rush to bring your next great IoT innovation to market, make sure you wrap a robust security policy around every decision. If security is not one of your core competencies (as it isn’t for most of us), finding the right IoT partner can help you avoid serious pitfalls which could cause huge damage to your business reputation – before you’ve even begun.