To the casual observer, IoT (Internet of Things) security today seems fractured by any measure. Developers can find bits and pieces of security solutions scattered all around. Often, those solutions turn out to be mere mechanisms—pieces of a puzzle that must be hammered together rather than sliding smoothly into place to create a complete security picture. Although that’s an improvement on the recent past, it’s not the kind of security environment necessary to deliver the end-to-end security solutions needed in large-scale IoT applications. The question remains: Will the availability of more of those mechanisms create a sort of emergent security solution, or will security solutions eventually come as prepackaged parts of cloud-based IoT platforms?
IoT security is difficult because IoT applications link together so many different types of systems—from deeply embedded real-time systems at the periphery to cloud-based enterprise-level systems at the top of the IoT hierarchy. Within this layered architecture, data needs to flow efficiently among those systems and combine dynamically with any number of other data streams, enterprise resources, and third-party packages required to meet the overall objectives of an IoT application. Adding to this complexity is the idea that this assembly of hardware and software will by no means remain static, especially as enterprises shift the focus of individual IoT applications in response to greater insight, innovative technologies, market opportunities, and competitive pressure.
From this perspective, IoT security certainly presents itself as a more traditional enterprise problem, requiring security solutions that start in the cloud and work down the stack. In practice, however, the dynamic, real-time nature of IoT systems dictates the need for solutions that begin on the ground level with IoT terminal devices and edge devices. If these devices are not secure, the IoT application itself is at risk—as are the enterprise resources connected to it. For this reason, individual mechanisms such as hardware-based secure storage, encryption, authentication, and others remain vital elements of an overall IoT security solution. Building on these mechanisms, more advanced features such as secure over-the-air firmware updates, firmware authentication, and secure boot are essential for establishing “the hardware root of trust” necessary to provide a secure foundation for the rest of the IoT application.
Indeed, effective IoT security both trickles down from the cloud and bubbles up from the hardware—melding into a unified framework that neither approach can easily produce in isolation. For this reason, we’ll continue to see tighter integration between IoT hardware devices and cloud platforms. Semiconductor manufacturers already offer preconfigured hardware with keys and certificates for turnkey authentication on IoT platforms such as Samsung’s ARTIK™. IoT device developers can even find direct cloud support for real-time operating systems such as Amazon’s FreeRTOS™. Platform specificity is likely to drive more deeply into hardware with the emergence of IoT offerings such as Microsoft’s Azure™ Sphere. Inevitably, IoT security depends on the application of a combination of separate mechanisms at every level of the hierarchy that act in orchestration as a unified whole. Leading IoT platform providers understand this.
Nonetheless, tying hardware to specific IoT platforms won’t work for every development organization or project. Unique requirements, concerns about lock-in, and fast-moving innovation will drive some IoT applications in other directions. For any IoT application, the effective security solutions will be those that both trickle down from cloud-based capabilities and bubble up from hardware-based mechanisms.
Stephen Evanczuk has more than 20 years of experience writing for and about the electronics industry on a wide range of topics including hardware, software, systems, and applications including the IoT. He received his Ph.D. in neuroscience on neuronal networks and worked in the aerospace industry on massively distributed secure systems and algorithm acceleration methods. Currently, when he's not writing articles on technology and engineering, he's working on applications of deep learning to recognition and recommendation systems.