Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News
    • Networking

    Cloud Security Alliance Details IoT Security Guidelines

    By
    SEAN MICHAEL KERNER
    -
    October 11, 2016
    Share
    Facebook
    Twitter
    Linkedin
      IoT security

      Internet of things security isn’t just a concern for individual devices; it’s a risk that extends to the cloud.

      In a detailed 75-page report the Cloud Security Alliance (CSA) provides a detailed road map for developing secure internet of things products.

      While internet of things devices are often small embedded systems, IoT and the cloud are heavily co-mingled, as IoT devices make use of cloud services.

      “Whether we are talking about voice-controlled assistants or talking Barbies, these all interact with services in the cloud,” Brian Russell, chairman of the IoT Working Group at CSA and chief engineer, Cyber Security Solutions, Leidos, told eWEEK. “CSA has well-defined cloud security guidelines, with the Cloud Controls Matrix (CCM) and other guidance, but we realized that if the IoT products themselves are not secure, then there will continue to be compromises.”

      Russell noted that the IoT can be thought of as a “system-of-systems,” with many components working together to enable a service. In such a scenario, the system is only as secure as the weakest link.

      “Unfortunately, IoT product vendors are often challenged in their ability to secure their products given they haven’t been exposed to the need for security engineering in the past,” Russell said.

      Adding to the lack of vendor experience with security is a lack of skilled security engineers available to assist IoT vendors. Russell added that developers need a set of best practices to consider within their product development lifecycle, which is where the new CSA guidance is aiming to help fill the gap.

      As part of the report, the CSA has outlined a secure IoT development methodology that will look somewhat familiar to engineers that have worked on cloud and mobile security in recent years.

      “IoT security will have some similarities [to] and lessons learned from the adoption of cloud and mobile devices,” John Yeoh, senior research analyst at CSA, told eWEEK.

      Although there are many similarities with existing areas of security controls, IoT does introduce new areas of concern, for example, the need to understand the role that hardware plays in securing the device or exposing the device to vulnerabilities, Russell said. IoT is also a bit different from some other areas of technology in that it often aims for autonomous interactions between different types of products.

      “This means that developers need to be aware of the other types of products or services that their devices may eventually interact with—and think through the potential security ramifications,” Russell said. “For example, an automobile manufacturer may not have planned for an insurance company to build a dongle that connects to the OBD-II port and connects via Satcom or cellular.”

      A core element of the CSA IoT security approach is a safety impact assessment for a given IoT device to fully understand potential risks. Russell explained that the security impact assessment would need to answer several critical questions that would help expose the true risk.

      The four key questions of such a safety impact assessment for IoT include the following:

      1. Given the intended use of the product, is there anything harmful that could occur if the product stopped working as intended or stopped working completely?
      2. Are there any safety-critical services or other products that rely on the functioning of this product?
      3. If a device is compromised, are there any physical effects that could occur downstream from bad data coming from the device?
      4. For safety-critical devices, what would happen if an attacker disabled the built-in safety features?

      While IoT vendors have work to do in securing devices, users also have a role to play. Yeoh commented that password security is definitely mentioned in the CSA IoT paper. The use of default passwords is something in which the manufacturer can assist, but the reuse of passwords is something the user has control over, he explained.

      “In addition to password protection, over-privileged access of the devices and the applications interacting with devices is something users can control,” Yeoh said. “These devices and interfaces shouldn’t have privileges and capabilities beyond their intended or defined roles.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×