In my last post, I spoke about the Internet of Things (IoT) in terms of trust, security and privacy at a high level. Here, I will take a deeper dive in terms of how IoT security and privacy can impact an ecosystem interconnect.
When we talk about IoT, we think about the process we implement as we migrate to sensor-driven infrastructure for automated processes.
Looking at economies and technology ramp-up trends from a financial perspective, we will expect that there with be standardization around policies and processes, as well as implementing interfaces that are expected to connect sensors to networks, platforms, and application systems, or a combination of services.
It can all appear to be complex and large scale, especially in the borderless world of IoT. However, if as security and privacy professionals we ask ourselves, “What are the major areas we should focus on?,” my perspective is that we will have to look at:
- Device security and settings
- Security device and system physical access (IAM)
- Securing our communication network systems
- Dealing with the large volume of data we will have to process, leveraging big data analytics, risk scoring and criticality metrics aligned to a system, user privilege, and the business functionality.
IoT PriSec Model
The team at The Cyber Policy and Security Governance Institute have been developing an IoT PriSec Model. This model:
- Combines best of breed practices based on network, system and application security, which integrates functionality to meet data security lifecycle expectations as well as data privacy requirements for in-border and cross-border migrations.
- Is built on the premise that an IoT infrastructure ecosystem consists of a self-healing, secure network infrastructure and systems that exfiltrates data for analysis from system-system connects and sub-system interactions. This system will have a big data capability to build an analysis of permitted, potentially dangerous and malicious activities, allowing for event-driven capabilities, driving a mindset of adaptive security.
- Will be further enhanced to adapt to blockchain technologies.
- Integrates privacy definitions that are tied into the IAM and privilege access management which is tightly tracked and auditable.
- Promotes an effective combination of cryptography and smart analytics integrated into sensor security mechanisms which can quickly assess, measure and score attack attempts and attack paths for smart attack detection.
One area that will have an impact on IoT environments, given that the growth of cloud and big data are enablers of IoT, is that of unikernel security.
In the paper “Unikernels: Library Operating Systems for the Cloud,” A. Madhavapeddy and team describe a unikernel as follows: “In the context of virtual machines and cloud computing, it makes sense to describe the whole virtual machine as a unikernel.”
Bratterud, Happe and Duncan presented a paper on “Enhancing Cloud Security and Privacy: The Unikernel Solution,” which lists six observations exhibited by Unikernel systems as follows:
- Choice of service isolation mechanism
- The concept of reduced software attack surface
- The use of a single address space, shared between service and kernel
- No shell by default, and the impact on debugging and forensics
- Microservices architecture and immutable infrastructure
- Single thread by default
In a following piece, I will present further details on this aspect, as well as other areas that we are seeing leading IoT vendors focus on from a security and privacy best practice perspective.
Jon Shende, MSc., FBCS CITP, CISM
[ISACA Now Blog]