IoT security part 2 – Cloud considerations
Most people believe that electronic security issues started to appear as we all became connected to the Internet. However, that’s not quite the case; the first recorded instance of hacking occurred in 1878, when the Bell Telephone Company had to fire a group of teenage telephone operators in New York for repeatedly and intentionally misdirecting and disconnecting customer calls.
Although incidents like these show that hacking started earlier than we may have imagined, it remains true that such concerns, now considered as cyber security issues, have grown exponentially since the advent of the Internet. This growth is being driven by ever-increasing connectedness, firstly of people through Internet-enabled computers, then of an increasing array of objects through the Internet of Things (IoT).
Very broadly, any IoT implementation comprises a set of sensor and actuator edge devices, cabled or wireless Internet connections, and a central computing resource, usually cloud-based. It’s this data processing and analysis resource that provides the IoT’s characteristically improved insight and better control of the world around us. The first part of our security discussion focused on the edge devices; here, we look at security concerns related to the cloud.
The IoT increases cyber security risk partly because it multiplies the number of data sources, entry points and data flow into a cloud resource. However there is another critical reason; an ICT team may be well versed in securing workstations, BYOD smart devices and memory sticks associated with mainstream corporate data processing, while not being equipped for or even aware of the dangers from IoT type devices. These devices, unlike the ICT equipment, are probably not in a physically or electronically secure environment. Yet vending machines, thermostats and many other apparently innocuous objects can provide entry points for hackers intending wider penetration and damage.
To understand this threat better, we should think of the cloud resource in terms of what it actually is; a data centre, or, for extra security, a number of geographically separated data centres. Each installation contains racks of servers in a building carefully managed for environmental conditions, secure power and physical protection.
Users relate to these data centres in one of three different scenarios. Firstly, a large corporation can own and operate a data centre as part of an entire IoT strategy that also includes the edge devices, for a complete, internally controlled and managed solution. Amazon is an example of this - a previous article discussed Amazon’s IoT strategy and showed how their implementation covers everything from the Alexa and Dash button edge devices, through their fulfilment centres and computing facilities, and back out to the edge with a push towards futuristic solutions such as delivery drones and autonomous trucks.
In the second scenario, a corporation operates a data centre as a cloud resource, not for their own IoT implementation, but instead as a co-location facility for smaller, third-party organisations wishing to buy cost-effective access to shared services rather than investing in their own data centres. Amazon, once again, provides a good example – as well as supporting their own IoT systems, they offer cloud computing facilities to third parties through Amazon Web Services (AWS).
Finally, there is the perspective of the third-party users just referred to. While not owning a data centre, their responsibility to their customers includes a requirement to operate their cloud resources, as well as the devices within their own organisation, securely.
In the remainder of this article, we look at some of the measures that large-scale data centre operators can take to protect themselves, and then review those available to their smaller counterparts with a shared cloud-based IoT strategy. Next, we consider the underlying technologies that are available for building in to such strategies. Finally, we overview legislation applicable to all enterprises engaged in collecting, processing and storing data on any scale.
Although any reasonable enterprise would acknowledge the absolute need for cyber security in today’s increasingly connected, volatile and hazardous landscape, there may be some resistance to the amount of effort and resources needed to support an effective security strategy. To address this, we preface our strategy discussion with some examples of what can happen without suitable protection in place.
The consequences of insufficient cyber protection
Organisations that fail to protect themselves against the ever-changing and growing threat of cyber-attack clearly run the risk of significant financial and reputational damage if an attack does succeed. On top of this, there is the possibility of a significant fine if legally required standards of care are not complied with.
Data breach examples:
- In 2009, a malicious computer program called Stuxnet penetrated a nuclear reprocessing plant in Iran , took control of 1000 centrifuges linked to weapons-grade nuclear material production and effectively instructed them to self-destruct.
- In 2015, a pair of security researchers demonstrated how easily they could remotely hack into a moving Jeep Cherokee and disable its transmission and brakes. This forced Fiat Chrysler to recall 1.4 million vehicles.
- Online 3D printers in a factory are a potential weak link. Hackers could manipulate them to produce barely detectable defects in the manufacturing process, which would only manifest themselves when it was far too late. Components that break under less than rated strain have obvious and potentially serious consequences for any cars or aeroplanes they are built into.
- In 2013, a Forbes reporter found that she could use the web to identify and access homes with a now-discontinued home automation system . She called some of the homeowners, and turned their lights on and off while chatting with them on the phone.
- In February 2015, a billion-dollar bank cyberheist affected up to 100 banks around the world. The breaches infiltrated the banks' networks using tactics such as phishing and gaining access to key resources, including employee account credentials and privileges. The cybercriminal ring then used those credentials to perform fraudulent transfers and make hijacked ATM machines appear legitimate as they funneled more than $1 billion into their own pockets.
Examples of non-compliance fines
- In February this year the Financial Services Authority (FSA) fined Nationwide Building Society £980,000 for failing to have effective systems and controls to manage its information and security risks. The failings came to light following the theft of a laptop from a Nationwide employee's home last year. This urged the FSA to carry out an investigation, during which it found that the building society did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime.
- In 2016, a £15,000 fine was imposed on a nursing home in Northern Ireland after a laptop containing employee as well as vulnerable resident data was stolen from an employee’s home. The data was password protected but not encrypted. The Information Commissioner’s Office (ICO) issued the fine after finding that the nursing home did not have any policies in place for homeworking, storage of mobile devices or encryption, and had provided inadequate training on data security.
The corporate response
An IBM study has shown that misconfigured systems or applications, followed by user error, are the main causes of data breaches.
The study also describes steps that organisations can take to protect themselves. Success depends on careful management and procedures as well as security technology. Key steps include:
Risk-aware culture for employees, suppliers and contractors: Managers need to push a policy of zero tolerance towards security carelessness from the top down, and implement tools to track progress.
Central control of settings for all workstations, laptops and smart devices: All such devices provide a potential opening for malicious attacks. The settings on each device must be subject to centralised management and enforcement. Also, the streams of data within an enterprise have to be classified and routed solely to authorised users.
Manage incidents and respond: Apply intelligent analytics and automated response strategies, company-wide.
Security should be designed in rather than added: Big vulnerabilities in systems arise from implementing services first, and adding security afterwards. The only solution is to build in security from the start, and to carry out regular tests to track compliance.
Ensure that updates and patches can be managed promptly and reliably. A secure system will include a strategy to install patches and updates as they are released.
Control network access: Companies that channel registered data through monitored access points will have a far easier time spotting and isolating malware
loud securityC: A cloud environment will be shared with other users of unknown trustworthiness. Threat monitoring and isolation tools are essential. This becomes an increasing priority if the cloud data centre is hosting an IoT implementation along with corporate data processing systems.
Manage user identity rigorously, with careful assignment and revoking of permissions as users come and go. Such strategies are now formalised into identity and access management (IAM) systems, and are available as packaged solutions form, IBM and other suppliers.
For one example, Amazon extends its IAM service to customer transactions under their Amazon Web Services AWS IAM environment. AWS lets its account holders allow other users to administer and use resources in their account without having to share a password or access key. Granular permissions can also be granted, i.e. different permissions can be granted to different people for different resources.
AWS IAM offers further advantages related to integration with other AWS services. It is also PCI-DSS compliant for credit card transactions, as described under the Security Compliance Legislation section later in this article.
Inventory, protect and encrypt critical data: Scientific or technical data, client information or confidential documents should all be regarded as critical assets, and duly inventoried, and then guarded, tracked and encrypted.
Corporations can take steps as described above to protect their data centre operations, whether provided for their own use or for third parties – but how about smaller enterprises; ones that buy their cloud services from such providers? In fact SMEs, like larger corporations, face significant security threats. Criminals can regard them as soft targets as they are likely to have invested less than large corporations in IT security.
The government-sponsored Cyber Security Breaches Survey 2016 found that 33% of small businesses and 65% of large organisations had suffered a security breach in the twelve months preceding the investigation. The survey also concluded that many smaller companies would benefit from greater awareness of security issues, complemented with better training.
A problem for SMEs is that, while facing threats similar to those experienced by larger organisations, they have fewer resources and less manpower to tackle them. Yet the financial burden is likely to increase, and the challenge is multi-dimensional. Attack frequency, compliance requirements, complexity, costs, and the number of security products that must be managed are all increasing, according to 451 Research . Cloud-based Security as a Service (SECaaS) offers one solution, as it reduces complexity and eases access to services. Like Software as a service (SaaS) and other models, SECaaS allows shared access to a common resource, with cost-effective and scalable purchase of appropriate capacity.
The survey also found that the most desired cloud-based security capabilities were data loss prevention, network access control, and encryption, followed by threat management, application control, SSL decryption, and URL filtering. More than 60 percent of the survey respondents cited legacy IT as the greatest barrier to improving visibility and control within their networks, followed by lack of budget at 27 percent.
Packaged security solutions are also available for SMEs without in-house IT teams. For example, Kaspersky’s Endpoint Security Cloud covers the specific needs of small to medium sized businesses, and can be managed from a centralized, cloud-based console.
Tools for cloud security
Organisations of all sizes can do much to protect themselves by carefully designed and rigorously enforced operational practices, along with adequate staff training, as described above. However, strategies must also be supported by a range of robust technologies appropriate to the deployment.
- Building security into software development: Security functionality should be designed in before deployment rather than trying to add it later. Microsoft has developed a security assurance process called the Security Development Lifecycle (SDL) that is focused on software development. SDL introduces security and privacy throughout all phases of the development process, and aims to reduce the number and severity of vulnerabilities in software.
- Multi factor authentication and adaptive authentication: Because passwords are easily compromised, multi-factor authentication (MFA) is critical for strengthening security. But traditional MFA tools use static rules that can’t keep up with today’s constantly evolving security risks. Adaptive authentication uses machine learning to score the risk of each login attempt and challenges users making high-risk logins to authenticate using MFA.
- Encryption provides a further protection layer – scrambling the data and rendering it useless to any hackers who succeed in accessing it. The highest commercially available level of encryption is AES 256-bit. AES (Advanced Encryption Standard) was established by the US National Institute of Standards and Technology (NIST) and is used by government and private organisations worldwide.
- AES is a symmetric-key algorithm, which means it uses the same key for encrypting and decrypting the data, providing high performance and scalability.
Security compliance legislation
Any organisation, of any size, that handles personal data has a legal obligation to safeguard it. Merchants, financial institutions and other entities handling financial transactions have extra responsibilities.
One international standard for security compliance that can be applied across industries is the International Standards Organisation's ISO 17799, known as ISO 27001 in Europe. This is a formal process that helps an organisation demonstrate a high level of IT security management. It covers 10 major areas, including business continuity planning, physical and environmental security, compliance, personnel security, asset control and security policy.
The Payment Card Industry Security Standards Council operates the Payment Card Industry data security (PCI-DSS) standards. These set the operational and technical requirements for organisations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.
The PCI-DSS standards include PCI Data Security, PTS PIN Transaction Security, a DSS Data Security Standard for software vendors and others who develop payment applications that store, process or transmit cardholder data and/or sensitive authentication data, and a P2P Encryption standard which establishes a comprehensive set of security requirements for point-to-point encryption solution providers.
The cyber threat landscape can seem to be daunting, especially as the number and types of threat are growing. Certainly, the task of identifying likely threats and their sources, and then installing and maintaining the systems to combat them, is demanding.
However, help is available from many sources. One starting point is a publication from the National Cyber Security Centre - part of GCHQ - called ’10 Steps to Cyber Security’ , now used by the majority of the FTSE350. This describes how to set up an effective organizational risk management regime, together with the specific procedures, such as network security, user education, malware protection and others.
In seeking to implement these procedures, organizations can buy in resources to complement their own, either as a service or as packaged products such as Kaspersky’s. IoT devices can be protected by incorporating off-the-shelf security components, and hardened operating systems designed specifically for use in IoT devices are available.
As well as providing advice for combating security threats, the National Cyber Security Centre is operating on a large scale to diminish the sources of threat as far as possible. They are using the state as a guinea pig by toughening up security on 5,000 government web domains , and intend to open-source many of the tools they are developing to help others implement the same thing.
Engineering and Technology Magazine, April, 2017, ‘Hacking through History’ article
Engineering and Technology Magazine, April, 2017, ‘Securing IoT in your smart home and your connected enterprise’.
IET Engineering & Technology Magazine, April 2017, ‘If you’re not doing it, why the hell not?’
IoT security part 2 – Cloud considerations. Date published: 19th July 2017 by Farnell element14