Marc Kassis, Cyber Security Director, Ingram Micro Middle East, and Praveen Joseph Vackayil, Ingram Micro Cyber Security Consultant and Trainer, discuss how data management can be a game-changer when it comes to IoT security.
IoT Security – The three building blocks
The Internet of Things is already making grand inroads into business and technology landscapes around the world. Fundamentally defined as a connected network of heterogeneous components that sense, collect, transmit and analyze data to make “intelligent” decisions, the Internet of Things is seeing practical deployments across multiple sectors of industry, ranging from education to banking and construction to road transport.
However, deep security continues to elude most IoT deployments. To be effective, IoT Security must be founded on three building blocks.
Measurable and Comparable Security
While specific IoT vendors have their own proprietary IoT security standards, a universally accepted vendor-neutral IoT Security standard is required. This will facilitate the incorporation of metrics and benchmarking mechanisms across different IoT ecosystems to gauge and compare their security postures.
Given the very diverse nature of the Internet of Things, and how ingrained it is in creating a functional ecosystem for “heterogeneous things” to talk to each other, a holistic, cross-functional security platform is difficult to design. Even so, a holistic, multi-layered and integrated security approach is a critical success factor for a truly secure IoT environment.
Inherent security requires identifying security requirements and planning for them right at the drawing board of the application (security by design), emphasizing security over functionality and incorporating secure application development standards.
Data Management is a collection of processes and activities to implement end-to-end governance and control of an organization’s data assets across their entire lifecycle. Its key objectives include ensuring formal classification of data, application of data security controls in proportion to applicable risk, maintenance of data quality, etc. In fact, many of these objectives are compliance requirements across multiple security and privacy regulations, including the recently enforced EU-GDPR.
Data Modeling holds the key to resolving the IoT security conundrums described above. Data Modeling is the science of analyzing and typecasting data into “frameworks” that are aligned with specific and customizable formats.
Using pattern detection and cross correlation, data modeling introduces a level of “consistency”, “quality” and “predictability” into raw and unorganized data structures. This enrichment of raw data can be used effectively to improve the security levels of an IoT Ecosystem. Let’s find out how.
The need for vendor-neutral cross-platform IoT security standards
By analyzing the data residing within an IoT ecosystem, data modeling will help to identify and predict security strengths and weaknesses, failure points and performance levels of the IoT components. This will help to define security metrics and benchmarks across multi-vendor environments, thereby paving the way for vendor-neutral cross-platform IoT Security standards.
The need for a holistic and integrated security approach
A holistic, multi-layered and integrated security approach can be derived by modeling attack vectors. This will require crunching threat data including threat actors, threat outcomes, threat motives, and most importantly perpetration methods. With this information at hand, it is possible to identify security controls and develop a cross-platform and vendor-neutral integrated approach to security.
The need for inherent security – security by design
By documenting the design lifecycle of the multiple components in an IoT ecosystem, vendors can identify common phases and define the key milestones where security requirements and metrics will need to be injected. Data modeling can assist in analyzing design processes across multiple components and vendors and identifying the right points to inject these security metrics.