M2M Security, Revisited
October 3, 2013 Leave a comment
- Back in April, I wrote a blog on the growing problem of M2M security and how, in spite of the huge amount of data expected to be collected, transmitted and analyzed over the next five to ten years via a multiplicity of network access technologies, few vendors or service providers had put a stake in the ground with a set of security solutions devoted to M2M.
- Six months later, there seems to be growing awareness of the problem: M2M data is just as likely, if not more likely, to suffer from malware, breaches of corporate data stores, SMS phishing (or use as a medium for malware), denial of service, ‘botnets,’ and stolen confidential company and personal information to be used for a variety of malevolent purposes (including corporate competitors, intrepid hackers, or those looking to sell information for financial gain).
Imagine billions of unmanned sensors and machines with little or no supervision and with no built-in intelligence (or potentially built using an insecure OS). Left to their own devices (pun intended), these sensors and machines amass and transmit vast quantities of information to remote servers in the cloud or behind the corporate firewall, without device and in-transit data encryption, or other traditional forms of security such as VPNs, personal firewalls, remote data wipe, intrusion/malware detection, or anti-virus software. Should this be the future of M2M/the Internet of Things?
Before I make myself overly paranoid with these fantasies, there are some solutions coming to the forefront to address these problems. For example, SilverSky provides ‘security from the cloud’ and is a one-stop security shop for M2M (and IT and mobility in general). Its approach is to guarantee the ‘absence of surprises,’ including designing for failure and resilience (remote diagnosis and upgrade of devices in the field); ‘eternal’ vigilance (continuous monitoring and the ability to respond through alerting, trouble ticket generation, and even self-healing); and risk management (analysis of what adverse events are acceptable and how frequently they can be tolerated). SilverSky believes that security needs to be in the network, the devices, the clouds that collect data, and the data stores themselves. Verizon is also active in M2M security, not only through its private network option, whereby a virtual private network separates out M2M traffic from the public Internet via IPsec VPN tunnels or private NNIs, but also through its data-centric security practice (part of its eCloud practice) that provides security consulting, security as a service, and managed security, including threat and vulnerability management. Sierra Wireless, a leading M2M module manufacturer with a cloud-based app enablement service, believes in a security policy of ‘balanced constraints’ where over-design can ruin the user experience but under-design can ruin the company. It offers security from secure boot to sandboxes, to encrypted storage, to secure download, mutual authentication, ciphered channels, two-factor authentication, VPNs, and data redundancy. It sounds like a lot of work for fully securing an M2M application, but a wider variety of vendors are clearly taking this work on and hopefully can provide these options cost-effectively.