IoT Security: Still a Work in Progress
July 21, 2016
- Security is still the top concern and often prevents companies from launching deployments that would otherwise provide benefits, according to a recent IoT survey conducted by Current Analysis among 1,000 businesses worldwide.
- Operators are finally addressing some of these fears with assorted services and technologies – either their own or through an assortment of partner solutions.
A survey conducted recently by Current Analysis among 1,000 enterprises on their investments in IoT technology disclosed a fact that should not surprise anyone who follows the IoT market: security is still a key concern. One-third of the businesses surveyed listed it as their top worry, and 17% of the companies surveyed that had evaluated but chosen not to implement an IoT project cited security concerns as the primary reason.
Service providers are finally putting together portfolios of security services and technologies that may help reassure prospective customers. But it is happening more slowly and less consistently than one would expect. Two years ago, operators were mostly concerned with the security of their own networks, noting that secure APNs – with which IoT devices can connect to customers’ MPLS networks rather than the public Internet – would ensure network layer security. The implication was that securing the device, the data, and the application was someone else’s concern. Today, operators are realizing that they need to provide an end-to-end solution, or at least an end-to-end security vision, to guide customers. Some are putting together comprehensive IoT security portfolios through partners while others are building their own solutions. For example:
- AT&T notes that the network, the endpoint, the data and application, and the threat management environment are all parameters that need to be addressed. It states that its global SIM protects the device, while its network can be protected using AT&T VPNs, NetBond, Commercial Connectivity Service (CCS), and/or custom, private access point names (APNs). To protect IoT data and applications, AT&T offers cloud-based and on-premises firewalls, encryption, DDoS protection, and Cloud Web Security. To manage threats, AT&T uses behavioral analytics to understand how and where devices are being used and who is using them.
- Deutsche Telekom just launched a new protective layer for the device network using certificates from the T-Systems Trust Center. The certificates update themselves automatically, which means IoT customers are able to determine exactly how a digital identity is set up and the level of authentication required.
- Verizon offers a secure credentialing service that provides an over-the-top layer of security for applications and data, as well as trusted authentication, so only select employees and devices have access to IoT apps. Data privacy is provided through encryption.
- Telefonica’s ElevenPaths subsidiary offers continuous vulnerability ‘pen testing’ through its Faast service, providing both detection and response to vulnerabilities. It combines the information obtained and the vulnerabilities discovered the same way a real attacker would, exploring new attack vectors.
While some of these appear to be point solutions, most operators provide custom security beyond their networks and many have cybersecurity groups that provide security for not only IoT, but all applications regardless of access technology. For example, Orange notes that it can secure apps, websites, and access, leveraging 400 consultants, eight security operations centers, and 15 R&D facilities. While operators are not always in the best position to provide end-to-end security for IoT with their own services and software, customers often go to them to assemble end-to-end solutions.
This is a fast-moving area, where all members of the IoT ecosystem are talking about providing privacy and security for the billions of IoT devices anticipated to be connected in the near future. It is complicated by the intricacy of the ecosystem, where network and infrastructure vendors, carriers, and security software vendors own different parts of the solution and need to collaborate more effectively to relieve the customer from having to integrate disparate platforms from multiple parties.