It has been on my mind for a long time and I have been avoiding it too. But it is time to face the inevitable and just talk about it. After all, the more open the discussions, the more answers (and questions) will arise, and that is a good thing.
Yes, it is the big elephant in the room called Data Security. And the concern is going to get much worse as the proliferation of edge devices and fog computing, and IoT technobabble goes nuclear.
I have been involved in numerous discussions on IoT (Internet of Things) and Industrial Revolution 4.0. I have been in a consortium for the past 10 months, discussing with several experts in their fields how to face the future with IR4.0. Malaysia just announced its National Policy for Industry 4.0 last week, known as Industry4WRD. Whilst the policy is a policy, there are many thoughts on the implementation of IoT devices, edge and fog computing. And the thing that has been bugging me is, of course, storage, most notably storage and data security.
Storage on edge devices is likely to be ephemeral, and the data in that storage transient. We can discuss persistence of storage at the edge another day, because what I would like to address is data security in these storage components. That’s the Big Elephant in the room I was referring to.
The more I work with IoT devices and the different frameworks (there are so many of them), the more convinced I become of the need to address data security. The proliferation and exponential multiplication of IoT devices, now and in the coming future, have increased the attack vectors manyfold. Many of the IoT devices are simplified components lacking the guards of data security and are easily exposed. These components are designed with simplicity and efficiency in mind. Things such as I/O performance, storage management and data security are probably the least important factors, because every single manufacturer and every single vendor is slogging to make their mark and presence in this wild, wild west world.
Furthermore, the cohesive integration of data security at the edge is also a matter of concern. We are well aware that even in the enterprise, the mishmash of disparate security solutions and best practices often leaves gaps, because the integration of these security measures is not always well glued together. Thus, at the edge, where most of the IoT devices and equipment are not physically secured, are exposed and are not well supervised, the security gaps will be even more rampant. And once these devices and their components are compromised, the resulting security threat and damage would be massive.
How do we circumvent this concern and find ways to reduce the data security risks? I am no expert in security and I am putting forth this argument to everyone who wishes to contribute their valuable comments on it. From the perspective of data security at the edge, I have considered these 3 factors.
- Data Checksum
- Data Authentication
- Data Encryption
These 3 factors are by no means comprehensive, and therefore not 100% holistic in covering every single security aspect of data security and protection. My objective is to make data at the edge less susceptible to security threats and vulnerabilities, with measures that can be quickly implemented to address these risks.
Data is acquired or created at the edge devices. A simple secure hash with a SHA-1 or SHA-256 checksum of the data could prevent tampered data from being ingested into the IoT ecosystem.
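The checksum idea above, as an added example that is not part of the original post: an unkeyed SHA-256 digest catches corruption, but anyone who can alter a reading in the path can recompute the digest too, so the block pairs it with an HMAC over a key provisioned on both device and gateway (the key and the sensor reading are constructed sample values).

```python
import hashlib
import hmac
import json

# Constructed sample values, not from the original post: a shared key that
# would be provisioned onto the device and the gateway, and one sensor reading.
SHARED_KEY = b"example-device-key-do-not-reuse"
READING = {"sensor": "temp-07", "ts": 1536825600, "celsius": 41.2}


def canonical(reading):
    """Serialise deterministically so device and gateway hash identical bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def sha256_checksum(reading):
    """Unkeyed SHA-256 checksum as suggested in the post."""
    return hashlib.sha256(canonical(reading)).hexdigest()


def hmac_tag(reading, key):
    """Keyed tag (HMAC-SHA256): only a holder of the key can produce it."""
    return hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()


def checksum_ok(reading, checksum):
    """Gateway check for the unkeyed checksum (constant-time comparison)."""
    return hmac.compare_digest(sha256_checksum(reading), checksum)


def tag_ok(reading, tag, key):
    """Gateway check for the keyed tag (constant-time comparison)."""
    return hmac.compare_digest(hmac_tag(reading, key), tag)


def ingest_outcomes():
    """Run both checks on the genuine reading and on a modified copy whose
    checksum was refreshed by whoever modified it (no key is needed for that)."""
    genuine = (sha256_checksum(READING), hmac_tag(READING, SHARED_KEY))
    modified = dict(READING, celsius=99.9)
    # The tag cannot be regenerated without the key, so the original one is forwarded.
    forwarded = (sha256_checksum(modified), genuine[1])
    return {
        "genuine_checksum": checksum_ok(READING, genuine[0]),
        "genuine_tag": tag_ok(READING, genuine[1], SHARED_KEY),
        "modified_checksum": checksum_ok(modified, forwarded[0]),  # still passes
        "modified_tag": tag_ok(modified, forwarded[1], SHARED_KEY),  # rejected
    }


if __name__ == "__main__":
    for check, passed in ingest_outcomes().items():
        print(f"{check}: {'accept' if passed else 'reject'}")
```

The gateway should therefore gate ingestion on the keyed tag; the plain checksum is only a cheap first filter for transmission errors.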
Most IoT devices at the edge are usually bestowed with one superuser admin account. This has to be authenticated with PAM (privilege account management) technology, which can be implemented close to the edge at IoT gateways. I know of a few PAM solutions such as SecureKi, CA Privileged Access Manager or One Identity PAM, but unfortunately I have not seen these companies addressing PAM at the edge. I think that will come eventually.
Last of the 3 points is Data Encryption. Performing encryption on IoT devices is challenging. IoT devices are limited in resources – memory capacity is small; processing power is weak; network bandwidth is narrow; and power supply is low. Thus, data encryption at rest on the edge devices has to be lightweight. Researching the data encryption topic, I found a few interesting block-cipher-based (such as PRESENT and Sony’s CLEFIA) and stream-cipher-based (such as CryptoLUX) encryption implementations, as well as elliptic curve-based encryption. Expanding further to data encryption in flight (or in transit), TLS (Transport Layer Security) version 1.3 could be the right fit. Here’s a good article explaining the TLS 1.3 improvements that address the lightweight requirements of IoT communication and data security.
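For the in-transit side, here is an added example (not from the original post) of how a device or gateway client built on Python's standard `ssl` module can be pinned to TLS 1.3 only, so that an older handshake is refused rather than negotiated down; the `cafile` argument is an assumed path to the PEM bundle of the CA that issued the gateway certificate.

```python
import ssl


def make_tls13_client_context(cafile=None):
    """Client context for an edge device or gateway that only speaks TLS 1.3.

    cafile is an assumed PEM bundle holding the CA that issued the gateway's
    certificate; when omitted, the system trust store is used instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Pin both ends of the version range so a TLS 1.2 handshake is refused
    # outright, not merely discouraged.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # PROTOCOL_TLS_CLIENT already enables these; set them explicitly so the
    # policy survives being copied into other code.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def context_policy(ctx):
    """Summarise the settings worth auditing on a deployed context."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "verify": ctx.verify_mode.name,
        "hostname": ctx.check_hostname,
        # Only the TLS 1.3 suites (AEAD only) remain negotiable with this range.
        "tls13_suites": sorted(
            c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"
        ),
    }


if __name__ == "__main__":
    print(context_policy(make_tls13_client_context()))
```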
As the ecosystem grows, we are also beginning to see new technology players addressing the data security risks in IoT. Foghorn has been particularly interesting to me, and they were named one of the Top 10 IoT global firms in 2017. I will be attending their technical training soon. This is being organized by the consortium I mentioned earlier. Next week, I will be given a technology dive into Dell Edge Gateways for IoT, again with the consortium. And Dell has a partnership with Foghorn; Edgeworx, which just came out of stealth less than 2 weeks ago, adds another strong catalyst to data security at the edge. And I am sure there will be hundreds more coming to the fore as the edge computing and IoT market scene is exploding as we speak.
Still, the Big Elephant in the room has to be addressed quickly and affirmatively. Data security is big business, both for the white hats and the black hats. Enterprise solutions moving towards Edge Computing and IoT solutions moving towards the Enterprise have to come to terms with the fact that Data Security must be inclusive in all aspects.
It is not about getting more business and growing revenue. It is about protecting data and securing data for the sake of humanity.
NOTE: A few days ago, one of the readers, Tay Chong Yoke of Cisco Malaysia, shared this PDF. I think it is a great whitepaper on IoT Security.