The Big Elephant in IoT Storage

It has been on my mind for a long time and I have been avoiding it too. But it is time to face the inevitable and just talk about it. After all, the more open the discussions, the more answers (and questions) will arise, and that is a good thing.

Yes, it is the big elephant in the room called Data Security. And the concern is going to get much worse as the proliferation of edge devices and fog computing, and IoT technobabble goes nuclear.

I have been involved in numerous discussions on IoT (Internet of Things) and Industrial Revolution 4.0. I have been in a consortium for the past 10 months, discussing with several experts in their fields how to face the future with IR4.0. Malaysia just announced its National Policy for Industry 4.0 last week, known as Industry4WRD. Whilst the policy is a policy, there are many thoughts on the implementation of IoT devices, edge and fog computing. And the thing that has been bugging me is related, of course, to storage, most notably storage and data security.

Storage on the edge devices is likely to be ephemeral, and the data in this storage, transient. We can discuss persistence in storage at the edge another day, because what I would like to address is the data security in these storage components. That’s the Big Elephant in the room I was referring to.

The more I work with IoT devices and the different frameworks (there are so many of them), the more enlightened I become about the need to address data security. The proliferation and exponential multiplication of IoT devices at present and in the coming future have increased the attack vectors manyfold. Many of the IoT devices are simplified components lacking the guards of data security and are easily exposed. These components are designed with simplicity and efficiency in mind. Things such as I/O performance, storage management and data security are probably the least important factors, because every single manufacturer and every single vendor is slogging to make its mark and presence in this wild, wild west world.

Picture from https://fcw.com/articles/2018/08/07/comment-iot-physical-risk.aspx

Furthermore, the cohesive integration of data security at the edge is also a matter of concern. We are well aware that even in the enterprises, the mishmash of disparate security solutions and best practices often leaves gaps, because the integration of these security measures is not always well glued together. Thus, at the edge, where most of the IoT devices and equipment are not physically secured, are exposed and are not well supervised, the security gaps will be even more rampant. And once these devices and their components are compromised, the security threat and its imminent destruction would be massive.

How do we circumvent this concern and find ways to reduce the data security risks? I am no expert in security and I am putting forth this argument to everyone who wishes to contribute their valuable comments about it. From the perspective of data security at the edge, I have considered these 3 factors.

  • Data Checksum
  • Data Authentication
  • Data Encryption

The 3 factors are by no means comprehensive, and therefore do not holistically cover every single aspect of data security and protection. My objective is to make data at the edge less susceptible to security threats and vulnerabilities, with measures that can be quickly implemented to address these risks.

Data is acquired or created at the edge devices. A simple secure hash of the data, such as a SHA-1 or SHA-256 checksum, could prevent tampered data from being ingested into the IoT ecosystem.
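An ingest check along these lines, as an added example that is not part of the original post: it goes one step beyond the plain checksum by comparing an unkeyed SHA-256 digest with a keyed HMAC-SHA-256 tag, since the unkeyed digest catches corruption but can be recomputed by whoever alters the data. The device key, the sample reading and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values: the per-device key and the sensor reading are
# illustrative assumptions, not taken from any real device.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
READING = json.dumps({"device": "pump-07", "seq": 41, "temp_c": 71.5},
                     sort_keys=True).encode()


def sha256_checksum(payload: bytes) -> str:
    """Unkeyed digest: anyone who can change the payload can recompute it."""
    return hashlib.sha256(payload).hexdigest()


def hmac_tag(key: bytes, payload: bytes) -> str:
    """Keyed tag: recomputing it requires the per-device secret."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def accept_with_checksum(payload: bytes, checksum: str) -> bool:
    """Gateway-side check of an unkeyed checksum (constant-time compare)."""
    return hmac.compare_digest(sha256_checksum(payload), checksum)


def accept_with_hmac(key: bytes, payload: bytes, tag: str) -> bool:
    """Gateway-side check of a keyed tag (constant-time compare)."""
    return hmac.compare_digest(hmac_tag(key, payload), tag)


def demo() -> dict:
    good_sum = sha256_checksum(READING)
    good_tag = hmac_tag(DEVICE_KEY, READING)
    results = {
        "honest_checksum": accept_with_checksum(READING, good_sum),
        "honest_hmac": accept_with_hmac(DEVICE_KEY, READING, good_tag),
    }
    # Accidental corruption: one bit flips, the checksum travels unchanged.
    corrupted = bytes([READING[0] ^ 0x01]) + READING[1:]
    results["corrupted_checksum"] = accept_with_checksum(corrupted, good_sum)
    # Deliberate change: payload altered and the unkeyed checksum recomputed.
    altered = READING.replace(b"71.5", b"21.5")
    results["altered_checksum"] = accept_with_checksum(altered, sha256_checksum(altered))
    # Without DEVICE_KEY no valid tag can be made for the altered payload;
    # the original tag no longer matches it.
    results["altered_hmac"] = accept_with_hmac(DEVICE_KEY, altered, good_tag)
    return results


if __name__ == "__main__":
    print(demo())
```

The keyed variant only helps if each device's key is provisioned to the gateway and kept off the wire; the `seq` field is there so a gateway can also reject replayed readings.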

Most IoT devices at the edge are usually bestowed with one superuser admin account. This has to be authenticated with PAM (privileged account management) technology, which can be implemented close to the edge at IoT gateways. I know of a few PAM solutions such as SecureKi, CA Privileged Access Manager or OneIdentity PAM but unfortunately, I have not seen these companies addressing PAM at the edge. I think that will come eventually.

Last of the 3 points is Data Encryption. Performing encryption on IoT devices is challenging. IoT devices are limited in resources – memory capacity is small; processing power is weak; network bandwidth is narrow; and power supply is low. Thus, data encryption at rest at the edge devices has to be lightweight. Researching the data encryption topic, I found a few interesting block-based (such as PRESENT and Sony’s CLEFIA) and stream-based encryption (such as CryptoLUX) implementations, as well as elliptic curve-based encryption. Expanding further to data encryption in flight (or in-transit), TLS (Transport Layer Security) version 1.3 could be the right fit. Here’s a good article explaining TLS 1.3 improvements addressing the lightweight requirements of IoT communication and data security.

As the ecosystem grows, we are also beginning to see new technology players addressing the data security risks in IoT. Foghorn has been particularly interesting to me, and they were named one of the Top 10 IoT global firms in 2017. I will be attending their technical training soon. This is being organized by the consortium I mentioned earlier. Next week, I will be given a technology dive into Dell Edge Gateways for IoT, again with the consortium. And Dell has a partnership with Foghorn. Edgeworx just came out of stealth less than 2 weeks ago, adding a strong catalyst to data security at the edge. And I am sure there will be hundreds more coming to the fore as the edge computing and IoT market scene is exploding as we speak.

Still the Big Elephant in the room has to be addressed quickly and affirmatively. Data security is big business, both for the white hats and the black hats. Enterprise solutions moving towards Edge Computing and IoT solutions moving towards the Enterprise have to come to terms that Data Security must be inclusive in all aspects.

It is not about getting more business and growing revenue. It is about protecting data and securing data for the sake of humanity.

NOTE: A few days ago, one of the readers – Tay Chong Yoke of Cisco Malaysia shared this PDF. I think it is a great whitepaper on IoT Security.


About cfheoh

I am a technology blogger with 20+ years of IT experience. I write heavily on technologies related to storage networking and data management because that is my area of interest and expertise. I introduce technologies with the objective of getting readers to *know the facts*, and use that knowledge to cut through the marketing hype, FUD (fear, uncertainty and doubt) and other fancy stuff. Only then will there be progress. I am involved in SNIA (Storage Networking Industry Association) and as of October 2013, I have been appointed as SNIA South Asia & SNIA Malaysia non-voting representative to the SNIA Technical Council. I was previously the Chairman of SNIA Malaysia until Dec 2012. As of August 2015, I am returning to NetApp to be the Country Manager of Malaysia & Brunei. Given my present position, I am not obligated to write about my employer and its technology, but I am indeed subject to the Social Media Guidelines of the company. Therefore, I would like to make a disclaimer that what I write is my personal opinion, and mine alone. Therefore, I am responsible for what I say and write and this statement indemnifies my employer from any damages.
