Authentication, Authentication, Authentication!
With IDC predicting there will be 200 billion connected devices operating amongst us by 2020, the IoT is a digital revolution tipped to eclipse any of those that came before it.
However, as with any metaphysical network, there is the very real threat of data breaches, infringing on our personal privacy, security and data. So how can data be safeguarded in this rapidly expanding network of connected devices and what can the companies that build these devices do to convince consumers they are safe to use?
From tiny sensors to mammoth machines, the answer lies in building micro-segmented stages of authentication that in turn makes data more secure but also honour consumer’s right to personal privacy, says Manfred Kube, head of M2M Segment & Offer Marketing at Gemalto.
Smart devices are changing how we work, the way our homes run and how we enjoy our leisure time, but these clear benefits to our lives also come with opportunities for hackers to steal valuable information from personal data to the intellectual property that makes a company or product unique. In the wider context of IoT, this idea of user or device authentication becomes ever more prevalent.
Take a connected car for example, when we go to unlock it using a smartwatch we want to be reassured that only we, the owners, are authorised to do. This means ensuring the users of a device (and/or account) are who they say they are and have the authorised credentials to access the information thereafter, helping form the core basis for securing the communication of a device within these expansive networks.
But there are some challenges and limitations with single user authentication, such as what happens if something goes wrong with the connected device? In this scenario, it’s more than likely that the supplier will need access to deliver any software updates directly to the device by having access remotely – only to be installed once you have accepted the T&Cs and agreed the download to commence.
By allowing this to happen a certain level of trust needs to be established where the consumer has to be clear that the correspondence has come directly from the named source and not someone who poses a security threat to the network.
High profile cyber security attacks such as the TalkTalk and Ashley Maddison sagas, have highlighted the importance for businesses to reassure their customers that these growing networks will be secure and enable the user to take control of their data.
One of the ways companies are tackling this problem of false user authentication is through biometric data – that is, using individual’s unique ‘biology’ to access their data. This includes unique means of identification such as fingerprints and vein or iris scans that are incredibly difficult to replicate.
The use of biometrics and behavioural biometrics (gestures, swipe and pattern predictions), is creating a unique level of user identification; truly establishing the sense of ‘personal’ between the user and a device. This significantly enhances the security credentials of the device and acts as a major barrier between hackers and their access to data.
When “things” communicate in the IoT, credentials residing in tamper-resistant secure elements embedded in devices can not only secure network access and communication but also support secure services such virtual private networks, e.g. for software updates.
In order for the IoT to truly reach its potential, users need to trust that their connected devices are secure and their privacy is guaranteed. Trust in large corporations has fallen away in recent years by the apparent mishandling of customers’ data by previously tried, tenured and trusted brands. Once that trust goes, it can be extremely hard, if not impossible to get back and this can be damaging, and in some case fatal, for brands.
The four best practices for IoT protection:
Evaluating risk – developers need to understand all the potential vulnerabilities. Evaluation processes should cover privacy, safety, fraud, cyberattacks and IP theft. Evaluating risk is not easy as cybercriminals are continually working on launching new threats. As there is no one size that fits all it is advisable to bring in a security expert at this stage.
Security by design – it is key that device security is duly considered at the development stage. This should include end-to-end points and countermeasures, including tamperproof hardware and software. Security should never be an afterthought – and retrofitting security is often hard and costly. It’s best to consider this in the first place.
Securing the data – strong authentication, encryption and securely managed encryption keys need to be included to secure information stored on the device and in motion.
Lifecycle management – security is not a one-off process and then you can forget about it. It is imperative that IoT devices are protected for the lifecycle of the device, be it a stand-alone product or integrated into a car, for example.
The author of this blog is Manfred Kube, head of M2M Segment & Offer Marketing at Gemalto.
Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow