Bench Talk

News headlines about data breaches have become so commonplace that reaction to a massive theft of data one week is quickly overtaken the next week by accounts of an even more egregious security breakdown.

Hackers have stolen information from every type of organization—even three-letter government agencies once considered impenetrable. Throughout all of this, a useful lesson lies less in the notion that no one is immune and more in an important consideration: Security threats and their mitigation are a constant struggle involving not just cyber experts but everything and everyone that touches data. In 2018, one of the greatest gaps in data security lies in appreciating that security is an organizational problem that needs to combine technologies, practices, and policies at each level of the system, whether in enterprise IT or spread through a cloud-based IoT application.

Take data encryption for example. Developers recognize the fundamental need for cryptographic methods to ensure the integrity of data and metadata passed across networks and stored on hosts. Technologies such as elliptic curve cryptography have gained increased acceptance with their ability to provide the same level of security as older crypto approaches but with much shorter key lengths and faster solutions—important considerations for resource-constrained IoT devices. Yet, even the most robust crypto algorithm cannot ensure security without accompanying policies for ensuring the protection of crypto keys throughout the key life cycle, including key creation, device provisioning, and even key revocation.

Use of robust technologies, practices, and policies for cryptography are necessary for security but are by no means sufficient. The overall integrity of an application also requires assurance that data suppliers and consumers are authorized participants in the overall data workflow. This assurance takes the form of authentication protocols such as transport layer security, elliptic-curve Diffie–Hellman, and others in widespread use on the Internet and in web applications.

On the Web, authentication is typically limited to host authentication to assure users that they are in contact with the intended host. Although this one-sided authentication might be satisfactory for web applications, IoT applications typically require mutual authentication, where both IoT device and host each validate the identity of the other. Even so, developers need to combine authentication technologies with suitable practices. For example, authentication protocols might allow reuse of the same session key from session to session—a practice that exposes devices and hosts to man-in-the-middle attacks and session hijacking as recently documented by Carnegie Mellon University's Computer Emergency Response Team (CERT).

Proper encryption and authentication might still not be enough to ensure the validity of data generated by an IoT device, aggregated by an edge device, and eventually consumed by a cloud-based application. Bad actors can exploit device software update delays to install corrupted versions under their control. Thus, devices and hosts might be using recognized crypto keys and authentication practices but the software running on those systems might itself be untrustworthy.

Secure over-the-air (OTA) updates and secure boot methods are meant to protect against these attacks but vulnerabilities can exist at each layer of the software stack. Ideally, developers employ sufficient security measures to ensure the use of valid software at each layer of the underlying software, thereby creating a robust root of trust for all other security features, software applications, and data operations. In practice, however, building this root of trust can fall short in IoT implementations due to a combination of factors ranging from limited device resources for performing security operations to limited understanding of proper security development practices.

With its Device Identifier Composition Engine (DICE) specification, the Trusted Computing Group proposes a multi-phase approach that uses secrets associated with each phase of the boot process to create a root of trust even in resource-constrained devices. An emerging class of hardware devices already support DICE and work with complementary cloud services to help harden security.

Cryptography, authentication, and trusted devices can serve as key enablers for security. Improperly executed, however, those same factors can present additional threat surfaces. Indeed, the development and deployment of any smart device presents multiple threat surfaces, and more so when built into IoT applications. Few applications share the IoT's expansive development on separate communities of developers, technicians, and users. Each participant in the chain maintains a critical role in successful deployment and operation of these complex applications and holds responsibility for maintaining secure practices within their purview, including avoiding exposure to the social engineering-based attacks underlying the most infamous breaches.

The good news is that the industry is beginning to recognize the expansive and collaborative nature of system security. In its recent Security Manifesto, ARM calls for a shared sense of responsibility among technology users and providers alike for reducing the effectiveness of cybercriminals. In 2018, a deep appreciation of the implications of shared responsibility stands as a significant hurdle for achieving security. By approaching security as more than just a technological problem, the industry can begin creating an environment where bad actors find fewer opportunities for compromising securely connected systems.