Data-Centric Security for the Internet of Things
The Internet of Things (IoT) creates new, critical security challenges in the escalating fight against cyber-crime, in two key areas:
- Securing data from theft as it is generated, collected and analyzed
- Protecting IoT devices from potential use for physical attack
BIG DATA AND IOT—EXPANDED ECOSYSTEM EXPANDS SECURITY RISKS
Top use cases for data science and Big Data projects include real-time analytics for operational insights and centralized data acquisition or staging for other systems, so these projects can hold massive quantities of sensitive payment card, personally identifiable and protected health information (PCI, PII and PHI). These projects alone carry major risk, and now, with the advent of IoT, sensor data from devices adds to the sensitivity, the risk factors and the urgency.
The risk of data breach is high. The first step attackers take is to build a map laying out the network of the target organization to identify which systems are located where. Their goal is to set up mechanisms to acquire data over as long a run as possible and monetize it. When an enterprise builds a Big Data environment, the target has already done a lot of work for the attacker. With Big Data the enterprise has created a single collection location for the data assets the attackers are seeking.
While perimeter security is important, it is also increasingly insufficient. It takes, on average, over 200 days before a data breach is detected and fixed [1], leaving the most sensitive data assets exposed while attackers funnel data out of their target, with the scale of the breach growing every day.
With IoT connected devices, physical risk is added to the data breach risk. For example, there are Internet-connected devices that allow consumers to open and close the door to their homes from their cell phones. What prevents the attacker from doing the same thing? Imagine an HVAC system, gas appliance or medical device. If an attacker can control these systems, it becomes an attack on the individual, where the attacker can sit anywhere in the world. This is why everyone needs to be concerned about security in the IoT age.
With IoT devices there are multiple attack vectors, such as impersonation of the device user or of the service provider. These vectors can be protected against by the use of SSL technology, 2-factor authentication, and certificate pinning, so that the device only connects to a server whose SSL certificate matches certain expected criteria and can be trusted. IoT devices can be designed not to accept inbound connections directly, but rather to accept a request to “call me now” and then initiate the connection to the genuine service provider themselves. Device software security can be enabled through best practices in the application development process.
DATA-CENTRIC PROTECTION FROM THE DEVICE TO THE BIG DATA PLATFORM
To protect sensitive data assets, a new approach is needed—one that actually protects the data itself. Consider the most advanced payment security technologies to protect credit card data. Strong encryption is implemented inside the card reader to protect data as it enters this hardened device and before it ever gets to the Point-of-Sale (POS) terminal. Data passed from the card reader to the POS terminal is thus not usable by attackers.
A similar approach is needed in IoT. Since each device is different in terms of the data it collects and sends to the backend server, it is important to understand what data is sensitive. With that understood, it is a best practice to use data-centric, field-level encryption to protect individual data fields. This should be done through a special form of encryption referred to as Format-Preserving Encryption (FPE), implemented throughout the ecosystem—in the devices, the communications channels and the Big Data platform.
FPE is proven and in the process of being recognized by key standards bodies such as NIST (publication SP800-38G). It is a form of AES encryption that has been in use for some time—but unlike standard AES modes, whose output is a fixed-size block of seemingly random bytes, FPE encrypts the original value into something that looks like the original, so that, for example, a credit card number still looks like a credit card number. Sub-fields can be preserved in the clear so that the inherent value of this information is maintained for analytical purposes. Analytics can almost always be done with the protected data, securing sensitive data from both insider risk and external attack.
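To make the field-level, format-preserving idea concrete, here is an added Python example that is not from the article or from HPE's product: a simplified Feistel-based FPE over decimal strings (it has the same design shape as NIST FF1 from SP800-38G but is not that algorithm), used to protect a card number while leaving the issuer prefix and the last four digits in the clear for analytics. The key, the tweak labels and the card number are constructed sample values.

```python
import hmac
import hashlib

# Illustrative Feistel-style FPE over decimal digits. NOT the NIST FF1/FF3
# algorithms and not a production cipher; it shows why FPE output keeps the
# length, alphabet and preserved sub-fields of the input.
ROUNDS = 10  # even number of rounds so halves end in their original positions


def _round_value(key: bytes, tweak: bytes, rnd: int, half: str) -> int:
    """Round function: HMAC-SHA256 over tweak, round index and the current
    right half, read as a big integer (reduced mod 10**m by the caller)."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a numeric string into a numeric string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a numeric string of at least 2 digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # length of the half replaced this round
        c = (int(a) + _round_value(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)   # zfill keeps leading zeros, so length is stable
    return a + b


def fpe_decrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt_digits: run the Feistel rounds backwards."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_value(key, tweak, i, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Protect a 16-digit card number, preserving the first 6 (issuer) and
    last 4 digits so analytics and customer matching still work on them."""
    if not (pan.isdigit() and len(pan) == 16):
        raise ValueError("expected a 16-digit PAN")
    head, middle, tail = pan[:6], pan[6:12], pan[12:]
    tweak = b"pan:" + (head + tail).encode()  # binds ciphertext to the preserved context
    return head + fpe_encrypt_digits(key, tweak, middle) + tail


def unprotect_pan(key: bytes, protected: str) -> str:
    head, middle, tail = protected[:6], protected[6:12], protected[12:]
    return head + fpe_decrypt_digits(key, b"pan:" + (head + tail).encode(), middle) + tail
```

Only the six middle digits change, and they change into six digits, so the protected value still passes the same length and type checks as the original while the issuer prefix and last four remain queryable.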
The Internet of Things, with double-digit growth and billions of devices, creates great new opportunities but also new levels of risk for companies and consumers. Traditional security measures alone are not enough. Enterprises implementing IoT strategies need to apply a data-centric security solution end-to-end from the big data platform to the IoT infrastructure. Using FPE to encrypt data values on a field level, from the device to the infrastructure and remote control element, removes risk and enables protection against remote takeover of an IoT device—the biggest threat to IoT security.
[1] “Improve your data security and keep the hackers out”—Dick Bussiere, Tenable Network Security
About the Author:
Reiner Kappenberger is Global Product Manager (Big Data/Hadoop) at HPE Security – Data Security, with over 20 years of computer software industry experience focusing on encryption and security for Big Data environments. His background ranges from device management in the telecommunications sector to GIS and database systems. He holds a Diploma from the FH Regensburg, Germany in computer science.
Recent articles and comments on IoT and Big Data by Reiner:
Protecting Your Data against Cyber Attacks in Big Data Environments – Authored article in ISSA Journal, Feb 2016
Rethinking Data Center Security – Comments in The New IP article, Jan 2016
Nissan Leaf app deactivated because it’s hackable – Comments USA Today article, Feb 2016
Are connected cars safe? World’s best-selling electric vehicle, Nissan Leaf, is hacked – Comments in Tech Digest article, Feb 2016
5 encryption myths that are putting your data at risk – Comments in HPE Business Insights, Dec 2015
Upcoming IoT Webinar:
Data Engineering for the Internet of Things – learn about successful approaches to building and managing a data supply chain that can create business value from the Internet of Things. Reiner Kappenberger will be part of the Database Trends and Applications round table in this special webinar March 24. Register Here: