Security for the Internet of Things

There is a great deal of buzz about the Internet of Things (IoT) these days, as the concept of ubiquitous computing promises to deliver capabilities to connect our lives with everything. Even though the possibilities are endless, there are concerns about security. Scrutiny in the information security space is a healthy thing for any industry, and the technological capabilities of the IoT have already been seen in small-scale deployments for years now. So it will be beneficial for the IoT to get more attention, in order to mold innovative capabilities into something that has standards and frameworks and to help drive this connectedness responsibly. The hype around benefits and drawbacks can help to speed up standards that include security as an important consideration in new architectures like the IoT.

All the attention can also open discussion to expose the fear, uncertainty, and doubt (FUD) that can at times restrain innovation in computing solutions. Security, or the perceived lack of it, can be one of the biggest detractors from adoption of new paradigms because of FUD. The considerations for functional use cases must include non-functional requirements such as quality, security, and performance as part of the equation. Interestingly, new computing capabilities like Cloud or BYOD have been introduced with similar concerns about protection. Subsequently, different types of security advances have been introduced that improved capabilities and, in some cases, added to the layers of security and increased assurance levels.

The most important consideration in information security is the sensitivity or classification of the data. Other factors that become part of the equation include how the data is “processed”, where the data is going or how it will be stored. Properly classifying the type of data and determining the acceptable assurance levels help to define appropriate security controls that allow the data to be processed securely throughout its life cycle, from inception to its end of life.


As with any computing solution, security requirements should be part of the design and defined as part of the requirements. Processing information of a sensitive classification will need appropriate security mechanisms, which can be integrated into the design based on the levels of protection necessary. In many cases with the IoT, physical data points such as temperature, humidity, vibration, or sound decibels could be the non-sensitive information collected from the endpoint, and with proper analysis could help improve industries and create smart agriculture or smart air quality solutions.

In Francis daCosta's "Rethinking the Internet of Things: A Scalable Approach to Connecting Everything", a perspective is presented that most IoT endpoint devices will be conveyors of very small pieces (chirps) of non-sensitive information from a physical setting that will only become interesting through analysis once aggregated into larger sets. One misconception of the IoT is that IP-based protocols can be used for all end-to-end communication, or that IPv6 will be used as the common address space to connect the massive number of IoT devices. But the practical assertion is that even IPv6 does not scale in addressable space to the billions of endpoint connections expected in the IoT, nor will it provide the low-cost memory space or low bandwidth requirements of such small, insignificant chirps to and from these IoT devices.

There are forecasts that extend into the billions of these episodic, or loosely connected, devices comprising the IoT. Endpoint connections in the IoT will likely use different protocols such as Bluetooth, infrared, radio signals, and line-of-sight, many of which are widely used today to control, or send and receive information to and from, smarter, Internet-connected devices. Other types of communication may take precedence, such as the wireless sensor network (WSN), which consists of spatially distributed autonomous sensors that can be used to monitor physical or environmental conditions. Their data will need to be passed on through a network or the Internet to a centralized location, which could be in the cloud. Therefore, gateways that translate endpoint communications into IP packets would be essential to providing the necessary control and security. Endpoint devices that communicate over non-IP protocols could be considered to sit behind a layer of inherent security through protocol isolation, as they would be invisible in the IP addressable space. For those endpoint connections that collect or distribute information of a more sensitive nature, it could be necessary to build secure and reliable communication directly into the endpoint, which would demand more powerful processing capabilities.

Getting the information into larger collections will be one of the purposes of an Intelligent Gateway, which could be used to wrap a collection of messages into IP packets so that the tiny bits of information collected from multiple endpoints can transfer to some kind of Integrator function offering intelligent analysis, control, and maybe an interaction mechanism to the IoT. With these Intelligent Gateways, communication to and from IoT endpoints can allow for filtering to help determine which data to save and which to send to the cloud, with greater assurance levels through the isolation of encrypted channels. These innovations are just the beginning, but they offer product manufacturers more options for a standard set of devices within a price point that allows scalability to upgrade to more powerful intelligent gateways when needed. Additionally, manufacturers will have the opportunity to innovate new ideas without the difficulty and expense of building the IoT solution from the ground up.
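
A sketch of the gateway role described above, added here as an illustration and not taken from the article or from daCosta's book: it validates chirps arriving from non-IP endpoints, decides which readings to keep locally and which to forward, and wraps the forwarded batch for the IP side. The 6-byte chirp layout, the endpoint allowlist, the forwarding threshold, and the HMAC tag on the batch are all assumptions made for the example; the encrypted channel to the cloud is not shown.

```python
import hashlib, hmac, json, struct

# Hypothetical 6-byte chirp: endpoint id (uint16), sensor type (uint8),
# sequence (uint8), reading in tenths of a unit (int16), big-endian.
CHIRP = struct.Struct(">HBBh")
SENSORS = {1: ("temperature_c", -400, 850), 2: ("humidity_pct", 0, 1000)}
KNOWN_ENDPOINTS = {0x0101, 0x0102}    # constructed allowlist of paired endpoints
FORWARD_AT = {"temperature_c": 40.0}  # constructed policy: send to cloud at/above this
KEY = b"constructed-demo-key"         # placeholder; provision a real per-gateway secret

def parse_chirp(frame):
    """Return a reading dict, or None for malformed, unknown or implausible chirps."""
    if len(frame) != CHIRP.size:
        return None
    endpoint, stype, seq, raw = CHIRP.unpack(frame)
    if endpoint not in KNOWN_ENDPOINTS or stype not in SENSORS:
        return None
    name, lo, hi = SENSORS[stype]
    if not lo <= raw <= hi:
        return None
    return {"endpoint": endpoint, "sensor": name, "seq": seq, "value": raw / 10}

def route(frames):
    """Split frames into (forward_to_cloud, keep_local, dropped_count)."""
    forward, local, dropped = [], [], 0
    for frame in frames:
        reading = parse_chirp(frame)
        if reading is None:
            dropped += 1
        elif reading["value"] >= FORWARD_AT.get(reading["sensor"], float("inf")):
            forward.append(reading)
        else:
            local.append(reading)
    return forward, local, dropped

def wrap_batch(readings, key=KEY):
    """Serialize a batch for the IP side and tag it so the integrator can verify it."""
    body = json.dumps(readings, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_batch(envelope, key=KEY):
    """Integrator side: return the readings, or None if the tag does not match."""
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(expected, envelope["tag"])
    return json.loads(envelope["body"]) if ok else None

SAMPLE = [CHIRP.pack(0x0101, 1, 7, 215), CHIRP.pack(0x0102, 1, 8, 431),
          CHIRP.pack(0x0999, 1, 1, 200), CHIRP.pack(0x0101, 2, 9, 1500),
          b"\x01\x01\x01", CHIRP.pack(0x0101, 2, 10, 455)]  # constructed frames
```

Because the endpoints never appear in the IP address space, the gateway is the single place where unknown senders and implausible readings can be dropped before anything reaches the cloud.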

See previous content from Andy_Good