IT security and Internet of Things
Guillaume Crinon, Technical Marketing Manager EMEA at Avnet Silica, talks about IoT security and how to make the world safe.
In the past 15 years, IT architects have successfully upgraded their security schemes from an all-wired-stationary desktop world to all-wireless-mobile laptop and smartphone fleets without compromising on security, and even improving it. The same thing will happen in the years to come when beyond laptops and smartphones we will connect many more machines and objects to application servers through networks.
We will first see a lot of Intranet-of-Things deployments in the industry, where corporations will focus on keeping full control of the flow, storage and processing of data produced by their own devices without opening them to the outside world. In such schemes, the main challenge of expanding a good security coverage to these devices will be to design security schemes complying with both IT and embedded hardware standards:
This is exactly what Avnet Silica is investing in, providing full security reference-designs encompassing:
- Secure elements with customizable security protocols
- Secure personalization services for making each secure element unique
- Embedded stacks using the secure elements
- Server code talking to the secure elements
What exactly can companies do to protect their digital assets and their smart devices?
I believe that the first thing for a corporation to do is to assess the level of protection they are looking for. Security is like insurance: some will consider they do not need any, some will go for the full coverage depending on what they are seeking to protect, the value and the potential cost of recovering from a breach in terms of image, intellectual property, competitive advantage, retrofitting etc.
The second rule is to strictly follow the rules. There is a safe path, and wandering away from it is always dangerous. Protecting oneself is all about reducing the risk of being attacked. It all has to do with probabilities: It is impossible to reach zero, but for a given level of security there is an optimum path which guarantees the lowest risk of a problem happening.
Minimizing the risk of a car accident would be following a checklist like this one: check tyres, adjust mirrors, fasten seatbelt, strictly follow the signs, traffic lights and driving rules.
Minimizing the risk of a plane accident requires a similar, but much longer checklist.
Minimizing the risk of a security breach in a connected objects system will be:
- Design for security from day one: no backdoors in software, no unnecessary test modes. You should always take a top-down approach to global architecture
- Use certified security components
- Use standardized cryptography primitives
- Apply standard security protocols
- Take advice from experts if necessary
- Never apply home-brewed solutions; they are less secure than a standard proofed by armies of specialists
Is privacy protection still a realistic goal in a totally networked world?
It is probably not a goal for many businesses who would love to make money out of private data collected in different ways. So the question I would ask would rather be “Is privacy protection still possible in a totally connected world?”
I tend to believe it is possible if people are careful enough to avoid behaviours and applications exposing their privacy, whereas many of these applications will try to trade cool services for personal data: Is five percent off worth giving away one’s personal details to a clothing brand?
We already rely a lot on our smartphones and some websites by confiding personal data to them like passwords we are too lazy to type or remember, credit card numbers, and so on.
All the connected objects, devices, machines around us promising to improve our lives, our efficiency and our well-being will not do it for free. They will ask for data in return and it will be up to each individual and corporation to recognize whom they want to trust for keeping their secrets secret.
What role will breach detection and forensic systems play in the future?
Very important, I suspect. It is said that most corporations being hacked do not realize it right away, and some never do. Being hacked in the life of a corporation is almost 100 percent certain, so the important thing beyond ensuring that the probability is kept to a minimum and everything is in place to ensure a proper recovery is to be able to detect a breach as soon as possible, so you can apply appropriate countermeasures.