A method to the madness: How to think about security and privacy for IoT
As we enter a new year, one in which IoT is expected to continue its explosive adoption trend, it is important to stay mindful of the basic tenets of building and deploying connected devices in ways that address both security and privacy. It is also important to keep in mind that these are distinct concepts, even though they are often conflated: Privacy is the decision about who can and cannot access data, while security is the assurance that those access decisions are actually enforced.
Here are some practical and implementable actions that both manufacturers and purchasers of connected devices can follow in an effort to deploy resilient systems. It is imperative, however, to keep in mind that the security architecture around your device will be very much dependent on your use case, and those unique aspects should heavily influence all decision-making you do around both security and privacy.
Security: Ways of thinking
The most effective security model around any given device or architecture will depend heavily on the use case. In that vein, what follows is a set of methods for approaching security rather than a prescriptive framework. Buyers and vendors that work through the domains below should be well placed to deploy an IoT strategy that accounts for security; this article refers to such organizations as effective security organizations.
1. Think strategically
First and foremost, effective security organizations understand that being effective requires strategy, and that strategy then informs tactical execution. To pursue this mindset, effective organizations should consider a collection of concepts that support thinking strategically about security.
a. Adopt a security mission
Effective security starts with making it a priority. While this sounds simple in concept, it is often very difficult in practice. Historically, the most successful security organizations are defined by executive buy-in to a well-articulated, well-defined, well-communicated security mission. Effective security organizations define the purpose behind why security matters to them, what they do to pursue those objectives and how they pursue the mission.
Contrary to conventional wisdom, effective security is not achieved solely through a collection of products, or by satisfying only the basics of some compliance framework. Rather, security is a combination of people, process and products, all strategically resourced and deployed in the context of a security mission.
To be effective in this domain, organizations should:
- Define why security matters to the unique needs and conditions of the organization,
- Obtain executive buy-in about the security mission, and
- Develop and execute a communication plan to ensure that the highest levels, lowest levels, and all levels in between have a common understanding of the security mission.
b. Be your security champion
Effective security is essentially an exercise in advocacy. Security is hard to see, touch or feel; it is most often noticed only by its absence, for example when a breach results from a lack of effective security. In that vein, effective security organizations designate at least one person, and in the best cases many people, to serve as the champion for security in the organization. This individual or team advocates for the security mission, ensuring that it is integrated into all aspects of decision making across the organization.
To be effective in this domain, organizations should:
- Empower a person or group to advocate for the security mission,
- Ensure that the champion has adequate support, executive visibility and influence to drive meaningful impact, and
- Make security the champion's top priority, rather than one that competes with other, conflicting responsibilities.
c. Define risk
Risk is the combination of likelihood, which covers both attacker motivation and ease of success, and impact in the event of an adverse outcome. Risk should be defined, measured and mitigated, with the acceptance that it will never be eliminated. Once an organization accurately understands its risk, it can make business decisions about how to allocate resources to reduce it.
To be effective in this domain, organizations should:
- Define attacker motivation, as it would be relevant to their organization,
- Define ease of attack success, as it would be relevant to their organization,
- Define impact to business in the event of a successful attack, as it would pertain to their organization,
- Determine how to measure and reevaluate all of the above continually over time, and
- Define a mitigation strategy to acknowledge acceptable risk and reduce unacceptable risk.
d. Allocate appropriate resources
Like marketing, sales, human resources, accounting and legal, security is a core business discipline. Accordingly, appropriate cost-benefit tradeoffs should be considered when allocating resources toward effectiveness in this domain. Ineffective security organizations see security as a cost to be minimized and attempt to survive by doing the bare minimum, while effective security organizations recognize that it requires investment of manpower and financial resources. It should be noted, however, that there is a point of diminishing returns, after which additional investment in security will not deliver correspondingly higher returns in effectiveness. Appropriate, rather than maximal, resource allocation is the goal.
To be effective in this domain, organizations should:
- Define what success looks like to the unique situation of the organization,
- Quantify the manpower and financial investments it would require to arrive at success, and
- Make informed, business-case tradeoffs about what to allocate and what to cut, in pursuit of the desired success outcomes as related to security effectiveness.
e. Plan for future
Technology evolves, market conditions change and attackers innovate. As such, effective organizations consider security in a future context, thinking about how to adapt the security posture over time. IoT introduces particularly notable future-state conditions, as many IoT technologies are not designed to be supported or updated by the vendor, but rather by the buyer. In either model (vendor-supported or buyer-supported), effective security organizations understand that bugs will be discovered, security vulnerabilities will be published and attackers will evolve. Thus, effective security organizations make it easy to receive bug and vulnerability reports, and have both a plan and a mechanism for updates.
To be effective in this domain, organizations should:
- Plan for how to remedy security issues unknown today but that could be relevant in the years to come,
- Implement an easy to use update mechanism across all deployed systems, and
- Empower users and security researchers with an easy communication channel to disclose security flaws, monitored by a human at the vendor who can triage and address them.
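An update mechanism is only as good as the device's ability to reject updates it should not install. The following is an added example, not code from the original article, showing the three checks a device-side updater should perform before applying an image: authenticity of the update manifest, anti-rollback on the version number, and integrity of the image against the signed digest. For the sake of running on the Python standard library alone it uses an HMAC with a constructed shared key; that choice is an assumption of this example, and in production a device should hold only a public key (for example Ed25519) so that extracting one device's key cannot be used to forge updates for the fleet.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo key. Assumption of this example only: a real device should
# hold a public verification key, not a shared secret that can also sign.
UPDATE_KEY = b"constructed-demo-key-not-for-production"


def sign_manifest(manifest: dict, key: bytes = UPDATE_KEY) -> str:
    """Vendor side: tag the canonical JSON encoding of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_update(version: int, image: bytes, key: bytes = UPDATE_KEY) -> dict:
    """Vendor side: package an image with a signed manifest describing it."""
    manifest = {
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest, key), "image": image.hex()}


def verify_update(update: dict, installed_version: int, key: bytes = UPDATE_KEY) -> Tuple[bool, str]:
    """Device side: accept only an authentic, newer, intact image.

    Returns (accepted, reason). The checks are ordered so that nothing about the
    image is trusted until the manifest describing it has been authenticated.
    """
    manifest = update.get("manifest", {})

    # 1. Authenticity: constant-time comparison so the check itself does not leak.
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, str(update.get("signature", ""))):
        return False, "bad signature"

    # 2. Anti-rollback: never accept an older or equal version, even if it is
    #    validly signed, since attackers reinstall old images to reopen fixed bugs.
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return False, "rollback rejected"

    # 3. Integrity: the image must match the size and digest the signed manifest commits to.
    try:
        image = bytes.fromhex(update.get("image", ""))
    except ValueError:
        return False, "image does not match manifest"
    if len(image) != manifest.get("size") or hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return False, "image does not match manifest"

    return True, "ok"


if __name__ == "__main__":
    installed = 1
    print(verify_update(build_update(2, b"firmware v2"), installed))   # (True, 'ok')
    print(verify_update(build_update(1, b"firmware v1"), installed))   # rollback rejected
    tampered = build_update(3, b"firmware v3")
    tampered["image"] = b"something else".hex()
    print(verify_update(tampered, installed))                           # image does not match manifest
```

The order of checks matters: version and digest are read from the manifest only after the manifest's signature has been verified, so an attacker who can modify an update in transit cannot influence either decision. The same structure carries over unchanged when the HMAC is replaced by an asymmetric signature.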
2. Adopt an adversarial perspective
To defend against the attacker, you must think like the attacker. Effective security organizations recognize this truism and attempt to apply it in a handful of ways.
a. Understand your threat model
No system is ever going to be completely resilient against every attacker and every attack. However, by focusing on the adversaries an organization is most concerned with, the assets it wishes to protect and the attack surfaces through which an adversary would reach those assets, organizations can design and deploy security programs that are more effective against the threats that matter most. Threat modeling is the exercise through which effective security organizations define those assets, adversaries and attack surfaces in order to focus their defenses.
To be effective in this domain, organizations should:
- Define the assets to protect,
- Define the adversaries to defend against,
- Define the attack surfaces, and the abuse and misuse cases an adversary could run against them,
- Communicate the threat model across all internal and external stakeholders, and
- Update the threat model frequently.
b. Understand your trust model
The complement of the threat model, a trust model is an exercise through which an organization defines whom it trusts, why it trusts that party and how trust is provisioned and validated. All organizations must be able to trust certain internal and external parties in order to execute on business and functional needs; the trust model lets the organization do so while adequately understanding and mitigating the risk that comes with granting such trust.
To be effective in this domain, organizations should:
- Define who you trust,
- Define why you trust that party, and
- Outline a process for provisioning trust, including how authentication, authorization and access control are performed, and how privileges are revoked.
c. Understand how modern adversaries operate
Most organizations still adopt security models built on the premise of keeping attackers outside a rigid perimeter. However, the concept of a defined perimeter is outdated, and modern adversaries typically do not attack perimeter defenses directly. Instead, they attempt to exploit trust and access in the supply chain through stepping-stone attacks: compromising a vendor, integration or lower-value device and then using its legitimate access to reach the real target. This is a notoriously effective attack model in an IoT context, where trust between devices, hubs and cloud services tends to be overly permissive, which in turn unwittingly enables such attack vectors. Effective security organizations understand this attack model and implement defense mechanisms accordingly.
To be effective in this domain, organizations should:
- Consider stepping stone attack methodologies,
- Review integrations for potential harm in event of successful exploitation of third-party trust and/or access, and
- Perform effective security assessments.
d. Perform security assessments best aligned with your goals
Most, if not all, organizations should pursue security assessments to find security flaws, which should then be remediated. Implicit in this is that organizations must also understand what they want to accomplish with a security assessment and why that matters. For some organizations, a commodity-level, automated vulnerability scan will be sufficient for their needs. For others, more thorough approaches, such as manual white-box security assessments, will be more appropriate. Effective organizations understand the distinction and apply the appropriate methodology accordingly.
To be effective in this domain, organizations should:
- Define objectives for security assessment, in accordance with their defined threat model and trust model;
- Understand that different methodologies are best suited for different objectives and their correlating outcomes;
- Vet partners for security pedigree, including contributions to security research, talks and technical capabilities; and
- Invest appropriate financial and manpower resources.
e. Understand the role of compliance
Most organizations are likely to face some element of a compliance framework somewhere across their own organizational needs or the needs of their customers. Depending on the framework, compliance typically does an adequate job of establishing the baseline requirements for the foundation of a security program. However, compliance should not be seen as the entire security program unto itself. Effective security organizations recognize the role of compliance as being important to satisfying stakeholder needs, but will go beyond the outlined minimum if delivering a robust security posture is important.
To be effective in this domain, organizations should:
- Identify which compliance frameworks are important to the organization and why;
- Define what a successful outcome of the security model looks like; and
- Define the delta between compliance and the desired outcome, and mobilize accordingly.
Privacy: Ways of thinking
Merriam Webster Dictionary defines privacy as “freedom from intrusion,” yet in a modern context the term has really come to mean the decision by individuals about who has access to their data, a concept around which regulators and activists are rallying. To best protect both end users and the companies that accumulate their data, privacy should be considered from the outset, so that well-reasoned privacy decisions are integrated into all subsequent business decisions. Here are a handful of strategies for how to think about privacy in an IoT context:
1. Consider privacy a leadership issue
As with any domain across the business, what the executive leadership prioritizes is what flourishes. From the standpoint of the marketplace, the industry and, in many cases, regulators, a well-designed approach to privacy is an expectation for leaders to deliver. Well-defined privacy policies are core to an organization making strategic business decisions that protect customers and do not unnecessarily expose the company to risk.
To be effective in this domain, organizations should:
- Engage senior management in developing a privacy approach,
- Create a plan for how to design and implement privacy,
- Establish a way to measure success,
- Educate and continually train your employees, and
- Institute oversight of privacy policy.
2. Consider data collection
Organizations benefit from various types of data that can be collected from their customers and users, including by discovering emerging trends, better serving the customer and uncovering new revenue streams. However, collecting data brings risk: regulatory exposure in some cases and brand damage in others. As such, organizations should think carefully about the kinds of data they want to collect and why, and make informed decisions weighing the value of collecting the data against the potential reputational and financial impact of a later privacy violation that results from possessing it.
To be effective in this domain, organizations should:
- Clearly inform the individuals about the purpose for which data will be collected, used or disclosed and obtain their consent in writing;
- Provide choice. The best model is to require individuals to opt in before their data is collected, but at a minimum offer them the ability to opt out;
- If you collect personal data from third parties, ensure the third party has obtained consent from the individuals to disclose it for your intended purpose; and
- Identify what kind of and how much personal information your organization handles.
3. Consider data usage
Once an organization possesses data, the organization now must consider how it will use that data and how it will safeguard the data. To ensure the latter, organizations should consider the many elements introduced previously in this analysis pertaining to security. To ensure the former, organizations should have a well-defined approach to data usage that considers how to best achieve the desired outcome of obtaining and using the data in consideration of the potential risks that such data usage introduce.
To be effective in this domain, organizations should:
- Use personal data only for the purposes for which consent to collect it was obtained;
- Obtain new and separate written consent for any change in how the personal data collected is used or disclosed;
- From legal, regulatory and common-sense industry perception standpoints, understand your organization’s obligations and risks as they pertain to how you intend to use the data collected; and
- Ensure that a formal procedure is in place to handle requests for access to personal data, covering the purpose of each request, an evaluation of the requester's data security measures, storage locations, access rights (individuals and other companies) and disposal mechanisms.
Call to action
IoT is often considered to be such an innovative and disruptive technology migration that many consider it to be something completely new, like nothing ever seen before. In some ways, that is true — at least from an innovation perspective. But from a security perspective, and from a privacy perspective, the challenges that IoT vendors and buyers face are the same that have afflicted the many technology migrations that have preceded IoT. Hopefully by considering some of the approaches outlined in this article, buyers and vendors can best address these challenges to ensure that IoT is adopted in a manner that effectively integrates attack resiliency and privacy protections.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.