When it comes to worries about security of IoT data in the cloud, the sky’s the limit.
That was the inescapable consensus of a LiveWorx roundtable among industry representatives concerned about legal, national-security, financial, and seemingly countless other problems connected with protecting stored and potentially sensitive information.
There was one other clear conclusion: Given the enormous potential and momentum of the Internet of Things, there’s no choice but to address it.
“The benefits are clearly there, so security is something we have to pay attention to, we have to invest in. But we’re moving ahead,” said Rob Leavitt, director of thought leadership at PTC.
“The security challenge for IoT in the cloud is enormous and growing,” Leavitt said. “The scale of what we’re dealing with is getting much larger very, very quickly. It’s easy to get alarmist about this.”
Participants said they fret about what role government will play by regulating, inspecting, and supporting IoT systems, for example—and whether different regulations, imposed by different governments, will be at odds.
They talked about accountability for software altered by a client—a cell phone carrier that adds its own features to the software already embedded in a smartphone, for example—and who ultimately has access to and owns data.
They lose sleep over which partner in a supply chain is responsible for safeguarding collected data, especially because that chain gets hard to follow as it stretches farther and farther around the world. Some recent high-profile data breaches involved third-party vendors; hackers who stole access to 40 million debit and credit card numbers from Target in 2013, for instance, turned out to have gotten into the network through an HVAC contractor working at the stores.
“How do you assure that your partners and your partners’ partners, as you continue to add to that supply chain, are following the right kinds of policies and procedures?” asked John Sorel, security and compliance manager at PTC Cloud Services.
Security concerns in the otherwise giddy world of IoT have become “the wet blanket at the party,” Leavitt said. “Every day we see problematic examples. But the reality is we’re not starting from scratch. This is not all new. We’ve been working in the cloud for many years. We’ve been ensuring security in the cloud for many years. We know what the issues are. We have a lot to build on.”
That doesn’t make things easy.
The complexity of protecting data in the cloud is about “the volume, the scale of what we’re now looking at in IoT, and the complexity of the infrastructures we’re all building and we’re all becoming a part of” in “a far more diverse landscape of different kinds of systems, applications, devices, types of connectivity, and many more players involved that we now need to bring into a more secure environment.”
For example, medical records and devices fall under the restrictions of the federal Health Insurance Portability and Accountability Act, or HIPAA, which imposes fines for unauthorized exposure of PHI, or protected health information. PII, or personally identifiable information, is subject to U.S. privacy laws and in some cases can’t legally be transmitted across some borders. Some rogue states are high risk for cloud security.
The potential of financial payoffs from IoT technology, combined with the threat of financial penalties for violations, is likely to drive new attention to security, the roundtable participants agreed.
“The sheer magnitude of the demand will force them to a whole new level of compliance and liability,” said Leavitt.
One way to reach that new level, some people in the session said, was to find the greatest vulnerability among connected products.
“They’re all looking for the weakest link,” Sorel said of hackers. “They’re probably going to start with the end device. They need an attack point to get in there.”
He echoed what other experts have been telling audiences at LiveWorx: that security starts with design.
“What you need, and a lot of companies don’t do this, is to build the security right into the development process,” Sorel said.
One problem with this is that the engineers designing products aren’t necessarily information technology people, and the information technology people aren’t security specialists. Finding employees with those skills is one of the looming challenges of IoT, other speakers this week have warned.
Then suppliers need to set up detection and mitigation measures.
They need to “know when it’s happening and what to do about it,” Leavitt said. “You can make a better customer by how you respond to a problem.”
People at the session said they expect industry associations to come up with best practices guidelines for IoT security. So might government agencies, such as the Food and Drug Administration.
That red tape could do more harm than good, some said.
“I wish somehow we could consolidate those,” Sorel said.
He and others also said that it’s important to look for help in one other key place: the cloud itself.
“Look at your cloud provider,” he said. “They’re the ones who are ultimately protecting your data. Who has access to your data once it’s in the cloud?”
And, in the worst case, he said, “Always have a strategy to get out of the cloud. Make sure you can pull that data out and continue on.”