Sponsored by Oracle

Research Report: Addressing Security Concerns for Connected Devices in the Internet of Things Era
Introduction

The Internet of Things (IoT) and the rise of a machine-to-machine (M2M) ecosystem have been long anticipated. As this ecosystem converges with major trends like cloud computing and big data, businesses need to be prepared to securely address the new wave of connected intelligent devices and protect the data that comes with them.

To help better understand the realities of security in this coming wave, Beecham Research has analyzed the relevant results of its recent research survey, conducted for Oracle, of the M2M/IoT market. This analysis of security concerns and methods for the IoT era is enhanced by additional recent studies that Beecham Research has been executing, and focuses on some key points:

- How important is a systems approach in securing any IoT program?
- How are the latest principles of security for IoT affecting program successes?
- What are the best practices in strongly securing devices, data, identity and more?
- If innovation is key to differentiation, how do you deliver innovation without compromising on security, which is often paramount?
- What are the impacts on device manufacturers and ISVs? More cost or more opportunity?

About Survey Respondents

These types of questions required respondents to have detailed knowledge of and experience with the M2M/IoT market, with a particular focus on the connected devices themselves and the expected trends for those devices. As a result, the survey was aimed at market players rather than enterprise users.

Responses from 193 market players were received over a 10 day period. The breakdown of their business unit's primary role in the M2M/IoT market was as follows:

[Figure: Business Unit Primary Role in M2M/IoT. Source: Beecham Research]

At 41% of the total, there was a particular focus on Product Design/Manufacture, and this was made up of a combination of products running user applications and communication hardware devices used for the network connection.
In addition, there was good representation from Service Providers (12%), ISV/Application Developers (19%) and Solution Providers/Integrators (17%). Network Operators (9%) are an essential part of the connected devices market and were also represented.

In view of the more technical nature of the research objectives, the split between Technical (62%) and Business (38%) roles of the respondents themselves was weighted towards technical but with a suitable business input.

A further parameter of interest was the key regional markets served by respondents' business units. The largest score for this was Europe, followed closely by North America. Asia-Pacific also scored more than 50% of the vote.

These findings about security from the survey were presented and discussed in a webinar on November 12, 2013. Follow this link to access the recording of the webinar. This white paper is intended to accompany the webinar and to summarize the key points on the role of security.

Copyright 2012-2013 Beecham Research Ltd. All rights reserved. http://beechamresearch.com
Top Requirements for Connected Devices Projects

The first key question put to respondents asked them to select their top two requirements for projects involving applications embedded in connected devices at the network edge. These were as follows:

[Figure: Top Requirements for Connected Devices Projects. Bar chart, scale 0% to 60%, with the categories Security; Flexibility - Device use across Sectors; Cost - Bill of Material; New value-adding Services; Reliability/Time in-market; Time to Market; Developer Ecosystem. Source: Beecham Research]

In line with other recent surveys, security was seen as the top requirement. Security has rapidly gained in importance in the market over the last two years as companies begin to use their M2M/IoT solutions for business-critical activities and to share M2M/IoT data more widely across the enterprise.

Security Needs & Threats

There is a growing trend of increased and more widespread threats to security throughout the M2M/IoT ecosystem. In the device domain, the attacks on embedded devices include installation of malware and stealing of sensitive data. Recent examples of security breaches at the device level in the automotive sector have ranged from vehicle odometer fraud, to remote vehicle control, to location tracking.

Security needs are often classified into the three separate domains of Devices, Networks and Services. This separation helps ecosystem players to understand where their security needs are emerging from and to categorize many of the threats to their operations. There are interplays between these domains across the various trust boundaries and these interplays also need to be considered.

In the network domain, connected devices are already subject to eavesdropping of network traffic and identity spoofing of the devices and related servers. Beecham have seen use of the well-known SQL injection types of attacks in M2M/IoT networks, where wireless connections have been exploited to prompt databases to expose secrets.
Data attacks that aim to abuse business logic are proliferating in the services domain. Threats include the subversion of maintenance interfaces for systems of connected devices to gain control, gain information or deny service.

Oracle has a holistic view of security generally and multiple touch points across the supply chain. There is device security, from small sensors out on the edge to gateways. There is network security: what is being transported over the network. There are also the services or applications that run on the devices and may in part also run on the back end. The interplay between security issues in devices, networks and services needs to be evaluated across trust boundaries. Looking at topology and deployment, there is a need to secure data from enterprise data centers, across networks, and right out to the edge.
Systems Approach To Security

Securing IoT programs is recognized to be a complex activity requiring a Systems Approach, even by those focused on a limited area of the supply chain. However, the IoT security supply chain spans areas from the heart of the connected device, in hardware protection, through to embedded applications, via many layers to integration with Enterprise IT Systems.

[Figure. Source: Beecham Research]

One driver for that systems approach throughout the security supply chain is the increasing need to match the requirements of the business, the verticals and the M2M/IoT business models. Isolated solutions customized for a limited area of the supply chain run the risk of creating a mismatch with those needs. Collaborations enabling the systems approach to security, such as those between Enterprise IT experts and embedded device developers, are proving valuable to the delivery of balance between the elements of security.

As another aspect of the systems approach, it is increasingly common for M2M/IoT programs to be implemented using an end-to-end security approach. This helps ensure that the solutions move beyond just the required balance between elements of security. It also ensures secure interactions at the boundaries between sections of the overall M2M/IoT supply chain.

M2M/IoT brings new challenges to everyone in the value chain. For device and API security it is critical to strengthen security with device fingerprinting and device context-based authentication and authorization. This can mean that before devices communicate with a backend service they need to be securely authenticated, often without requiring any human intervention. Enterprises can improve their compliance and lower their TCO by extending their existing access and identity management services to embedded devices. Risk mitigation and analysis is also a challenge for organizations developing their IoT strategy.
Oracle's approach to risk mitigation and management applies from the edge to the enterprise, enabling comprehensive security solutions across all 3 domains.

Organizations need to consider identity federation and social integration. As this covers services on M2M/IoT platforms, there is also a need to consider the integration and impact of social data (such as Twitter, Facebook) that will also be integrated into devices and IoT services. Identity authentication must extend to third party applications, which will either feed on information from the devices and/or send messages to the devices.
Latest Security Principles & Defending Devices

A few key principles of security are affecting M2M/IoT program successes. Right-sizing of security capabilities is gaining a central role, to address the threats but also to control costs and the viability of the M2M/IoT business model. Thought leaders are recognizing the need to balance applications security and protect the various internal and external security boundaries.

Best Practices for Strongly Securing IoT Solutions

This survey and other recent studies by Beecham Research have investigated best practices in strongly securing devices, data, identity and more. Focusing on the use of Smart Cards and SIMs reveals a history of connected devices success in this area.

The use of such technologies is now extending, as new directions for security are taken in M2M/IoT. The expansion to wider protection at both application platform level and at the embedded systems level is a strong trend. Such extensions of security include support for secure updates, changes of connections etc. for high volumes of devices and their connections. These capabilities enable the setting of trust contracts that are maintained. One technology that is a promising enabler for the future is the range of embedded Secure Element (eSE) solutions.

In our survey the expectation that security in edge devices would increase over the next few years was supported by 74% of the respondents, with only 10% believing it would not. This reflects the growing concern about tamper-proofing of devices.

[Figure: survey responses on whether security in edge devices will increase. Yes 74%, No 10%, Don't Know 16%. Source: Beecham Research]

Regarding tamper-proofing of devices, there is a need to ensure that attackers cannot change functionalities, reboot the system, or have access to flash memory. Other concerns include preventing them from installing malware on devices and signing application code. It is essential to protect data at rest against theft through disclosure, or modification.
From a hardware point of view there are some more difficult threats that the industry will be looking closely at:

- Can someone change the device or limit access by either over or under delivering voltage to the device?
- Can they power on or power off something remotely?
- Using parameters that are outside the control of the device to change it, such as changing its temperature.

One key feature of strong security protection, the need for identity management associated with connected devices at the network edge, was seen by the overwhelming majority of surveyed organizations as being necessary. An increase is expected by 94%, with no answers indicating any decrease.

Our research has identified an increasing need for protection of personal information in M2M/IoT solutions. We are seeing early moves towards M2M/IoT adoption of connected consumers and the related needs to defend consumer data, identity and privacy.

On the network side, Oracle believes that non-repudiation is key, making absolutely sure that the devices that are trying to connect and communicate should be doing so, using methods like mutual authentication, the use of digital signatures, and identity authentication. Oracle also recognizes the need for protection of the data in motion over the Internet, ensuring that it cannot be accessed or modified by unauthorized users. And the protections that are required for normal IP network security issues, like man-in-the-middle attacks, apply to IoT systems as well.

On the services side, Oracle examines the different threats and then how those can be addressed. One example is business logic, where the device is required to behave in a certain way and execute the code and the commands that were programmed in. Through the use of monitoring and logging in Java, you can make sure that devices are actually working as expected. There is also an ability to do after-the-fact analysis and troubleshooting of failures and crashes. Availability is also critical.
Customers expect that the services are always available and are able to provide the function on demand. You may not consider these things from a security perspective, but clustering, performance and heuristics, which enable an application and a service on a device to run 24x7 or meet the designed SLA, are important. If there is a threat that brings that service down, there is a need to ensure that service will run elsewhere in parallel, and that there is a fail-over to another device.

Innovation Without Security Compromise

Innovation is seen by many as the key to differentiation in the M2M/IoT ecosystem. Delivering the necessary security in the current growth phase, where innovations of M2M/IoT devices and services are accelerating, brings challenges. Both M2M/IoT device manufacturers and service providers need an easier route to secure solutions.

Adopting development environments that deliver security by default and moving away from potentially insecure native developments can deliver many of those required results. Capabilities such as the Java sandbox and the related execution in a controlled environment are leading examples of this. Implementing device and client specific security policies, such as those available in Oracle's Java ME Embedded, is of immediate interest to current M2M/IoT market players for defense against malware compromises between apps. Such embedded capabilities are also valuable for security in future M2M/IoT multi-tenancy scenarios.

These types of integrated embedded security capabilities are a clear market trend, not least in the security strategies of device enablers such as ARM Holdings. Additionally, there is also the example of the One Box IoT gateway platform from Freescale that features Oracle's Java Embedded software.

These features contribute to developers having the ability to increase the security level or reduce the amount of custom implementation or integration that they have to do themselves. One key advantage is that this is not an all or nothing model: it is possible to pick and choose the things that are applicable or are convenient to use with Java, with the use increasing over time. They are not mutually exclusive. Take secure socket support as an example.
PKI based communications support between devices and services is available with Java out of the box. Signed software is another example. JAR signatures protect the software, so that it is and remains as the developer intended. A further example is the verifiable code feature, which enables debugging of the code and understanding problems prior to putting that code into production.

Just having standard communications methods built into the software has relevant advantages. For example, the support for RESTful services and JAX-RS is integration available in the Java platform. The developer not having to implement this themselves reduces the chances of getting it wrong or introducing bugs during development.

The Java platform is built on the OpenJDK platform, a full open source environment, so the platform is standards based and developed in the open. It is therefore available for people who either want to take it and extend it themselves or want to have the peace of mind that the platform is out there and will be supported for some time.

Many of the features needed for a systems approach to securing IoT projects have been in the Java platform for quite some time. Largely on the Enterprise side these are taken for granted. From an embedded perspective, embedded developers are not as aware of the security related features within Java and what they can provide. As noted by Oracle, there are 10 security features that have been within the standard Java platform for quite some time, as follows:

- Java Cryptographic Architecture
- Web Compatible
- Verifiable Code
- Secure Sockets
- Signed Software
- Compatible Products
- Open Source
- Unified Logging
- Re-use tested code
- Support available
Opportunities Emerging

Our survey and related studies looked into the opportunities emerging from security in M2M/IoT. The impacts on device manufacturers and ISVs are emerging more as opportunities than as costs, as outlined below. Security is at last moving away from its image as a necessary but resented cost. There is a wide range of these opportunities emerging, as illustrated by the following.

- Many opportunities are emerging for combining the strengths of Enterprise IT security teams and the advanced M2M/IoT security capabilities that are becoming available.
- Rewards through increased market share are expected as security becomes a must-have in M2M/IoT solution procurement.
- IoT device manufacturers can gain market leadership through use of integrated, embedded security capabilities.
- We are also seeing the potential for emergence of Security as a Service markets based on standardized embedded security capabilities in M2M/IoT devices and solutions.

Summary

As noted earlier, respondents identified security as their top requirement for connected device projects. With more real time decision making and data analysis at the edge, it is perhaps not surprising that three quarters of respondents also expected the need for security to increase in edge devices. Respondents were also asked if they saw the need for identity management associated with connected devices at the network edge to change. 94% expected this to increase, with the remainder expecting it to stay the same. Nobody expected it to decrease.

It is clear that security is critical in M2M/IoT and there are benefits to the current widespread awareness of the important role that security plays.

A company's ability to securely integrate devices and to apply the right level of security will open up their ability to provide services for a specific industry. Healthcare, for example, will have different degrees of security than Home Automation.
You have to be able to understand the market that you are developing a service for, and then understand and build the right level of security that is applicable for that market.

Java ranks very highly against these security requirements as it was built with security in mind. From its sandbox security model to its support for advanced data encryption and identity management, Oracle is well positioned to support end-to-end M2M/IoT security.

Everyone is excited about the M2M/IoT opportunity, and Oracle believes that Java can provide a very strong building block and foundation for organizations, not only when they are considering security, but when they are considering a development platform for their organization, moving forward into M2M/IoT. Java has been around for quite some time and it does span the range from devices, to network support, to backend service, as well as the services that will be deployed on them. Companies' ability to develop software, and to have that software be versioned, deployed and managed across a large environment, is key, and Java has the ability to provide such functionality and flexibility.

It is important to note that Oracle is investing significant time, money and resources into the platform, into partnerships and the ecosystem to ensure that all the way across the value chain, the benefits of Java can be embraced to provide a very solid platform for M2M/IoT. Combining that with Oracle's technology stack, such as what has already been delivered for identity management, represents a very strong offering that can help organizations overcome some of these security challenges.

If you can get this security story correct, and you can build it into your platform from day one, then you will have competitive advantage going into that market. There will be a minimum requirement for security in every industry, and it will vary by industry.
Your ability to build that into your offering at the right level for that industry should lead to tremendous success.
About Beecham Research

Beecham Research is a leading market analyst and consulting firm that has specialized in the development of the rapidly-growing M2M/Internet of Things market worldwide for over a decade, since 2001. Based in Cambridge UK and in Boston US, we actively participate in initiatives aimed at achieving M2M market development and growth.

Recent research has included two market-leading and widely supported studies on M2M Cloud-Based Platform Services and a study of the worldwide Satellite M2M market contracted by the European Space Agency. Ongoing research includes new business models for the Internet of Things, Smart Cities, eHealth and a particular expertise in Wearable Technology as it applies to IoT. A particular specialty is primary research surveys involving users (adopters) and market players worldwide, in multiple languages.

Contact us at:
Website: www.beechamresearch.com
Email: info@beechamresearch.com
Tel: +44 (0)845 533 1758
Fax: +44 (0)845 533 1762
M2M blog at: http://blog.m2mapps.com