
The key to securing IoT data

Editorial Type: Feature     Date: 03-2016







CEO of Covata, Trent Telford, explains why key management is critical to securing the Internet of Things

With an increasing number of network-connected devices gathering data, what happens if a hacker infiltrates the network and collects some data for themselves? An individual householder may not be too worried if a hacker can gather data from their electricity smart meter, but should that hacker repeat that at scale, it could be enough to disrupt or even control the national grid.

The best form of defence in this case is to make certain that all network data is encrypted, which renders it useless to anyone who intercepts it. But it remains important to authenticate all network connections before granting user access, which could prevent data falling into the wrong hands in the first place. Policies governing data access, for example by preventing it being shared, are equally crucial to keeping data secure.

Encryption, identity, and access policy management are essential to protecting the growing volume of data as the Internet of Things (IoT) takes hold. This combination is also the only way to ensure data sovereignty, because it establishes a framework for the way in which governments and authorities can request access to encryption keys. For some equipment manufacturers, security isn't their core strength and encryption key management is outsourced to experts. Security solutions aren't all made equal, though, and considering the breadth of control that IoT has the potential to enable, we urgently need security solutions that are effective in this hyper-connected world.

When assessing IoT security solutions there are two things to consider. Firstly, data needs to be encrypted and decrypted on the device, to prevent it travelling over the Internet in plain sight. Once the data reaches the recipient (the person or machine requesting it), the request for the decryption key needs to be authenticated and checked against the policy service. If the user can prove their identity but is travelling in a country where that data could be stolen or legally summoned by a third party, then access could be denied by a policy that prevents keys from being issued into that country or geo-location.

This ability to control exactly who has gained access to what data and where from will ensure that there is a complete audit trail. For some data there will be a policy that restricts it from being downloaded and visible offline, because this is difficult to audit and track.

The second consideration is that access to data should only be granted if the recipient has the entire key, and to prevent snooping by the bad guys or even security forces, this key should be fragmented. This means that a number of data custodians hold a fragment of the key and have to cooperate for access to be granted, for instance by order of a court. Data custodians include the government or a duly authorised agent from where the generating key service is delivered, a tenancy owner or its nominated escrow agent, an auditing firm, and the Key-as-a-Service itself.
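The fragmentation and policy check described above can be sketched as follows. This is an added example, not code from the article or from Covata: the article does not say how keys are fragmented, so an all-or-nothing XOR split is assumed here, and the function names, custodian identifiers and country codes are illustrative.

```python
import secrets
from functools import reduce

# Custodian roles named in the article; the identifiers are illustrative.
CUSTODIANS = ("government_agent", "tenancy_owner", "auditing_firm", "key_service")

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, custodians=CUSTODIANS) -> dict:
    """Give each custodian one fragment; the XOR of all fragments is the key."""
    # Every fragment but the last is uniformly random, so any incomplete
    # set of fragments is statistically independent of the key.
    fragments = [secrets.token_bytes(len(key)) for _ in custodians[:-1]]
    fragments.append(reduce(_xor, fragments, key))
    return dict(zip(custodians, fragments))

def combine(fragments: dict) -> bytes:
    """XOR the supplied fragments together (no completeness check)."""
    return reduce(_xor, fragments.values())

def release_key(fragments: dict, requester_country: str,
                denied_countries: set, custodians=CUSTODIANS) -> bytes:
    """Hypothetical policy gate: the requester must not be in a blocked
    geo-location and every custodian must contribute a fragment."""
    if requester_country in denied_countries:
        raise PermissionError(f"policy denies key release into {requester_country}")
    missing = [c for c in custodians if c not in fragments]
    if missing:
        raise PermissionError(f"custodians not cooperating: {missing}")
    return combine({c: fragments[c] for c in custodians})

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed 256-bit data key
    shares = split_key(key)
    # Simulate one custodian (the auditing firm) withholding its fragment.
    partial = {c: f for c, f in shares.items() if c != "auditing_firm"}
    return {"key": key, "shares": shares, "partial": partial}

if __name__ == "__main__":
    d = demo()
    print("all custodians recover key:", combine(d["shares"]) == d["key"])
    print("one missing recovers key:  ", combine(d["partial"]) == d["key"])
```

With this split, three cooperating custodians learn nothing about the key; a threshold scheme such as Shamir's secret sharing would be the alternative if access should survive one custodian being unavailable.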

Data generated from connected devices is set to inform the decisions of the future, but it also creates an opportunity for hackers. Depending on the data type, the ramifications of compromised data could range from terrorist attacks shutting down infrastructure operations, including power and transportation systems, through to stealing valuable, sensitive or compromising data.

Having a standard security protocol for key management is the only way to maintain the integrity of the open internet and ensure the future of IoT. The internet was designed to be collaborative and this is best achieved when machines can fully interact with each other. IoT is creating a world of possibilities, but all this will be inconsequential if the data created can't be secured.
