*By Rodrigo Fernandes
With the significant increase in the use of the cloud, the Internet of Things (IoT) has been gaining strength within organizations. According to IoT Snapshot 2019, a study conducted by Logicalis that draws a picture of the adoption and potential of the technology in the Latin American market, 35% of Brazilian companies already have some type of initiative in their business, aiming at results such as cost reduction, agility and operational efficiency.
As the benefits provided by the IoT expand, so do the security challenges. Before briefly mentioning some of them, it is worth remembering that, intuitively, we tend to think only about the day-to-day work of IT teams, without considering which requirements, functional or not, will really help to achieve an effective risk assessment focused on product applicability. We need to change this mindset in order to see comprehensively the functional and non-functional risks of implementing IoT in companies, considering the likelihood of attacks and the business impacts.
There are four important steps in implementing an IoT project to consider before we assess the potential security issues involved. They are: data collection (we can obtain different types of information depending on the characteristics of each project), storage and processing (which should take into account whether or not devices have local storage capacity, for which the cloud may be an option for real-time targeting, analysis and control), and streaming (which can be done through sensors, processing platforms, specific protocols and adequate consumption by users, without errors or interruptions).
It is also worth mentioning the emergence of a new paradigm to meet the needs of low latency, mobility and geolocation demanded by IoT projects. Edge Computing aims to move some cloud-based computing, storage and network resources to the edge, thereby improving project performance with a faster response due to low latency, and also enabling the development of new applications, even if internet access is not available.
In this case, obviously, we are not talking about replacing cloud computing, but rather about an additional processing layer, which will allow new implementation models and applications that could not be used without it.
When we think about these scenarios involving IoT, several issues related to privacy and security arise, which are increasingly real in the daily lives of companies. The most worrying factors for IT professionals - and for businesses - are the changes made daily in technological platforms (be they infrastructure, operation or applications) and development routines that demand a certain level of integration and maturity.
The increase in threats and in the quality of attacks has led companies to improve their security measures, which demands the evolution and adaptation of traditional models of control and data recovery to better meet the needs of the Internet of Things, which has been transforming the way companies conduct and control their business.
Major threats in IoT environments include:
1) Cloning devices
2) Interception of communication
3) Replacement of firmware
4) Extraction of security parameters
5) Attacks on communication channels
6) Routing attacks
8) Denial of service attacks
9) Threats to privacy
And while we can deal with problems arising from the physical nature of objects just by adopting secure supply and installation measures, all other threats require secure communication protocols and cryptographic algorithms. This imposes some basic security properties on these projects:
– Confidentiality: the transmitted data can be read only by the communication terminals;
– Availability: communication terminals can (and should) always be reached;
– Integrity: the data received are not altered during transmission, and any alteration can be detected quickly;
– Authenticity: data can always be verified. To this we add the need for authorization.
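To make the integrity and authenticity properties concrete, here is an added example (not part of the original article) in which a device attaches an HMAC-SHA256 tag and a counter to each reading and the receiver rejects altered, replayed or imitated messages. The device name, key registry, message layout and function names are assumptions made for illustration; confidentiality would additionally require encryption and is not covered here.

```python
import hashlib, hmac, json, secrets

# Constructed demo registry: one random key per device (names are hypothetical).
DEVICE_KEYS = {"sensor-01": secrets.token_bytes(32)}

def _tag(key: bytes, body: str) -> bytes:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest().encode()

def seal(device_id: str, key: bytes, counter: int, data: dict) -> dict:
    """Device side: serialize the reading and attach an HMAC-SHA256 tag."""
    body = json.dumps({"id": device_id, "ctr": counter, "data": data}, sort_keys=True)
    return {"body": body, "tag": _tag(key, body).decode()}

class Gateway:
    """Receiver side: accepts a message only if the tag and counter check out."""
    def __init__(self, keys: dict):
        self.keys = keys
        self.last_ctr = {}  # highest counter accepted per device

    def verify(self, msg: dict):
        raw = msg.get("body")
        if not isinstance(raw, str):
            return False, "malformed"
        try:
            body = json.loads(raw)
            device_id, ctr, data = body["id"], body["ctr"], body["data"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        # The id is only used to pick a key; nothing is trusted before the tag matches.
        key = self.keys.get(device_id) if isinstance(device_id, str) else None
        if key is None:
            return False, "unknown device"
        if not hmac.compare_digest(_tag(key, raw), str(msg.get("tag")).encode()):
            return False, "bad tag"      # altered in transit or sealed with a wrong key
        if type(ctr) is not int or ctr <= self.last_ctr.get(device_id, -1):
            return False, "replay"       # authentic but already seen
        self.last_ctr[device_id] = ctr
        return True, data

def demo():
    gw, key = Gateway(DEVICE_KEYS), DEVICE_KEYS["sensor-01"]
    good = seal("sensor-01", key, 1, {"temp_c": 21.5})
    tampered = dict(good, body=good["body"].replace("21.5", "99.9"))
    cloned = seal("sensor-01", bytes(32), 2, {"temp_c": 21.5})  # imitation lacking the real key
    return [gw.verify(m) for m in (good, tampered, good, cloned)]
```

Because each device has its own key, extracting the key from one unit does not let its holder speak for any other device in the registry.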
Within this context, technologies such as authorization, anonymization and pseudonymization are also essential. In addition, as the architecture of smart device protocols takes advantage of the IP architecture, many security solutions currently used by companies can be reused in IoT projects.
And although the market already offers ways to resolve the threats encountered in day-to-day business, it is important to emphasize that being aware of vulnerabilities is not a precaution restricted to the cloud or the IoT. Any technology can be threatened when it does not have resources and solutions that shield it against attacks. It is like thinking about a house without doors and windows. Would anyone risk living in it?
* Rodrigo Fernandes, Logicalis cloud, app and data security manager
Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies