Securing the Internet of Things

When a device comes knocking on the front door, how do you know when to let it in?

We’ve all seen the incredible growth stats for IoT. And the market is already flooded with solutions to address all kinds of challenges that accompany these types of devices, but are we all talking about the same thing?

In a Forbes article from late last year, which summarized IoT studies, respondents believed “the IoT is associated with ever-greater levels of connectivity; more intelligence built into devices, objects, and systems; and a strong data and applied learning orientation.” The same article also stated that, across different surveys, the share of respondents who felt they were well prepared for the security implications of the IoT varied between 30 percent and 57 percent.

The risks of connectivity

That’s a pretty wide margin and low by security standards. Each of these devices is connected to the Internet and is therefore susceptible to being hacked.

I was recently visiting a friend who had the Amazon Echo. I had seen this advertised, but never gave it much thought until I played with it for 5 minutes. Now I have to have one. It’s a very cool and useful device for the tech-savvy homeowner, but also a liability, because it expands the attack surface with all its connectivity.

Authentication and the IoT risks of connectivity

The biggest security issue with the IoT is authentication. Before the device performs a requested function, how does it know that the request is from the owner of the device, and not from a hacker? The device needs some way to identify the user.

In the example of the car, there may be an interface (the navigation screen) where you could prompt the user to authenticate, but in the case of devices like Echo, there is no interface; it is voice-activated. The obvious answer is to leverage an out-of-band or push notification mechanism to the user’s mobile device. The question then becomes how often to use this mechanism. Too much, and it becomes annoying; too little, and it doesn’t protect the user.

Risk Authentication to the Rescue

User behavior is a strong indicator of an individual’s identity, and it can be used to detect when a user’s behavior differs from normal patterns. For example, a user normally requests news and weather every morning before requesting that Echo open the garage door. The user rarely uses Echo to open the door in the evenings, so a request to open the garage door at 3am would be out-of-pattern.

This may be viewed as a risky request, so Echo initiates an out-of-band authentication request. On the other hand, a different user may work the late shift. For this user, opening the garage door late in the evening would be quite normal. A behavior model learns the patterns for each user, and gauges risk based on that user’s unique patterns.

In addition, simply adding risk analysis provides greater assurance that the user is who they claim to be, and because this is transparent to the end user, there is no impact unless the transaction is deemed too risky. And this allows you to enhance security without introducing significant friction.
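The garage-door scenario above can be sketched in a few lines of Python. This is an added example, not code from the article or from any product: a simple hour-of-day histogram stands in for the behavior model, and the user names, command names, window, threshold and history are all constructed assumptions.

```python
from collections import Counter, defaultdict

SENSITIVE = {"open_garage"}  # assumed: commands worth a step-up when out of pattern
WINDOW = 1                   # hours either side of the request that count as "usual"
THRESHOLD = 0.10             # assumed cut-off on the share of matching history
MIN_HISTORY = 5              # too little history: treat as unfamiliar

class BehaviorModel:
    """Per-user, per-command histogram of the hour of day requests arrive."""

    def __init__(self):
        self.hist = defaultdict(Counter)  # (user, command) -> {hour: count}

    def observe(self, user, command, hour):
        self.hist[(user, command)][hour % 24] += 1

    def familiarity(self, user, command, hour):
        """Share of this user's past uses of the command within WINDOW hours."""
        counts = self.hist.get((user, command), Counter())
        total = sum(counts.values())
        if total < MIN_HISTORY:
            return 0.0
        # Modulo 24 so that 23:00 and 00:00 are neighbours.
        near = sum(counts[(hour + d) % 24] for d in range(-WINDOW, WINDOW + 1))
        return near / total

    def decide(self, user, command, hour):
        """Return 'allow', or 'step_up' to trigger the out-of-band prompt."""
        if command not in SENSITIVE:
            return "allow"
        ok = self.familiarity(user, command, hour) >= THRESHOLD
        return "allow" if ok else "step_up"

def build_demo_model():
    """Constructed history: one morning user, one late-shift user."""
    m = BehaviorModel()
    for day in range(20):
        m.observe("day_user", "news", 7)
        m.observe("day_user", "open_garage", 7 + day % 2)
        m.observe("night_user", "open_garage", 2 + day % 3)
    return m

if __name__ == "__main__":
    model = build_demo_model()
    for user in ("day_user", "night_user"):
        print(user, "open_garage at 03:00 ->", model.decide(user, "open_garage", 3))
```

The same 3 a.m. request yields a step-up for the morning user and passes silently for the late-shift user, and a user with no history is always prompted.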

How are you securing your IoT devices?

About the author

As product marketing manager in Broadcom’s Enterprise Software Division, Rob is responsible for messaging, positioning, and go-to-market strategy for the Layer7 Privileged Access Management portfolio. Rob has over 18 years of experience in the identity and access management space. Prior to enterprise software, Rob worked in aerospace, telecommunications, and management consulting.