For CIOs, the Internet of Things (IoT) represents an incredible new opportunity to generate rich data insights about the organisation. By leveraging the ability to connect everything to the cloud and the organisation’s network, it’s possible to generate deep insights about everything from how employees move around in their working day, through to how efficient the logistics operation of the organisation is, and how the end customer interacts with the brand.
The efficiency and productivity promised by connected workplaces and operations will see organisations spend $US745 billion on IoT in 2019, according to research by market intelligence company, IDC research. By 2022, it will surpass $US1 trillion.
However, despite the value IoT solutions present, there are some significant concerns about the security of some IoT devices, and their presence on the network. Security vendor, Symantec, said, in its recent annual security threat report: “Targeted attack groups increasingly focus on IoT as a soft entry point.” It previously reported that, in 2018, attacks towards IoT had increased by 600 per cent year-on-year.
Azure Sphere as the IoT security solution
CIOs are aware of the security threats around IoT and are seeking best fit solutions. Analyst, Gartner, reported that IoT security spending reached $1.5 billion in 2018. However, while a business is ultimately the one culpable in the event of a breach in the eyes of regulators, it’s at the hardware manufacturing end where the vulnerabilities tend to lie with IoT, because IoT security requires a new approach and, for some in the industry, that’s a struggle.
“It’s an entirely new challenge. If you think of traditional IT and mobility management scenarios where there’s well defined approaches to data protection and access management, coming to IoT, where those methods don’t apply, it is an entirely new world.” Danielle Damasius Principle PM, Azure Sphere, Microsoft, said. “With IoT you’re looking at devices that are always on, unmanaged from a traditional sense and unattended in a lot of cases, so often there are not many indicators that a device has been compromised – there aren’t the traditional watchdogs in place.”
With so many devices in production, and no unified platform for IoT security to operate on, hardware manufacturers have previously been left to their own security practices. By the time the end-user has a few IoT devices in their environment, security has become a patchwork of differing standards provided by a wide range of different vendors that have vastly different levels of resourcing available to provide security. Hackers only need to find one vulnerability to gain access to the organisation’s network – and such an environment is ripe for finding weaknesses. It is why IoT is seen as a “soft target.”
As a result, Microsoft has developed Azure Sphere to create a highly secured IoT devices.. A Linux-based embedded OS and cloud service for microcontrollers, Azure Sphere addresses the most critical challenges facing IoT by presenting a uniform platform for security that all device manufacturers can access.
Manufacturers implement the Azure Sphere platform onto their devices, and can then rely on the built-in security provided by Microsoft’s security practice. Connected to the cloud, Microsoft brings its considerable weight in security to provide failure reporting to identify threats and automatic updates to address vulnerabilities as they are revealed.
IoT security best practices
In looking to address the threats, Microsoft developed a design philosophy in approaching IoT security, called the “seven properties of highly secure devices”. These properties are a blend of hardware, OS, and cloud-based security properties, creating an end-to-end security solution, and highlighting the need for IoT security to be approached as a whole-of-industry challenge.
“Foundationally, we believe that when you start building devices you should immediately have security in mind,” Damasius said. Azure Sphere is designed to make it easy and affordable for manufactures to build renewable security into their devices from the outset.”
Microsoft also has a network of hardware and design partners that it works with to help other partner manufacturers build security into their devices.
“Some manufacturers in IoT still think they can solve for security later,” Damasius said. “No manufacturer sets out to make insecure devices, of course. Nobody wants to be the one with the botnet refrigerator. But if they’re not being proactive about security from the outset, then they are unintentionally being insecure and putting their brands and customers at risk.”
CIOs need the value that IoT brings to the business. In an increasingly data-driven world, IoT represents the opportunity for data differentiation. However, the sensitivities over data also means security around IoT needs to be paramount. One of the best things a CIO can do to ensure they are approaching IoT with a security best practice frame of mind is confirm that all the devices being brought onto the network are built on a uniform platform that was designed with security in mind from the outset.
For more information on IoT and security, don’t miss Danielle Damasius’ presentation at the IoT in Action event in Sydney on March 19. Register to attend here.