IoT Requires Defense in Depth

As hackers begin to exploit vulnerabilities deeper in the technology stacks around us, we need to focus on security along multiple vectors. An effective security strategy will address the entire end-to-end application with a defense-in-depth posture that minimizes vulnerabilities at every level of the stack. Incorporating these best practices into the automation and infrastructure processes around DevOps scenarios will provide the best overall outcome.

Recent high-profile security breaches have led to a litany of stories about personal information and financial data being stolen or exposed by hackers. Early publicity often focuses on the human aspect: whose credentials were compromised, what sort of data was collected and how to check whether you were affected. A second wave of articles then focuses on the hacker’s methodology, such as brute force, phishing an administrative credential, targeted malware and more. Finally, we get a full post-mortem, following the trail from network entry to infected target to data collection. And that’s where the fun begins.

The Shift to IoT

Over time, the details and targets of these attacks have evolved, to focus less on human interaction and more on technical vulnerability. Convincing a single user to give up a password or credit card number through a phishing attack or social engineering might be effective, but it doesn’t scale. Instead, hackers have realized that scenarios targeting vulnerabilities lower on the tech stack can quickly scale to collect data from thousands or millions of victims; collecting a database of passwords is a lot more efficient than collecting one at a time.

As threats progress down the stack, they start to attack APIs that have been opened without sufficient security and management capabilities. For Snapchat, Moonpig and the IRS, even some basic intelligence about transaction rates could have made a huge difference in the number of victims; more sophisticated API Management solutions could have prevented it entirely. However, hackers aren’t stopping at the API layer. The surge in IoT use cases has brought along new threats at every level, from forcing Point of Sale machines to record customer information as they process transactions, to manipulating the baseband chip that communicates with the mobile network in modern smartphones, to taking over a connected car via its in-dash infotainment system.

In an increasingly connected world, our Things need to be able to talk to one another, and to the rest of the Internet. Checking out at a department store may reach out to 10 different systems for item details, inventory, mobile device-to-POS transaction processing, backend credit card processing, customer relationship management, social integration, and many more. Our cars can get news stories and weather forecasts and streaming music and driving directions and restaurant reservations. Connected medical devices can make changes to body chemistry or heart rhythms based on feedback from other sensors. These IoT scenarios make our lives easier and richer, but the result of vulnerabilities in the connected systems can be catastrophic. For example, the platform looking up movie show times while driving to the theater is often the same system that can lock/unlock the car doors or perform a remote start/stop, as Jeep recently discovered when an insecure entertainment system provided hackers with a way to remotely shut down a vehicle.

Defense in Depth

The sheer magnitude of potential threat vectors in an Internet of Things scenario demands “defense in depth.” This concept is a common one in military and security circles, but is less often applied when dealing with everyday applications. It suggests that security should be taken into consideration at each layer of the technology stack; the layers most commonly included are data, application, host, internal network, perimeter, physical, and policies, procedures and awareness. Each of these layers has a set of possible threats and remediations for those threats. A network firewall or security gateway can provide a secure perimeter; SSL can provide transport-layer data security; locked gates and biometric access scanners might provide physical protection to a server in a data center; and tricking someone out of their password using social engineering can be prevented through some simple awareness and standard operating procedures.

A combination of configured security and strict security policies should work together to protect everything, from human interactions to data encryption. If something is missed at one layer, it should be picked up at another layer by risk evaluation or log analysis or any of a number of tools designed to provide operational visibility, threat detection and breach remediation. Defense in depth provides the best overall chance at secure application delivery.
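The “basic intelligence about transaction rates” mentioned for the API layer above, and the point that what one layer misses should be picked up by another through log analysis, as an added example that is not code from the original article or from any API management product: an in-line token-bucket limiter at the gateway (layer one) and an offline sliding-window log analyser (layer two). The log line format, the client ids `app-7f3e` and `app-12ab`, the path `/v1/accounts/lookup`, the timestamps and the thresholds are all constructed for illustration.

```python
"""Two layers of protection against abnormal API transaction rates:
an in-line token-bucket limiter at the gateway, and an offline log
analyser that catches what the limiter let through.

Added illustration; the log line format, client ids, paths and
thresholds are all constructed and are not from any real gateway."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class TokenBucket:
    """Per-client token bucket: refills `rate` tokens per second, holds at most `capacity`."""

    def __init__(self, rate, capacity):
        self.rate = rate
        self.capacity = capacity
        self.state = {}  # client -> (tokens available, time of last update)

    def allow(self, client, now):
        tokens, last = self.state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last).total_seconds() * self.rate)
        if tokens >= 1:
            self.state[client] = (tokens - 1, now)
            return True
        self.state[client] = (tokens, now)
        return False


def parse_line(line):
    """Constructed access-log format: '<ISO timestamp> <client id> <method> <path> <status>'."""
    ts, client, method, path, status = line.split()
    return datetime.fromisoformat(ts), client, method, path, int(status)


def replay_through_gateway(lines, bucket):
    """Layer 1: replay the log through the limiter in time order; return how many requests it denies."""
    events = sorted(parse_line(line) for line in lines)
    return sum(1 for ts, client, *_ in events if not bucket.allow(client, ts))


def find_high_rate_clients(lines, window, threshold):
    """Layer 2: sliding-window log analysis. Return {client: peak requests seen in
    any `window`} for every client that exceeded `threshold` requests in some window."""
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)
    peaks = {}
    for ts, client, *_ in events:
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and len(q) > peaks.get(client, 0):
            peaks[client] = len(q)
    return peaks


BASE = datetime(2015, 9, 1, 12, 0, 0)  # constructed start time


def build_sample_log():
    """Constructed log: one client querying steadily just under a 2 req/s limit
    for two minutes, and one client with a handful of normal requests."""
    lines = []
    for i in range(150):  # one lookup every 800 ms
        ts = BASE + timedelta(milliseconds=800 * i)
        lines.append(f"{ts.isoformat()} app-7f3e GET /v1/accounts/lookup 200")
    for i in range(5):  # five requests spread over two minutes
        ts = BASE + timedelta(seconds=25 * i)
        lines.append(f"{ts.isoformat()} app-12ab GET /v1/accounts/lookup 200")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    # The in-line limiter (2 req/s, burst of 5) denies nothing: 1.25 req/s is within policy.
    print("denied by gateway limiter:", replay_through_gateway(log, TokenBucket(rate=2, capacity=5)))
    # The log analyser still flags the sustained volume: more than 60 requests in a 60 s window.
    print("flagged by log analysis:", find_high_rate_clients(log, timedelta(seconds=60), threshold=60))
```

The two mechanisms fail differently: the bucket stops bursts at the moment they happen, while a client that stays just under the per-second limit for minutes passes it untouched and is only visible in the aggregate, which is why the second layer is worth running even when the first is in place.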

End to End

Beyond looking at every layer of the stack, a truly rigorous security posture must be able to follow a transaction from end to end across every device or system that may have access to critical components, and ensure this same layered defense in depth across each one. With the number of systems involved (phones, cars, peripherals, servers) and the layers to be protected, the complexity of the problem increases. With the expanding IoT market, these issues need to be addressed up front; while nothing can stop the continued adoption of IoT, failure to look at the bigger picture will result in more negative headlines.

Focus on User Experience

If we recognize the importance of security across all of these IoT (and non-IoT) scenarios, how can we build applications that still delight our customers? For client-side developers, the Holy Grail is a fantastic user experience. The last thing they want to worry about is implementation of multiple layers of security across the network, application and data layers. That’s why developers should take advantage of IT-managed security infrastructure to enable rapid development without major impediments, so they can deliver apps to market more quickly. Backend IT architects should similarly be able to focus more on the data and logic being delivered than the security implementation, and make use of configuration-driven security infrastructure.

DevOpsSec

Taking this one step further, security should be deployed as part of the larger application development process. For enterprises using DevOps methodologies, this means bringing security to the table early in the process and turning it into “DevSecOps.” It means rolling code testing and vulnerability scans into the deployment process. It means automating the provisioning of security infrastructure right alongside (or in front of) the application architecture. The result is the best possible outcome from a true end-to-end and defense-in-depth strategy.
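The step of rolling vulnerability scans into the deployment process, as an added example that is not code from the original article or from any scanner vendor: a small deployment gate that reads a scan report, applies a severity threshold and time-limited exceptions, and fails the pipeline while a blocking finding remains. The report layout, the finding ids `EXAMPLE-0001` to `EXAMPLE-0003`, the package names and the policy values are all constructed and do not correspond to any real scanner's output format.

```python
"""Deployment gate: consume a vulnerability-scan report and decide whether
the pipeline may promote the build. Added example; the report layout,
finding ids, package names and policy values are constructed and do not
match any particular scanner's output format."""
import json
import sys
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scanner output, as a CI step might hand it to the gate.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "EXAMPLE-0001", "package": "libfoo", "severity": "CRITICAL", "fixed_version": "1.2.4"},
        {"id": "EXAMPLE-0002", "package": "libbar", "severity": "HIGH", "fixed_version": None},
        {"id": "EXAMPLE-0003", "package": "libbaz", "severity": "LOW", "fixed_version": "0.9.1"},
    ]
})

# Constructed policy: block at HIGH and above, with one recorded, time-limited exception.
POLICY = {
    "block_at": "HIGH",
    "exceptions": {
        "EXAMPLE-0002": {
            "expires": "2026-06-30",
            "reason": "no upstream fix yet; package only reachable on the internal network",
        },
    },
}


def evaluate(report_json, policy, today):
    """Return the gate decision plus the findings sorted into blocking, waived and informational.
    Unknown or missing severities block the build (fail closed) rather than slipping through."""
    threshold = SEVERITY_RANK[policy["block_at"].upper()]
    blocking, waived, informational = [], [], []
    for finding in json.loads(report_json).get("findings", []):
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).upper())
        if rank is not None and rank < threshold:
            informational.append(finding["id"])
            continue
        exception = policy["exceptions"].get(finding["id"])
        if exception and date.fromisoformat(exception["expires"]) >= today:
            waived.append(finding["id"])  # accepted risk, documented and still within its expiry
        else:
            blocking.append(finding["id"])
    return {
        "deploy": not blocking,
        "blocking": blocking,
        "waived": waived,
        "informational": informational,
    }


def main():
    """Run as a pipeline step: non-zero exit stops the deployment."""
    result = evaluate(SAMPLE_REPORT, POLICY, date.today())
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["deploy"] else 1)


if __name__ == "__main__":
    main()
```

Exceptions carry an expiry date on purpose: a waiver that never lapses quietly becomes permanent acceptance, while one that expires forces the team to re-justify it or ship the fix. Treating an unrecognised severity as blocking means a scanner upgrade that changes its vocabulary halts the pipeline rather than silently letting findings through.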

About the Author

Jaime Ryan is Senior Director, Product Management & Strategy at CA Technologies, leading integrations between CA API Management and other CA and partner technologies. Jaime was at Layer 7 prior to CA’s acquisition in June 2013, where his responsibilities included technical strategy, partnerships, evangelism, marketing and analyst relations. He has been building secure integration architectures as a developer, architect, consultant and author for the last fifteen years, and currently resides in San Diego with his wife and two daughters.
