IoT security fundamentals: connecting securely to IoT Cloud services
Threats can arrive in all manner of interactions when IoT devices connect to Cloud services. To protect themselves and their customers, IoT Cloud providers dictate specific requirements for authentication and access rights management. Although providers offer detailed documentation of those requirements and the associated specifications, developers can find that their efforts to implement secure connectivity sometimes leave resources exposed, or conversely, inaccessible. Using development boards and associated software, developers can quickly connect to Cloud services and rapidly prototype IoT applications with end-to-end security.
for dynamic assignment of access rights. Here, other AWS Lambda functions would assign a set of policies associated with a valid token (Figure 7). Other IoT Cloud services help developers deal more efficiently with provisioning in large-scale deployments. For example, AWS IoT provides fleet provisioning capabilities, including support for larger-scale deployment of the kind of bootstrap method described earlier. Azure IoT's Device Provisioning Service provides a group enrolment capability that supports provisioning of large numbers of IoT devices whose certificates chain to the same X.509 CA certificate, or that derive their credentials from a shared group SAS key.
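The dynamic assignment of access rights described above can be sketched in code. The following is an added example, not code from the article or from AWS: a Python Lambda handler in the shape AWS IoT expects from a custom authorizer (an `isAuthenticated` flag, a `principalId`, and a list of `policyDocuments`). The token format (device id, expiry, HMAC-SHA256 tag), the shared secret, the AWS account and region values, and the topic layout are all assumptions made for the example; in a real deployment the secret would come from a key store, not a source literal. The handler reads the token either from the `token` field of the event or, as a fallback, from the base64-encoded MQTT password that AWS passes in `protocolData.mqtt.password`. Each valid token yields a least-privilege policy scoped to that single device: it may connect only under its own client id and speak only on its own topics.

```python
"""Added example: an AWS IoT custom authorizer that maps a valid token to a per-device policy."""
import base64
import binascii
import hashlib
import hmac
import time

# Assumed: a per-deployment secret shared by devices and the authorizer.
# Real deployments load this from Secrets Manager / KMS, never from source.
SHARED_SECRET = b"example-authorizer-secret-do-not-ship"
AWS_ACCOUNT = "123456789012"   # placeholder account id (assumed)
AWS_REGION = "us-east-1"       # placeholder region (assumed)


def make_token(device_id: str, expires_at: int, secret: bytes = SHARED_SECRET) -> str:
    """Assumed token format: '<device_id>.<expiry_unix>.<hex HMAC-SHA256 over the first two>'."""
    msg = f"{device_id}.{expires_at}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{device_id}.{expires_at}.{tag}"


def verify_token(token: str, now: int, secret: bytes = SHARED_SECRET):
    """Return the device id if the token is well formed, unexpired and authentic; else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    device_id, exp_str, tag = parts
    # Principal ids must be plain alphanumerics; reject anything else before it reaches a policy ARN.
    if not device_id.isalnum() or not exp_str.isdigit():
        return None
    if int(exp_str) <= now:          # expired tokens get no rights at all
        return None
    expected = hmac.new(secret, f"{device_id}.{exp_str}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison of the MAC
        return None
    return device_id


def build_policy(device_id: str) -> dict:
    """Least-privilege IoT policy: connect only as this client id, publish/subscribe only on its topics."""
    arn = f"arn:aws:iot:{AWS_REGION}:{AWS_ACCOUNT}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{arn}:client/{device_id}"},
            {"Effect": "Allow", "Action": "iot:Publish",
             "Resource": f"{arn}:topic/devices/{device_id}/telemetry"},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{arn}:topicfilter/devices/{device_id}/commands"},
            {"Effect": "Allow", "Action": "iot:Receive",
             "Resource": f"{arn}:topic/devices/{device_id}/commands"},
        ],
    }


def _extract_token(event: dict) -> str:
    """Prefer the explicit token field; fall back to the base64 MQTT password AWS forwards."""
    if event.get("token"):
        return str(event["token"])
    password = event.get("protocolData", {}).get("mqtt", {}).get("password")
    if not password:
        return ""
    try:
        return base64.b64decode(password, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def lambda_handler(event: dict, context=None, now=None) -> dict:
    """Custom authorizer entry point. `now` is injectable so the expiry check is testable."""
    now = int(time.time()) if now is None else now
    device_id = verify_token(_extract_token(event), now)
    if device_id is None:
        # Deny: no principal, no policies. AWS closes the connection.
        return {"isAuthenticated": False, "principalId": "anonymous", "policyDocuments": []}
    return {
        "isAuthenticated": True,
        "principalId": device_id,
        "disconnectAfterInSeconds": 3600,   # force periodic re-authentication
        "refreshAfterInSeconds": 300,       # re-run the authorizer to pick up policy changes
        "policyDocuments": [build_policy(device_id)],
    }


if __name__ == "__main__":
    demo = make_token("sensor01", int(time.time()) + 600)
    print(lambda_handler({"token": demo}))
```

The two timing fields matter for the ephemeral connections the text mentions: `disconnectAfterInSeconds` bounds how long a single token grants access, and `refreshAfterInSeconds` makes AWS re-invoke the authorizer so a revoked device loses its policy without waiting for the connection to drop.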
Shared responsibility for security
IoT Cloud providers offer a number of effective methods for enhancing end-to-end security for IoT applications. Nevertheless, IoT developers cannot expect those methods to bear the full weight of the security requirements of their particular IoT application. In fact, Cloud service providers carefully outline their specific role and responsibilities in IoT application security with models such as AWS's shared responsibility model (Figure 8). AWS and Microsoft Azure each provide shared responsibility documents that describe the provider's own role and that of the customer in securing resources, data, and applications. In its documentation, Microsoft also offers an overview of some of the relationships between shared security and compliance requirements. Ultimately, Cloud providers retain responsibility for the security of the Cloud itself, while customers remain responsible for the applications, data, and resources they run in the Cloud.
Figure 7: Developers can use Cloud services to implement dynamic assignment of access rights, which is particularly useful for applications with ephemeral connections or short-lived operations. Credit: Amazon Web Services
Figure 8: As with other leading Cloud providers, AWS describes the responsibilities that it shares with Cloud users to protect the Cloud infrastructure on one hand and customer applications on the other. Credit: Amazon Web Services
Conclusion
IoT applications depend on layers of security built up from hardware-based mechanisms for cryptography and secure key storage. As with any connected product, security