We all have secrets we keep on our mobile devices: passwords, customer data, strategic plans. And yet high-profile cyber-attacks – Home Depot, NSA, Sony, Target – continuously remind us of the risks posed to enterprise systems by sophisticated adversaries, trusted insiders, insecure hardware, and single-factor authentication.
Those publicized security incidents notwithstanding, there is a body of IT security best practice literature that we can turn to when it comes to protecting the enterprise in the age of BYOD and cloud computing. What’s lacking is the adoption of the next generation of defensive security technologies.
But when it comes to data security and the Internet of Things (IoT), the threat model is less well understood. Moreover, the industry lacks a standard bag of tricks that we can turn to for risk mitigation in that domain.
Indeed, IoT breaks many previous assumptions about mobile security. For example, in IoT, the concept of identity must be device- rather than user-based. Similarly, provisioning must be completely automatic rather than interactive.
However, there are similarities between enterprise mobile security and IoT. For example, protocols must be standards-based and interoperable. And in all cases, software developers need trustworthy options to choose from – the proverbial bag of tricks – depending on the characteristics of each hardware platform and operating system.
Well-funded cyber criminals are a modern reality, and we need systems that are capable of handling sensitive data at massive scale. The good news is that high-assurance IoT security can be achieved using hardware roots of trust, from device to cloud.