Industry View: Demystifying Device Security, Part Two

The Internet’s profound potential lies in its ability to connect billions upon billions of smart sensors, devices, and ordinary products into a global “digital nervous system.”  Already, people are able to purchase products directly from their cell phones, or receive automated, real-time traffic updates while driving in their cars.  As devices continue to proliferate and connect to a global network, it is increasingly important to ensure the security and integrity of those devices.  With the right security infrastructure, companies can not only address the integrity issues but also facilitate new, automated context-aware applications and services.

With this “Internet of Things” connectedness, there is a dramatic change in the network landscape and the nature of emerging threats or security attacks upon it.  For instance, today’s malware including viruses, are spreading easier and more effectively than ever before.  The type and number of threats is increasing exponentially and attacks are becoming much more sophisticated, making them harder to detect and near impossible to remove.  It is estimated that the cost of malware and attacks to the industry is over $100 billion dollars a year.

 Companies need to better understand their device security options and address this changing threat landscape with the right security approach. But, how?

Software designed for PCs and servers simply cannot be repurposed and applied to the Internet of Things.  There are different and unique challenges such as scalability and automated provisioning that must be addressed with a new approach. For example, the use of digital certificates to tie a certificate identity to a device becomes more complicated. With devices, provisioning requires dealing with tens of thousands of connected heterogeneous devices. This is very different than dealing with hundreds or thousands of homogeneous PCs or servers.

Likewise, the anti-virus model that is pervasive on PCs simply will not work for other classes of connected devices.  Instead, a new behavioral-based approach is needed; one that is much more efficient, less memory and CPU intensive and can prevent zero-day attacks.  Device security should be able to detect in real-time if software on the device is not running the way it was intended to, with no false positives.

To truly protect devices, organizations must employ an extensible security framework that secures all aspects of device data access and communications in a standard way that, ideally, is designed and architected from the beginning for non-PC devices. The framework should include software that is resident on the device, plus offer capabilities delivered across the network.  Device security software must be high-performance to deal with voice, video and data applications on any connected device. It needs to have a small footprint because the majority of devices don’t possess excess memory or CPU resources.  Security software must also be asynchronous and event-driven so that it is able to process tasks in parallel to drive efficiency and performance of the device. 

Lastly, it needs to be affordable and extensible.  The software must work across any operating system or CPU combination because there is no dominant operating system like there is in the PC world.  The evolving nature of the device industry requires that companies have the ability to update and add security capabilities over time and as needed.

When companies understand both the security and identity of the device and the network, they can surface that information to applications to enable much more automated, context-aware applications and services to run across them. With complete trust and confidence in the identity and integrity of devices, enterprises will be able to automate provisioning and achieve greater gains from these devices. 

For consumers, proper device security and identity will enable new richness in applications particularly in the areas of personalized provisioning. For example, consumers will be able to automatically and seamlessly deliver their personal preferences (such as their unique preferences, settings, profiles and address book) to their new cell phone without going through the set-up process.

With the right security infrastructure in place, complete device security is possible and becomes intertwined with device integrity and identity, operating behind the scenes without annoying or obstructing the user.  Done correctly, security is not just an “insurance policy” for businesses against malware and attacks; it is the foundation for developing interesting new applications and services to drive new revenue streams in our Internet of Things world. #

Adrian Turner is the founder and CEO of Mocana. See Part One of this article here.