Securing things in the cloud

January 4, 2016

Vishak Raman   

Head of the Managed Security Services business

I’ve spoken in previous blogs about the concept of “cloudification” of business, a transformation that has occurred primarily due to widespread smartphone and tablet penetration in the workplace as well as the increased use of cloud-based enterprise applications.

However, cloudification is by no means limited to the enterprise. People can access, purchase and use content delivered on cloud-based platforms on all kinds of devices for their personal use and entertainment: from smartphones to PCs and set top boxes to games consoles.

Furthermore, the evolution of the Internet of Things means more types of device are becoming part of a cloud framework. In fact, the number and type of devices that can connect to the Internet and, therefore, cloud services is being blown wide open.

With IDC predicting that 212 billion devices will be connected by 2020, the growing relationship between the IoT and cloud, albeit exciting, potentially multiplies the number of endpoints connected to cloud environments exponentially, which may have severe security implications.

The traditional security framework has focused on PCs and mobiles, but new-age IoT devices, including smart TVs, connected cars, wearables, home appliances, health monitoring devices and smart energy meters, pose significant security threats.

“It is possible to hack anything”

Shortly after an experiment that stopped a passenger car in its tracks was carried out in a controlled hacking operation, Russian IT security expert Eugene Kaspersky used this example to warn against the possibility of Formula One cars being hacked, stating that “it is possible to hack anything”.

Cars are a particularly interesting example. As we move towards the reality of driverless cars and intelligent transport systems, cars will rely far more heavily on on-board computers and communications with other vehicles as well as the broader transport network (traffic lights, satellite navigation systems, etc.).

In the case of Formula One, the number of devices connected within its network makes it an interesting ‘live’ example when trying to understand the challenges of securing an IoT network – from on-board computers in the cars, computers that measure car performance trackside through to the ones connected into the circuit’s network remotely from engineering centres.

Certain questions must be asked, and answered, to ensure the F1 network is safe from attack. Is the purpose-built MPLS network resilient enough to withstand a potential DDoS attack and are there any weak points of entry through which the network could be infiltrated? Are all F1 teams working to the same security standards when it comes to protecting their own networks at a device level?

More doors to close

The considerations I mentioned using F1 as an example are relevant because, for businesses, delivering more services to customers through the cloud means connecting with an ever-increasing number of devices. However, while the F1 network can be seen as more of a closed circuit, with fewer parties required to take responsibility for securing their own networks and devices, delivering applications, TV channels and other forms of content to the world brings challenges on a different scale.

IoT devices communicate with little human interaction, so mutual authentication is a crucial need. Many Internet-facing services use Bash to process certain requests, allowing an attacker to exploit vulnerable versions to execute arbitrary commands. In doing so, attackers can gain unauthorised access to a device's system and execute arbitrary code remotely.

Take the example of distributing content such as TV shows and computer games through the cloud – every endpoint that content is delivered to, whether that’s a smart TV, games console or laptop is a potential vulnerability. Furthermore, while standards of cloud security are well defined – security standards at a device level are in many cases unclear. This means providers must exercise caution when allowing IoT devices to access the cloud.

While the standards of cloud security are way ahead of those in place for IoT devices, it is important for cloud providers to be aware that the cloud is only as secure as the most insecure device it is connected to. While the industry must agree on resilient standards for endpoint devices in the long-term, in the short term processes must be put in place by cloud providers to ensure they are protected against threats from potentially insecure devices. After all, it is possible to hack anything.

Six silver bullets to mitigate IoT threats 

  • Detecting DDoS attacks early by identifying malware caused by thingbots at the upstream tier 1 service provider level can mitigate attacks at the source.
  • Accelerating the evolution of common IoT standards for inter-operability and security.
  • Developing FPGA (Field Programmable ASIC) embedded security chips for connected car manufacturers and wearables, built in at the design stage.
  • Public key infrastructure-based solutions could help to secure exchanging information with authentication credentials across global IoT devices.
  • IoT authentication with biometric data obtained using physical or behavioral features of a person (wearable devices).
  • Improving privacy by design and periodic privacy impact assessments would promote trust in the IoT paradigm.
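
One way to ground the PKI-based authentication in the list above, and the mutual-authentication need raised earlier, as an added example that is not from the original post: a provider-run device CA enrols a device, and a cloud-side check admits only certificates that chain to that CA. The CA name, device IDs and lifetimes are constructed, the `openssl` CLI is assumed to be installed, and only the device-to-cloud half of mutual authentication is shown.

```shell
#!/bin/sh
# Added example: CA name, device IDs and lifetimes are constructed for illustration.
WORK=$(mktemp -d)

# 1. Provider-controlled device CA (in production the CA key belongs in an HSM).
make_device_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Device CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Enrol a device: a key pair is generated per device and the CA signs its CSR.
enrol_device() {  # $1 = device id
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 7 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.pem" 2>/dev/null
}

# 3. A device that never went through enrolment presents a self-signed certificate.
make_unenrolled_device() {  # $1 = device id
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# 4. Cloud-side admission check: accept only certificates that chain to the device CA.
device_admitted() {  # $1 = device id; returns 0 only if the chain verifies
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" 2>/dev/null | grep -q ': OK$'
}

make_device_ca
enrol_device smart-tv-001
make_unenrolled_device unknown-console

for d in smart-tv-001 unknown-console; do
  if device_admitted "$d"; then echo "$d: admitted"; else echo "$d: rejected"; fi
done
```

For the authentication to be mutual, the device runs the equivalent check on the cloud endpoint's certificate against a CA it was provisioned with.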


Tata Communications was the Official Connectivity Provider of Formula 1® between 2012 and 2019. Tata Communications was also the Official Managed Connectivity Supplier to Mercedes-AMG Petronas Motorsport, and Official Digital Transformation Partner to ROKiT Williams Racing until the end of the 2019 season.