While most think the gist of IoT is about the Internet of Things, those of us following the recent events (heartbleeding shellshocked poodles) in the security space know that NIST is spot on with their recommendation to implement a “Zero Trust Architecture.”
If you’ve configured an Arduino, by now you know that it doesn’t take much to get the WiFi SSID and password from one of these little things, especially if it is equipped with a USB port to connect directly to it with a laptop — which most have as that is both the port used for power and for initial setup to configure it to connect to a network.
Having said that, it begs the question if an Arduino even has the computational power and memory required for adequate encryption of any data that the “thing” is sensing once it is on the network. And if data privacy is not a concern for your use case, then losing control of the things connected to it should minimally be a concern. The simplicity of IoT development is attractive to many developers due to the low cost to enter a very compelling market of wirelessly controlling anything with a switch. However simplicity and security are certainly orthogonal concepts.
While it may seem convenient to be able to turn on your air conditioner as you depart a plane so that your home is comfortable before you pull into the driveway, it would not be convenient to find out that somehow the “thing” was hijacked and had instead cranked up the heat while you were away. These are the types of things that should concern the consumer that is so enamored with a winking hub endorsed by a nesting actor obsessed with the fortune of perfectly dimmed lighting.
What is a Zero Trust Architecture? Start here: i0t
Now that we all understand the value of segmentation gateways at the API layer that offer value beyond simply opening and closing ports like a traditional network firewall, we can discuss enclaves of domains of trust and the ability to centrally manage policies across these zones of control.
I’ll be at Moscone North in San Francisco on October 21, 2014 demonstrating how SOA Software API Gateways can play the role of a segmentation gateway Policy Enforcement Point for IoT API controllers, and how the SOA Policy Manager plays the role of the Policy Administration Point and the Policy Decision Point for each gateway.