Six Questions for IoT Security Expert Dan Lohrmann

Whether you're instrumenting your factory with sensor networks or designing a consumer product that leverages Internet of Things technology, Security Mentor's chief security officer says you need to set your security strategy early.
By Mary Catherine O'Connor

IOT Journal: In general terms, there are many best practices for approaching data security with respect to IoT products and services—people often say things like "bake security into the product design." But what are the most important specific suggestions you'd give, say, a startup that is entering the market, no matter what type of IoT product or service it is developing?

Lohrmann: First, start with picking your secure IoT foundation. What is your IoT platform? I am not advocating any one specific vendor, but one example is Intel's IoT platform, which is a combination software and hardware and uses middleware from Intel subsidiary Wind River and security tools from another Intel subsidiary, McAfee.

Second, think end-to-end. How will your customer use your device or service? Offer a complete solution, or find a partner that can integrate new products or services with existing networks and other systems. This integration could be as simple as accessing a secured Wi-Fi system with an appropriate password, or may involve complex interconnectivity with enterprise-wide databases in another company across the country.

This integration must also address the authentication and access control issues. Who is allowed to do what? Is there a "single-sign-on" system that allows administration from some type of universal controller—almost like a universal remote for TVs, DVD players, etc.? Single sign-on systems are usually good; they make products easier to use and administer. The key becomes ensuring that whatever security system is deployed for your IoT devices takes into account the appropriate security controls for that solution. This article details the pros and cons of single sign-on solutions.

Third, look at best-practice deployments in your particular IoT space. Look for success stories to emulate. The website Titans of IoT has some good ones.

IOT Journal: What should governments or large enterprises that are buying IoT products and services be looking for?

Lohrmann: First, have an IoT plan and think through policies that need to be in place to deliver results. Map out a vision for your enterprise and lead the charge. Second, IT leaders must build security provisions and cyber-protections into current and new IoT contracts. From relationships with banks to the purchase of utility services, public-sector business leaders can make a difference.

The best way to influence the privacy of today's citizen data and the future of the Internet of Things is by strengthening the contract requirements in the procurement process. For guidance on ways to strengthen privacy protections, look to the federal government's FedRAMP program, which requires that standard contract clauses laying out privacy and security safeguards be included for systems that access cloud-computing resources. You can read more about FedRAMP contract requirements here.

Third, act now. It's not as overwhelming as you might think. When I see the claims and counter-arguments being made about IoT security, it reminds me of the early days of cloud computing. People are still asking: Can we secure the cloud? The simple answer is no, not the entire cloud. Still, you can secure your cloud. We can secure individual computer systems and applications connected to the Internet in your situation. You can secure your corner of cyberspace. Strive to secure your IoT project and not take on the unwieldy global world of IoT.

But don't wait for perfection, because, just as with current Internet apps, we will never have 100 percent secure systems.
