Azure IoT - Good Security Practices

Background

Businesses face security, privacy and compliance challenges which are unique to the IoT. Security for IoT solutions includes ensuring that devices are securely provisioned, that there is a secure connectivity between the devices and the cloud, as well as a secure data protection in the cloud during processing and storage. An in-depth security strategy is needed to secure an Internet of Things (IoT) infrastructure.

Internet of Things (IoT) infrastructure

Securing an IoT infrastructure

All of the actors and players involved with the manufacturing, development, and deployment of IoT devices and infrastructure need to be involved in the development and execution of an effective security strategy.

IoT hardware manufacturer/integrator

This includes manufacturers and integrators of hardware. The best security practices for IoT hardware manufacturers and integrators include,
  • Scoping hardware to the minimum requirements
    Additional features can open the device to attack, so only include the minimum features needed for the operation of the hardware. For example, only include USB ports if they’re essential for the device to have.

  • Making hardware tamper proof
    Devices should include the built-in mechanisms which can detect physical tampering with a device. Tamper signals can be uploaded to the cloud and checked frequently.

  • Building around secure hardware
    If possible, security features such as secure and encrypted storage, or boot functionality based on a Trusted Platform Module (TPM) should be included.

  • Making upgrades secure
    Devices should have secure paths for upgrades to help ensure that devices remain secure before, during and after upgrades.

IoT solution developer

This is who develops an IoT solution. A developer can be in-house or a systems integrator who specializes in developing IoT solutions. The components of an IoT solution can be developed from scratch, include open-source components or use solution accelerators. The following are the best practices for IoT solution developers,
  • Follow secure software development methodology
    Security concerns influence the choice of platforms, languages, and tools so it’s vital that security issues are considered and included from the inception of an IoT project.

  • Choose open-source software with care
    An active community attached to open-source software means that the software is supported and that any issues are discovered and dealt with.

  • Integrate with care
    Ensure that all the interfaces of components being integrated are checked for security flaws.

    IoT solution deployer

IoT solution deployer

This involves deploying hardware in the field, ensuring the interconnection of devices and deploying solutions in hardware devices or in the cloud. Best practices for IoT solution deployers include,
  • Deploying hardware securely
    Devices may need to be deployed in unsecured locations. Therefore, it’s important to ensure that hardware deployment is as tamper-proof as possible; for example, securely cover USB or other ports.

  • Keep authentication keys safe
    Authentication keys and devices IDs for each device need to be kept secure. A compromised key can result in a malicious device masquerading as an existing device.

    IoT solution deployer

IoT solution operator

This includes the team who carries out long-term operations, monitoring, upgrades, and maintenance and check that the system is functioning correctly. The following are the best practices for IoT solution operators,
  • Keep the system up-to-date
    All device operating systems, device drivers, and the operations need to be kept up-to-date in order to provide a secure operating system for the IoT devices.

  • Protect against malicious activity
    If possible, install the latest antivirus and malware capabilities on each device’s operating system

  • Audit frequently
    Audit frequently for security-related issues. Event logging should also be reviewed frequently to check for security breaches.

  • Physically protect the IoT infrastructure
    Physical access to devices is often the source of the worst security attacks so it’ important to protect USB ports and other physical access to devices. Physical access can also be logged.

  • Protect cloud credentials
    Gaining access to an IoT system is most easily done through the use of cloud authentication credentials. Therefore, these credentials need to be protected; for example, by changing passwords frequently and not using these credentials on insecure devices.

Device capabilities

The capabilities of IoT devices can vary widely from computers to security cameras. Therefore, the security best practices can only be used in varying degrees. Manufacturers often include security and deployment best practice information which should also be followed.

Legacy devices

Many devices in use may be unable to encrypt data, connect with the internet or provide auditing. In order to deal with these issues, a secure field gateway can be used to collect data from legacy and constrained devices, as well as providing many security features such as secure authentication and receipt commands from the cloud.