The Internet of Things is being touted as the ultimate in convenience but it also could be the ultimate in loss of privacy and security, and even lead to a more dangerous world.
Picture, for a moment, a connected car with remote start features being turned off remotely by an unauthorized individual, or a clever burglar accessing home sensor information to determine the best time to break in.
The reality of those scenarios has enterprises planning M2M apps with integrated security features from day one, something that hasn't always happened previously in the development of apps and services, says Johan Sys, managing principal, Identity & Access Management, at Verizon Enterprise Solutions, which today unveiled a cloud-based security program aimed at the M2M market. (See Verizon Intros Cloud-Based Security for M2M.)
Due in large part to regulatory compliance issues around M2M, enterprises looking to smart meters, home monitoring services, and connected cars for their future services are taking into account the myriad possibilities for potential monetary damage, loss-of-privacy and general mayhem that can ensue when so many things get networked and thus become vulnerable, he says.
That doesn't mean these enterprises are willing to invest heavily up front in hardware and software to bake in the security they know they need, however, and thus Verizon's approach to securing M2M is a cloud-based Managed Certificate Services offer that lets enterprises pay as they go for the ability to authenticate the objects and machines they are connecting.
"We are looking at anything that gets Internet connectivity -- everything needs to be authenticated because you don't want to be able to introduce a spoofed device" that can connect into the M2M network, Sys says.
Traditionally, this authentication was handled with what are called PKI (public key infrastructure) processes, but those require substantial hardware and software with significant upfront costs. What Verizon has done is create a managed cloud-based service that can authenticate devices to the same degree as PKI solutions but in a scalable manner that does not come with a massive expense upfront.
There are different ways of enabling this approach, depending on the application. For example, to prevent piracy of connected set-top boxes or intrusion into smart meters, the public-private key combination can be baked in via software during the manufacturing process or it can be part of the installation process of the client device in the home. There are also software protections that can be added later to devices.
What is important, adds Sys, is that every part of the M2M value chain be protected, including protection of the networks and devices themselves, the securing of both physical and logical access credentials, protection of the communications among devices, and securing of the applications themselves and of the portals used for access.
The integrity of data received from the devices must be guaranteed and things such as firmware upgrades must also be authenticated to ensure no malware is introduced, he says.
There are country-specific regulatory guidelines that Verizon is addressing in its Managed Certificate Service as well. Organizations such as the National Institute for Science and Technology (NIST) in the US are already creating rules by which M2M must play.
That is ultimately a good thing, Sys says, because many of the efforts to layer on security after the fact prove less thorough.
Heavy Reading Senior Analyst Patrick Donegan will be discussing more ways to gain insight into mobile security and prevent malicious attacks at the upcoming Mobile Network Security Strategies (see below).
— Carol Wilson, Editor-at-Large, Light Reading
Interested in learning more on this topic? Then come to Mobile Network Security Strategies, a Light Reading Live event that takes place on December 5, 2013 at the Westin Times Square Hotel in New York City.