Security expectations for IoT providers
It isn't self-evident that an IoT portal is secure. An IoT provider may promise that the portal is properly secured, but a promise says nothing about how the back end is actually run. Keeping a portal secure takes several methods, applied at different levels and on an ongoing basis.
In this article, we describe the most important security aspects to expect from an IoT provider to keep your machines and data secure and to protect uptime:
- What an IoT provider should do to prevent data breaches
- How an IoT provider can test its portal for vulnerabilities
- How an IoT provider can avoid downtime
Preventing data breaches
Every day, errors and vulnerabilities are discovered in software, and each one can become a security issue. In the worst case they lead to a data breach, a compromised portal, or unwanted access to your machines or your customers' company networks. Keeping software secure is therefore a continuous process and requires vigilance from the IoT provider.
There are three ways to address such software problems structurally:
Patching
An IoT portal is usually built on standard modules (web frameworks, libraries, operating system packages). These must be kept up to date: as soon as a vulnerability in one of them is published, scripted attacks start scanning for it, and they hit any unpatched portal indiscriminately. Patching promptly shortens that window of exposure.
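The check behind "keep the modules up to date" is a comparison of what is installed against published advisories. The following is an added example, not code from the page or from any vendor: the module inventory and the advisory list are constructed, and the advisory identifiers are made up. In practice the inventory would come from `pip list --format=json` (or your stack's equivalent) and the advisories from a real database, which is what tools such as pip-audit and npm audit automate; the example also shows why version strings must be compared numerically rather than lexically.

```python
"""Flag installed portal modules whose version falls inside a known advisory.

Added example; inventory, advisories and identifiers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    advisory_id: str  # hypothetical identifier, not a real CVE


def parse_version(version: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when introduced <= installed < fixed."""
    v = parse_version(installed)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def outdated_modules(inventory: dict, advisories: list) -> list:
    """Return (package, installed, fixed_in, advisory_id) for every vulnerable module."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is not None and is_affected(installed, adv):
            findings.append((adv.package, installed, adv.fixed, adv.advisory_id))
    return sorted(findings)


# Constructed inventory, in the shape `pip list --format=json` would give after loading.
INVENTORY = {"webframework": "2.3.1", "tlslib": "1.1.9", "mqttbroker": "3.0.4"}

# Constructed advisories with made-up identifiers.
ADVISORIES = [
    Advisory("webframework", "2.0.0", "2.3.2", "EXAMPLE-0001"),
    Advisory("tlslib", "1.1.0", "1.1.8", "EXAMPLE-0002"),   # 1.1.9 is already fixed
    Advisory("mqttbroker", "3.0.0", "3.1.0", "EXAMPLE-0003"),
]

if __name__ == "__main__":
    for pkg, installed, fixed, adv_id in outdated_modules(INVENTORY, ADVISORIES):
        print(f"PATCH {pkg}: installed {installed}, fixed in {fixed} ({adv_id})")
```

Running this reports webframework and mqttbroker as needing a patch and leaves tlslib alone, because 1.1.9 is past the fixed version. A naive string comparison would get the ordering of 1.1.10 and 1.1.9 wrong, which is why `parse_version` exists.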
Monitoring
An audit trail consists of logs that record which commands were executed, by whom and when. These should be monitored continuously for abnormalities. The logs record events such as logins, connection requests and network traffic, so unwanted actions can be discovered quickly.
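What "monitoring for abnormalities" looks like in practice is a set of detection rules run over the audit trail. The following is an added example, not code from the page or from any vendor: the log format (an ISO-8601 timestamp followed by key=value fields), the sample lines, the role table and the thresholds are all constructed. It applies three rules: a burst of failed logins from one source, a successful login right after such a burst, and a privileged portal command issued by a user who is not an administrator.

```python
"""Run simple anomaly rules over portal audit-trail lines.

Added example; log format, sample lines, roles and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: an attacker brute-forces alice's account and succeeds,
# then bob (a normal user) tries to change another user's role.
SAMPLE_LOG = """\
2024-05-03T02:14:01Z user=alice src=203.0.113.5 event=login result=failure
2024-05-03T02:14:03Z user=alice src=203.0.113.5 event=login result=failure
2024-05-03T02:14:05Z user=alice src=203.0.113.5 event=login result=failure
2024-05-03T02:14:07Z user=alice src=203.0.113.5 event=login result=failure
2024-05-03T02:14:09Z user=alice src=203.0.113.5 event=login result=failure
2024-05-03T02:14:11Z user=alice src=203.0.113.5 event=login result=success
2024-05-03T08:30:00Z user=bob src=198.51.100.7 event=login result=success
2024-05-03T08:31:10Z user=bob src=198.51.100.7 event=command name=vpn_connect target=machine-17
2024-05-03T08:32:45Z user=bob src=198.51.100.7 event=command name=change_user_role target=alice
2024-05-03T09:00:00Z user=carol src=198.51.100.9 event=command name=change_user_role target=bob
"""

ADMINS = {"carol"}                                                   # constructed role table
PRIVILEGED = {"change_user_role", "firmware_update", "delete_device"}  # constructed command list
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> dict:
    """'2024-05-03T02:14:01Z user=alice ...' -> {'ts': datetime, 'user': 'alice', ...}"""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    rec.update(field.split("=", 1) for field in fields)
    return rec


def detect(log_text: str) -> list:
    """Return (rule, source_ip, user) for every line that trips a rule."""
    alerts = []
    fails = defaultdict(list)  # source ip -> timestamps of recent failed logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        src, user = rec["src"], rec["user"]
        if rec["event"] == "login":
            if rec["result"] == "failure":
                # keep only failures inside the sliding window, then test the threshold
                fails[src] = [t for t in fails[src] if rec["ts"] - t <= FAIL_WINDOW]
                fails[src].append(rec["ts"])
                if len(fails[src]) == FAIL_THRESHOLD:
                    alerts.append(("brute_force", src, user))
            elif len(fails[src]) >= FAIL_THRESHOLD:
                # a success from a source that just hit the threshold is the worst case
                alerts.append(("success_after_burst", src, user))
        elif rec["event"] == "command":
            if rec["name"] in PRIVILEGED and user not in ADMINS:
                alerts.append(("unauthorized_privileged_command", src, user))
    return alerts


if __name__ == "__main__":
    for rule, src, user in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: user={user} src={src}")
```

The first two rules need the audit trail to record failures as well as successes, and the third needs it to record the command name and the acting user; a log that only records "something happened" cannot support either.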
Vulnerability testing
Vulnerability testing is the process of evaluating the security risks in a software system. Its purpose is to reduce the opportunities for intruders to gain unauthorized access.
A vulnerability test probes the system's security procedures, design, implementation and internal controls for weaknesses that could lead to a violation of the system's security policy. Based on the outcome, the IoT provider can rank the findings and determine which issues should be fixed first.
Testing for vulnerabilities
When it comes to vulnerability testing, companies tend to think of it as a big and difficult task, because it is often equated with a pentest, which can be extensive and costly. An IoT provider can, however, also test for vulnerabilities in other, inexpensive ways:
Automated test
Every company, big or small, can run automated tests. They are performed by scanning tools, which are often inexpensive or even free. There are two kinds of automated test:
External automated test
Vulnerabilities are tested from the perspective of an attacker on the internet. The scanning server runs checks such as TLS configuration tests, port scans and web application scans to find which ports are reachable and whether software with known vulnerabilities is running on the web server.
Internal automated test
Vulnerabilities are tested from the perspective of someone who is already on the internal network. The scanning software runs on the server itself and checks, for example, whether the firewall rules are too permissive or whether users have been granted more rights than they need. Afterwards the IoT provider knows which weaknesses need to be fixed.
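Both kinds of automated test come down to comparing what a scanner found against what should be there. The following is an added example covering the external and the internal test above; it is not code from the page or from any vendor. The scan results are constructed: a host line in the shape of nmap's grepable (`-oG`) output, a `sudo` group entry in `/etc/group` format, and a few firewall rules in the shape `iptables -S` prints. The allowlists are assumptions for the example. Each check returns what is open or granted beyond the baseline.

```python
"""Compare constructed scan results against an expected baseline.

Added example; scan output and allowlists below are constructed.
"""
import re

# --- external test: which ports does the portal expose to the internet? ---
NMAP_GREPABLE = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "1883/open/tcp//mqtt///, 8883/open/tcp//secure-mqtt///\tIgnored State: closed (996)"
)
EXPECTED_EXTERNAL = {443, 8883}   # assumed baseline: HTTPS and MQTT over TLS only

# port/state/protocol/owner/service/... as written in nmap -oG output
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def unexpected_open_ports(grepable_line: str, expected: set) -> list:
    """Return sorted (port, service) pairs that are open but not in the baseline."""
    m = re.search(r"Ports: ([^\t]*)", grepable_line)
    if not m:
        return []
    return sorted(
        (int(port), service)
        for port, _proto, service in PORT_RE.findall(m.group(1))
        if int(port) not in expected
    )


# --- internal test: who has been granted administrative rights? ---
GROUP_LINE = "sudo:x:27:alice,bob,svc-portal"   # constructed `getent group sudo` output
EXPECTED_SUDO = {"alice"}                        # assumed: only alice should have sudo


def unexpected_sudoers(group_line: str, expected: set) -> list:
    """Return sorted members of the group that are not in the baseline."""
    _name, _pw, _gid, members = group_line.split(":", 3)
    return sorted(set(filter(None, members.split(","))) - expected)


# --- internal test: is the firewall too open? ---
IPTABLES_RULES = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
"""
ADMIN_ONLY_PORTS = {22, 5432}   # assumed: SSH and the database must be source-restricted


def world_open_admin_ports(rules: str, admin_ports: set) -> list:
    """Return admin ports accepted on INPUT without any -s source restriction."""
    found = []
    for rule in rules.splitlines():
        if not rule.startswith("-A INPUT") or "-j ACCEPT" not in rule:
            continue
        m = re.search(r"--dport (\d+)", rule)
        if m and int(m.group(1)) in admin_ports and " -s " not in rule:
            found.append(int(m.group(1)))
    return found


if __name__ == "__main__":
    print("unexpected external ports:", unexpected_open_ports(NMAP_GREPABLE, EXPECTED_EXTERNAL))
    print("unexpected sudo members:  ", unexpected_sudoers(GROUP_LINE, EXPECTED_SUDO))
    print("world-open admin ports:   ", world_open_admin_ports(IPTABLES_RULES, ADMIN_ONLY_PORTS))
```

On the constructed input this flags SSH (22) and plain MQTT (1883) as reachable from the internet, bob and a service account as unexpected sudo members, and the database port accepted from anywhere. The value of such a check is in running it on every change and alerting on any drift from the baseline, not in the one-off result.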
Penetration test
When an external company performs a pentest, it looks for vulnerabilities and suggests improvements. Pentesters use automated tests as a starting point and then dig deeper, by hand, into the security measures of the IoT provider. There are three types of pentest:
- Black box: the pentester receives only limited information in advance, such as IP addresses, and has to try to break into the IT environment the way an external attacker would.
- Grey box: the tester is given a little more context, such as information about the network and a user account, so the systems are tested from the perspective of a (malicious) user.
- White box: the tester gets full access to the network, the source code, architecture diagrams and elevated rights, so the entire environment can be evaluated.
Bug bounty
The IoT provider can register its platform on a bug bounty platform and describe which components are in scope and what kind of findings it is looking for. Independent security researchers then try to find vulnerabilities and receive a reward that depends on the impact of what they find.
Finding weaknesses through vulnerability testing is one measure an IoT provider can take to prevent security issues that cause downtime of the IoT portal, but there is more they can do.
Avoiding downtime with a scalable portal design
An IoT provider has to avoid downtime of its IoT portal to give customers a good user experience. Besides continuous monitoring and testing to detect and remove vulnerabilities, the platform should be designed for growth in traffic, data volume and peak load. The IoT provider can avoid downtime by building the portal in a way that is scalable and future-proof, so that users can invite more users, connect more machines and collect more data without a performance impact.
Furthermore, an IoT provider should ensure backups and built-in redundancy, so that when, for example, the database goes down, the portal automatically fails over to a replica that behaves exactly the same. The same applies to servers. Backups only count if restoring from them has actually been tested. One important consideration: don't host all servers in the same location or datacenter, because if something happens there, all servers go down at the same time.
Choose an IoT provider you trust for security
There are many providers that build or sell an IoT portal, and securing it is their main responsibility. It is therefore important to know how a provider works and whether it takes all of these security measures into account before you start using its IoT portal. By discussing security openly, you can build trust and see which IoT provider protects your machines and data best.
At IXON, security is very important. It's the cornerstone of everyday business. From management level down, it is implemented throughout the entire organisation and all software is developed in a secure way. We monitor, patch and test for vulnerabilities on a daily, weekly and monthly basis to ensure confidentiality, integrity and availability. Our ISO 27001 certification and IEC 62443 conformance demonstrate that we meet the strict requirements of those standards.
In our security white paper we explain how we secure our IoT portal and connectivity hardware.