IoT Security: Cloud Security Alliance Shows a Way

CSA hopes its move will provide actionable and useful IoT security guidance

Late last week the Cloud Security Alliance (CSA) released an IoT security guidance report, Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products, that  aims to help IoT devices makers and service providers to better understand the most essential security measures they must incorporate if their devices are to be reasonably hardened against attack. 

This is one of the most important topics in IT and cybersecurity right now. As covered in our post, the IoT will soon become the biggest vector of attacks on companies, as the number of connected devices is set to reach between 20 billion and 50 billion units by 2020. And that Gartner predicts by 2020 more than 25 percent of identified attacks on enterprises will involve the IoT.

Last month, the security news site KrebsOnSecurity.com was hit by the largest distributed denial-of-service (D-DoS) attack the Internet company Akamai had witnessed. The attack was based on the attackers having hijacked hundreds of thousands, perhaps a million, IoT connected devices and converted them into bots used to create the traffic in the tremendous attack.

Not good. Because our manufacturing, supply chains, transportation, and healthcare devices will be connected at at-risk IoT security is something we have to get right. Brian Russell is Chair IoT Working Group, and the group consists of 30 group members who contributed to development of the 80-page guidance.

Russell said in this statement on the nature of the guidance. “It is often heard in our industry that securing IoT products and systems is an insurmountable effort. However, with the help of our extremely knowledgeable and dedicated volunteers, we are providing a strong starting point for organizations that have begun transforming their existing products into IoT-enabled devices, as well as newly emerging IoT startups,” Russell said.

The goal, he said, is to make it easier for developers and others to develop their own security strategy, and help mitigate the most pressing IoT risks.

The report details 13 considerations and guidance for designing and developing secured IoT, as well as to mitigate the more common security issues associated with IoT development. The CSA also provided the top five security considerations, when heeded, should immediately and substantially improve IoT security. 

Additionally, the report lays out guidance in the following seven areas: 

• A discussion on IoT device security challenges.
• Results from an IoT security survey conducted by the CSA IoT Working Group.
• A discussion on security options available for IoT development platforms.
• A categorization of IoT device types and a review of a few threats.
• Recommendations for secure device design and development processes.
• A detailed checklist for security engineers to follow during the development process.
• A set of appendices that provide examples of IoT products mapped to their relevant threats.