
Risk Based Security & Self Protection for Emerging Trends in Internet of Things (IoT)

The Internet of Things (IoT) refers to the arrangement of data streams and services created by digitizing everything through the four basic custom models of Manage, Monetize, Operate and Extend. IoT permits people and things to be connected at any time, with anything and anybody, in an ideal smart world, using any network and any service. Among the key challenges facing the Internet of Things today, security and privacy is the most pressing. Although technical innovations have provided crucial solutions to the security problem, the security barrier has not yet been overcome to a satisfactory degree. As a result, applying a Risk Based Security & Self Protection methodology to security concerns has become a novel research area.

IoT has become a vast and rapidly developing topic. It has spread widely across business applications, industrial systems and protocols, human interfaces, and a broad range of components such as sensors, devices, gateways, equipment and mobile assets. The use of platforms in IoT is being driven by transformative technologies such as cloud services, big data analytics, device clouds, social services and device connectivity platforms [7]. The IoT makes use of many synergies generated by the convergence of the consumer, business and industrial internet, and this convergence creates an open, global network that connects people, data and things. Examples of this enormous scope are IoT's demands, impacts and implications on sensor technologies, big data management and future internet design for IoT use cases such as smart cities, smart environments and smart homes.

The challenges of IoT that have emerged today include privacy, participatory sensing, data analytics, GIS-based visualization and cloud computing, in addition to the standard WSN challenges of architecture, energy efficiency, security, protocols and Quality of Service. Among the key challenges faced by the Internet of Things, security and privacy is the most important. Conceptually, all roads to the digital future lead through security.


As suggested by Goldman Sachs, “The Internet of Things (IoT) is emerging as the third wave in the development of the Internet.” [1]. According to IBM, “Internet-of-Things (IoT) provides the foundational infrastructure for a smarter planet and offers significant growth opportunities in IT, infrastructures and services”. According to the IBM Market Development and Insights report, Security and Privacy in IoT is listed as the first Internet of Things approach to watch in 2015 [1]. In addition, industry analyst Gartner recently identified risk-based security and self-protection among its Top 10 Strategic Technology Trends for 2015 [2]. The massive number of devices coupled with IoT data creates challenges and barriers, mostly in the area of security.


Security, Privacy and Trust


As the IoT has become a key milestone of the Future Internet and a critical international infrastructure, providing satisfactory security has become mandatory. Large-scale applications and services based on IoT are increasingly vulnerable to disruption from attacks or threats. The three main physical components of IoT, namely RFID (Radio Frequency Identification), WSN (Wireless Sensor Network) and cloud, are vulnerable to most known attacks. For RFID, there are two types of threat. The first is the RFID system security threat, which includes abuse of tags, reader's risk, personal privacy leaks and signal interference. The second is the communication security threat, which includes wireless communication risk, wired communication risk and Denial of Service [4]. WSNs are vulnerable to security attacks because of the broadcast nature of the transmission medium. These attacks can be active or passive. Active attacks include routing attacks in the sensor network, Denial of Service, node subversion, node malfunction, node outage, physical attack, message corruption, node replication attacks, false nodes and passive information gathering. Passive attacks include monitoring and eavesdropping, traffic analysis and camouflaged adversaries.

Cloud computing is today established as one of the most popular building blocks of the Future Internet. It has progressed through various paradigms that greatly help to reduce the cost of ownership and management of the associated virtualized assets and that enable the provision of new services. Security in the cloud is therefore a major research area that needs more attention. Because information and tools are concentrated in the cloud, and because it also handles financial matters, it is a more attractive target for attackers. Furthermore, security and identity protection have become critical issues in hybrid clouds, where public and private clouds are combined for business purposes. The types of attack on the cloud include the threats to cloud computing identified by the “Cloud Security Alliance” (CSA) [5], challenges inherited from networking, security problems concerning the location of cloud systems, and inevitable cases of information disclosure.


As much of the information in IoT may be personal data, there is a major requirement to support anonymity and restrictive handling of personal information. A number of advances have been made on this issue, including cryptographic techniques that allow protected data to be stored, processed and shared without the information being accessible to other parties. There are also techniques that support privacy-by-design concepts, including data minimization, identification, anonymity and authentication. Beyond these, the ubiquity and pervasiveness of IoT devices raise privacy implications that require further research. These include preserving location privacy, where location can be inferred from things associated with people, and keeping information as local as possible by using decentralized computing and key management.


As IoT applications and services scale across compound domains involving multiple owners, the reliability of the information and services being exchanged becomes an outstanding requirement. Developing a trustworthy framework for IoT fulfills this requirement. Today, IoT addresses this through Lightweight Public Key Infrastructures (PKI) as a basis for trust management, along with other assurance methods for trusted platforms, including hardware, software and protocols. In addition, there are access control methods to prevent data breaches. One example is Usage Control, the process of ensuring that information is used correctly, according to a predefined policy, after access has been granted.


IBM has developed a security model for the Internet of Things that is useful for understanding the security threats at various data flow and control transition points. The model has been generalized to accommodate all categories of IoT “things”, but not all “things” will require all components of the model [1].

There are two types of network security concern that must be addressed in IoT: network infrastructure security and information security. Securing a network infrastructure includes physically securing the devices that provide network connectivity and preventing unauthorized access to the management software that resides on them. Information security refers to protecting the information contained within the packets transmitted over the network and the information stored on network-attached devices. Security measures taken in a network should avoid unauthorized disclosure, prevent theft of information, avoid unauthorized modification of information and prevent Denial of Service (DoS) [6]. One of the first and most basic lines of network perimeter defense is the firewall, which inspects inbound and outbound traffic on a specified network.


There have been tremendous advances in security implementations, and next-generation firewalls that include Unified Threat Management (UTM) capabilities should be part of any Information Security Plan. Examples of these capabilities are Stateful Packet Inspection, Application Control, Intrusion Detection/Prevention, anti-malware/anti-spam, endpoint security, virtualized environments and VPN. However, shrinking budgets, a lack of security focus and resources, and the lack of a common approach to information security have become constraints on implementing effective IoT security.


In today’s competitive digital business world, IoT security cannot be an obstruction that stops all progress. Organizations are keen to implement approaches and more sophisticated risk assessment and mitigation tools that provide a 100 percent secured environment. Security-aware application design, dynamic and static application security testing, and runtime application self-protection combined with active context-aware and adaptive access controls are all required in today's dangerous digital world. This will lead to new models that build security directly into applications rather than relying on traditional perimeters and firewalls.


In light of the security issues above, Risk Based Security and Self-Protection has emerged as a novel topic in IoT security. There has been a slow but steady change in the way organizations approach security, towards a Risk Based Model. Organizational personnel are being asked to prioritize risks by identifying which ones need to be addressed and which ones should be accepted, based on the cost of doing business. Compliance, recent security events, the threat landscape and a proactive approach are some of the major factors that drive a Risk Based Security Model.


Risk Management Model


Risk management is the complex, multifaceted and ongoing process of identifying, assessing and responding to risk. Managing risk requires businesses and organizations to understand the likelihood, or probability, that an event will occur and its resulting consequence or impact. Risk tolerance is the determination and acceptance of the level of risk for the delivery of services, performed using the Risk Management Model. Organizations use several risk management frameworks today, including NIST SP 800-39, ITIL, the ISO 27000 series, HIPAA, PCI, internally developed systems or a combination of these [7]. NIST SP 800-39 is the major framework used by many organizations today.

NIST SP 800-39 framework

Establishing a realistic and credible risk frame helps organizations identify their risk assumptions, constraints, tolerance, priorities and trade-offs. The Risk Assessment component identifies the threats, vulnerabilities, consequences or impacts, and the likelihood that harm will occur. The end result of this step is the determination of risk. The next step, responding to risk, provides a consistent, organization-wide response to risk in accordance with the existing organizational risk frame by developing, evaluating, determining and implementing a risk response process. The purpose of the Risk Monitoring step is to verify and determine the ongoing effectiveness of the response and, through that, to identify risk-impacting changes.


Runtime Application Self Protection (RASP)


Today, most runtime protection of applications is delegated to external devices. RASP is a security technology that enables self-protection through protection features built into the application in its runtime environment. It runs on the application server and monitors the execution of the application from the stack. It is predicted that 25% of web and cloud applications, as well as virtualized environments, will become self-protecting through this mechanism [7]. With regard to security threats to applications on mobile devices, RASP can be cited as an effective solution for the access and use of these mobile devices within enterprise networks.
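The self-protection idea described above, as an added illustration (not code from this article or from any RASP product): a Python audit hook (PEP 578) sits inside the runtime, refuses process creation while a request handler is running, and walks the call stack to record which application function triggered it. The serve wrapper, the two handlers and the device names are constructed for the example.

```python
import contextvars
import subprocess
import sys

# True only while application code is serving a request (assumed policy scope).
_in_request = contextvars.ContextVar("in_request", default=False)
# Runtime audit events this policy refuses during request handling.
BLOCKED_EVENTS = {"subprocess.Popen", "os.system", "os.exec", "os.posix_spawn"}
blocked_log = []  # (event, application function) pairs kept for monitoring


class SelfProtectionError(RuntimeError):
    """Raised inside the application when its runtime policy is violated."""


def _rasp_hook(event, args):
    if event not in BLOCKED_EVENTS or not _in_request.get():
        return
    # Walk up the stack to the application function that caused the event.
    frame = sys._getframe(1)
    while frame and frame.f_code.co_filename != _rasp_hook.__code__.co_filename:
        frame = frame.f_back
    caller = frame.f_code.co_name if frame else "<unknown>"
    blocked_log.append((event, caller))
    raise SelfProtectionError(f"{event} blocked in {caller}")  # aborts the call


sys.addaudithook(_rasp_hook)  # stays installed for the life of the process


def serve(handler, *args):
    """Run a request handler with self-protection active (hypothetical wrapper)."""
    token = _in_request.set(True)
    try:
        return handler(*args)
    except SelfProtectionError as exc:
        return f"403 {exc}"
    finally:
        _in_request.reset(token)


def device_status(device_id):   # constructed handler: pure application logic
    return f"200 {device_id} online"


def ping_device(host):          # constructed handler: tries to spawn a process
    return subprocess.run(["ping", "-c", "1", host]).returncode


if __name__ == "__main__":
    print(serve(device_status, "sensor-17"))
    print(serve(ping_device, "sensor-17.example"))
    print(blocked_log)
```

The hook raises before any child process is created, so the decision is made inside the application rather than by a firewall in front of it.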

Although the Internet of Things has moved the world into a new stage, it has not yet provided satisfactory solutions to the security threats it currently faces. A Risk Based Security model is a different perspective on Information Security that helps to provide a flexible, ongoing and fluid Information Security framework, one that needs collaboration across every aspect of IoT. The Risk Based Security model comes in various forms to accomplish an organization's overall strategic objectives. Runtime Application Self Protection (RASP) is an emerging security technology that can address the quickly disappearing perimeter for Information Security.

References

[1] Bill Chamberlin, Principal Client Research Analyst - HorizonWatch (January 27, 2014), IBM Market Development & Insights, Internet of Things: HorizonWatch 2015 Trend Report, A bluemine original report – Client Version, 2014.

[2] Lulu NG (January 28, 2015), NexusGuard_PressRelease_2015_Americas_Expansion, Answering Growing Security Threat, Nexusguard, the Worldwide Leader in DDoS Security Solutions, Expands to the Americas.

[3] Ton Van Deursen (2011), “50 ways to break RFID Privacy”, IFIP AICT (Advances in Information and Communication Technology) 352, pp. 192-205.

[4] S. Ghemawat, H. Gobioff, and S. Leung (2003), “The Google File System”, in Proceedings of the 19th Symposium on Operating Systems Principles (OSDI 2003), pp. 29-43.

[5] Netacad.com, 'Cisco Networking Academy', 2015. [Online]. Available: https://www.netacad.com/. [Accessed: 23- Sep- 2015].

[6] M. Sanchez, 'Risk Based Security and Self Protection', (2015).

[7] O. Vermesan, (2014), Internet of things applications - from research and innovation to market deployment, River Publishers.
