The European Union Agency for Network and Information Security (ENISA) has published a paper on the security challenges that arise from the convergence of Internet of Things (IoT) and Cloud computing. The paper is directed at IoT developers, IoT integrators and Cloud service providers, and concludes with a number of suggested steps to achieve secure solutions.

ENISA defines IoT as “a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making”. This would include, for example, smart homes, Fitbits and Apple Watches. ENISA divides the IoT ecosystem into three components, (i) devices, (ii) communications and (iii) Cloud platform, backend and services.

The growth of IoT in recent years has put pressure on Cloud computing to evolve in order to accommodate IoT’s needs, including aggregating, storing and processing the data that it generates. This resulted in a new model, the “IoT Cloud”.

The emergence of the IoT Cloud poses potential security risks, and ENISA is primarily concerned about the fact that IoT devices provide access to Cloud systems, and therefore any attack on an IoT device can potentially lead to a more widespread attack.

Security challenges

The paper identifies seven specific security challenges, spanning across the three “security aspects of the IoT and Cloud computing”, as identified by ENISA: connectivity, analysis and integration. These security challenges are illustrated in a series of “attack scenarios”, which represent real life situations, highlighting the gravity of these risks.

A common theme in these security challenges is IoT’s increasing use of edge computing. The paper notes the IDC forecast that by 2021, 43 per cent of IoT computing will occur at the edge. While acknowledging that edge computing has many benefits, the insecure flow of data between the edge and Cloud, caused by limited processing and storage capabilities of some endpoints, is a security risk.

IoT devices are highly moveable, meaning they can be located anywhere, and scattered across multiple locations, including unsecure environments. Real-time edge computation can occur on these devices, regardless of the security level of where they are located, posing a security risk. Since edge computing represents a link between IoT devices and Cloud, both IoT devices and Cloud become vulnerable to attack.

The paper also raises concerns about IoT devices not being implemented with security elements at the development stage and not receiving software updates further down the line.

Security takeaways

The paper provides suggested directions for achieving secure solutions for the IoT Cloud. ENISA suggests that:

  • Data flowing between the edge and Cloud should be encrypted, both in transit and at rest;
  • More secure hardware should be deployed in relation to IoT devices, to counter the risk of IoT devices being potentially located in unsecure environments;
  • Additional security elements should be added to IoT devices, such as security appliances, routers and gateways;
  • The API gateway should be incorporated at Cloud level to provide a control layer for the flow of data from edge devices; and
  • A baseline of security measures should be adopted, in order to harmonise security across the IoT ecosystem, along with a system of automated, secure software updates.

Comment

Overall, the paper is positive about the developments in technology and the opportunities that the convergence of IoT and Cloud can bring. However, the paper makes it very clear that the security challenges arising from these developments must be addressed and cannot be ignored going forward.