“Five 9s, NERC/CIP, HIPAA Compliant, CISSP…” When it comes to device or “thing” security you’ve had numbers and a variety of security certification acronyms thrown your way. While this information really does mean something, we want to dive in and tell the whole story. “If you read between the lines, these up-time commitments and certifications imply that device security and reliability are a reason to avoid connecting your machines to the Internet. But, nothing could be further from the truth. Once you start streaming GPS location, device health, messages and so forth, the security and reliability of the device itself skyrockets,” Digi’s Chief Innovator, Rob Faludi, pointed out.
So, in this post, Device Cloud’s leader of information security, Don Schleede, breaks down how attaching devices will lower security risks. Below he explains why and how.
Let’s start with an analogy. Imagine you have a nice house, close to the city, but still a little rural. You install the best security system that money can buy. But it is not hooked up to any phone line, and never reports back to a centralized and managed center. What happens when a burglar breaks in? Chances are that your system will be going off for a long time. Are you really protected? The same concept applies to a device.
Centralized data collection and management provides the following 6 benefits:
1) Centralized Identity and Authorization
When a device is connected you are able to track logins and use of the device. You also have the ability to do a much simpler password restore operation and to federate your user ID and password to your central ID repository, where password expiry and authentication are monitored.
2) Firmware Updates for Security
Device connectivity to a system like Device Cloud allows for automatic notifications of firmware updates for your devices. Firmware updates can easily be rolled out in batches, instead of visiting each device and risking missing a few.
3) Configuration Settings
Connectivity offers the ability to store the configuration of your device off-site. You also have the ability to create a “gold configuration” for all of your devices. Also, if you need to meet a security standard, all devices can be validated against a standard and suggestions for improved security can be recommended. For example, you may have 120 devices, but one of them is misconfigured and insecure (not running SSL, for example). An alert for this can be raised within a console.
4) Centralized Logging
Centralized logging for devices makes for easier manageability. Connectivity enables you to do advanced analysis and correlations on devices. For example, can you do brute force detection on your current devices? If a device starts to malfunction, the visibility of that malfunction can be centralized and someone can be alerted easily.
5) Asset Management
Having one location where all of your devices are located, and the ability to tell the status of the devices, gives you a nice clean way to manage your inventory and identify missing devices. If a device is stolen, it may be recoverable. This is similar to someone stealing an iPhone and trying to enable the stolen phone on a new account.
6) Disaster Recovery/Replacement of Bad Units
Devices that are connected have minimal downtime due to broken devices. The last known configuration can be restored onto a new unit. And, there’s the option of spinning up a new device if a disaster were to occur.
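The fleet check described under Configuration Settings above, as an added example that is not Device Cloud code: each device's stored configuration is compared with a gold baseline and only the deviations are reported. The setting names, device IDs and the 120-device sample fleet are constructed for illustration, and the example goes one step beyond the text by also flagging a device whose setting is missing entirely.

```python
# Added example: audit a fleet's stored configurations against a gold baseline.
# All setting names, values and device IDs below are constructed assumptions.

GOLD = {
    "ssl_enabled": True,
    "telnet_enabled": False,
    "min_password_length": 12,
    "firmware_version": "2.4.1",
}

def audit_device(config, gold=GOLD):
    """Return a list of (setting, expected, actual) deviations for one device."""
    findings = []
    for key, expected in gold.items():
        actual = config.get(key, "<missing>")
        if key == "min_password_length":
            # A longer minimum than the baseline is still compliant.
            ok = isinstance(actual, int) and actual >= expected
        else:
            ok = actual == expected
        if not ok:
            findings.append((key, expected, actual))
    return findings

def audit_fleet(fleet, gold=GOLD):
    """Map device ID -> deviations, listing only non-compliant devices."""
    report = {}
    for device_id, config in fleet.items():
        findings = audit_device(config, gold)
        if findings:
            report[device_id] = findings
    return report

def build_sample_fleet(size=120):
    """Constructed fleet: one device with SSL off, one with a setting missing."""
    fleet = {f"dev-{i:03d}": dict(GOLD) for i in range(1, size + 1)}
    fleet["dev-042"]["ssl_enabled"] = False
    del fleet["dev-077"]["telnet_enabled"]
    return fleet

if __name__ == "__main__":
    for device_id, findings in sorted(audit_fleet(build_sample_fleet()).items()):
        for key, expected, actual in findings:
            print(f"ALERT {device_id}: {key} expected {expected!r}, got {actual!r}")
```

A missing setting is treated as a finding rather than as compliant, so a device that never reported a value cannot pass the audit silently.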
Overall, devices are small, and typically are limited in CPU, memory and power. Including many of the security features needed today in each device is simply impossible because of those limits. The better approach is to “off-load” or shift those functions into the cloud. When a device works together with a device cloud service, the two can cooperate to increase the overall security of that device, and of all devices in general. The result is better device security through security information sharing.
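Brute-force detection, raised under Centralized Logging above, is one function that can be shifted off the device. The sketch below is an added example, not Device Cloud code: it counts failed logins per source across all devices in a sliding window, so a source that stays under any single device's radar is still flagged. The log format, device IDs and addresses (documentation ranges) are constructed assumptions.

```python
# Added example: brute-force detection over centrally collected login events.
# The log format, device IDs and source addresses are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T10:00:00 dev-001 LOGIN_FAIL user=admin src=203.0.113.7
2024-05-01T10:00:02 dev-005 LOGIN_FAIL user=admin src=192.0.2.50
2024-05-01T10:00:05 dev-001 LOGIN_FAIL user=root src=203.0.113.7
2024-05-01T10:00:10 dev-002 LOGIN_FAIL user=admin src=203.0.113.7
2024-05-01T10:00:12 dev-004 LOGIN_FAIL user=ops src=198.51.100.9
2024-05-01T10:00:20 dev-002 LOGIN_FAIL user=root src=203.0.113.7
2024-05-01T10:00:30 dev-004 LOGIN_OK user=ops src=198.51.100.9
2024-05-01T10:00:40 dev-003 LOGIN_FAIL user=admin src=203.0.113.7
2024-05-01T10:03:00 dev-005 LOGIN_FAIL user=admin src=192.0.2.50
2024-05-01T10:06:00 dev-005 LOGIN_FAIL user=admin src=192.0.2.50
2024-05-01T10:09:00 dev-005 LOGIN_FAIL user=admin src=192.0.2.50
2024-05-01T10:12:00 dev-005 LOGIN_FAIL user=admin src=192.0.2.50
"""

def parse(line):
    """Split one constructed log line into (timestamp, device, event, source)."""
    ts, device, event, _user, src = line.split()
    return datetime.fromisoformat(ts), device, event, src.split("=", 1)[1]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold failed logins inside the sliding window,
    counted across all devices. Returns {source: sorted devices it touched}."""
    # Events from many devices can arrive out of order, so sort by time first.
    events = sorted(parse(line) for line in lines if line.strip())
    recent = defaultdict(deque)  # source -> (timestamp, device) of recent failures
    alerts = {}
    for ts, device, event, src in events:
        if event != "LOGIN_FAIL":
            continue
        q = recent[src]
        q.append((ts, device))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault(src, set()).update(d for _, d in q)
    return {src: sorted(devs) for src, devs in alerts.items()}

if __name__ == "__main__":
    for src, devices in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT brute force from {src} across {', '.join(devices)}")
```

In the sample, no single device sees more than two failures from 203.0.113.7, so only the fleet-wide count reaches the threshold; the slow attempts from 192.0.2.50 are caught only if the window is widened.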
Meet Security Standards with Device Cloud
As we mentioned earlier, many industries have specific security requirements that need to be met while handling customer data. This is especially prevalent in industries handling sensitive data, such as health care with HIPAA compliance and e-commerce with the PCI standard. Device Cloud’s ISO 27001 Certification enables our users to meet these industry-specific requirements and guarantee protection of their customers’ data and devices.
The ISO 27001 program is only part of the protection Device Cloud offers. We also maintain SSAE-16 SOC 1 certifications for our data centers, keeping your data safe and secure.
As the Internet of Things continues to grow and develop, security must be considered at every point throughout the network. Device Cloud fulfills this need and can be used to deliver security to your devices and keep your data secure.
Learn more about Internet of Things Security
You can listen to Don’s interview with Device Line Radio, as he covers the current state of data security in the industry as well as the advantages of using a cloud platform to secure your devices. We also offer a white paper on Device Cloud security here.
Have a question about device security? Ask in the comments section below or on Twitter.