By Roger Strukhoff
May 27, 2014 01:51 PM EDT
I am as excited as anyone about the potential of the IoT. But let's step back a second, and think about its security. With trillions and trillions of things deployed in the future, it might be an issue!
I addressed my concerns to Malte Pollmann (pictured below), CEO of Utimaco, who had this to say...
Roger: In the excitement over the Internet of Things, I don't see much talk about security. What are the big issues you see for security? In other words, is the IoT safe, and if not, how can it be safer?
Malte: The security challenges of objects becoming smart, personal and having their own identity are quite similar to the ones we have in the real world.
Once "anything" can play an active role, we want to be sure these "things" have the right identity, and then can be authenticated and the actions they require and initiate can be trusted. Security for the Internet of Things has precisely to care about the security of such identities.
Roger: What can you do to let CISOs ensure their data integrity is maintained and infrastructures immune from successful attack?
Malte: We face a dramatic overhaul of the old production world and systems today. Smart objects and permanent connectivity are creating great opportunities, but are also a source of concern due to hacker threats as well as the security of the data generated.
Whenever a whole lot of objects interact, we quickly see big masses of data - potentially private or at least highly valuable data - being created. Securing the infrastructure and the data within is our core concern, and whenever customers are concerned to protect high-value assets they generally turn to state-of-the-art encryption embedded in hardware security as the ultimate protection.
Our core expertise of hardware security modules of the highest protection class solves these problems every day.
Roger: How will security providers address privacy concerns? As a European company, you may have more experience with the EU and its concerns, for example, than in the US.
Malte: Basically every organization and company is somewhere maintaining customer data, not only addresses and invoicing data, but equally usage and support information from their client base. While the EU data protection laws are very strict and require customer consent if data is being processed by someone or somewhere externally - this is a trade-off against IT systems setup and efficiency in many cases.
Data encryption, encrypted transport and storage, and ultimate master-key authority, for instance implemented with deployment of certified Hardware Security Modules, can help solve this conflict in everybody's interest and with great operational efficiency.
Roger: What about "back doors"? What sort of entry points should IT management be most concerned about with the IoT?
Malte: As a security vendor and as a company for more than 30 years in the business of protecting high-value assets and infrastructures, we have a clear "no-backdoor" policy and an absolute commitment to ensure that only our customers by themselves have the authority over their own key-material.
Manifold certifications by independent bodies prove this commitment, in addition to our worldwide broad base of loyal customers and our long time in business, never being compromised. So while you should be careful in your technical deployment, use encryption and access-rights management as much as you can, also be very clear and careful in your vendor selection.