The Covid-19 pandemic has made digital transformation an urgent necessity for organizations, pushing the adoption of a hybrid work model marked by remote connection and enabled by the convergence of the internet of things (IoT) and cloud computing.
While large-scale IoT deployments provide a number of benefits, more IoT devices, and consequently a more complex IoT ecosystem, also mean more security vulnerabilities from the edge to the cloud. When trying to assess risks, most organizations think in terms of the devices themselves instead of the services offered through the cloud as probable attack vectors. But with all the data being amassed through the edge, organizations turn to cloud services to ease the strain on their own IT infrastructure, which then creates a whole new layer of cloud security issues. Given this, many companies unfortunately fail to see the urgency of implementing a cybersecurity strategy for the IoT until it’s too late. Prevention in this instance is infinitely better than cure; a measured approach can help security teams mitigate risks now as threats multiply and continually evolve in the future.
Enterprises that have just started their IoT adoption or are looking to expand their established IoT networks are pretty much in the same boat when it comes to managing, monitoring, and securing their connected IoT environments.
The IoT relies on cloud computing to integrate servers, analyze information gathered from sensors, boost processing power, and increase storage capacity. The security risks to IoT herein discussed are specific to the cloud.
Major cloud-related challenges facing the IoT
API gateway misconfigurations
Application programming interfaces (APIs) make fast and efficient communication with IoT cloud servers possible for device manufacturers and developers. An IoT device can request specific actions from the cloud server using an API gateway and vice versa. The gateway serves as a doorway to the cloud as it limits IoT device traffic. It also facilitates specific commands such as turning the device on or off, checking the device’s status, upgrading the firmware, downloading or uploading screenshots or videos, and accessing data. Threat actors can use a misconfigured device or a cloud service for malicious activities such as faking a command sequence by changing the logic between the APIs, thus causing more vulnerabilities. Other possible activities include user spoofing, man-in-the-middle (MiTM) attacks, denial of service (DoS) attacks, and session replays.
Our report on cloud-based IoT solutions also provides insightful context on this and other related threats.
Identity and Access Management (IAM) misconfigurations
IAM is a framework of processes, policies, and technologies that enables the management of digital devices and identities. An IAM framework allows information technology (IT) managers to control user access to critical information within their organizations. Developers, on the other hand, configure specific rules and policies for IoT devices connected to cloud servers through the IAM. As this is done, every IoT device is expected to process a huge workload equivalent to the corresponding limitations for data access and streams. Some cloud-based IoT devices utilize the same design, logic, and trust chain as some cloud-based servers and services used for alignment and ease of configuration.
Threat actors can exploit IAM misconfigurations in many ways. They can breach the server, block data traffic and access, launch more complex attacks, control the cloud service, or spoof a guest or device user.
Misconfiguration is a common problem in cloud computing, as it can provide a path for attacks like data exfiltration. Misconfigurations and similar security flaws in the cloud can cause serious damage to the IoT ecosystem to which it belongs.
Unsecure communication and data flow between the edge and the cloud
Access controls and the integrity of the data sent between the endpoints are endangered if the cloud lacks security features such as authentication and encryption. Weaknesses in the security of the data traffic or path expose the device or the cloud server.
Misuse of cloud services
Threat actors can willfully violate their contracts with the cloud platform by launching attacks on the networks such as brute force attacks, trojans, SQL injections, botnets, phishing, and denial of service (DoS) attacks. Some cloud service providers may not always have the ability to detect the attacks on their networks because they can neither generate nor block the attacks.
Here are a few pointers to consider for minimizing cloud-related risks in your IoT infrastructure:
Have a system for device identification, visibility, and inventory in place.
One of the first steps to establishing a good security foundation is to assess your organization’s various assets and business processes. Establishing an accurate inventory that is regularly updated can be challenging because of the fast proliferation of devices with varying life cycles and functionalities. More often than not, there is a discrepancy between what enterprises think they have versus what they actually have. Also, knowing what normal device behavior looks like can help determine a potential breach should traffic deviate from the norm. These steps are crucial to identifying what your organization needs to protect.
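The two checks described above (inventory versus reality, and traffic that deviates from the norm) can be sketched as follows. This is an added example, not code from the original article; the device IDs, byte counts, and the z-score threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: the devices the organization believes it has.
INVENTORY = {"cam-01", "cam-02", "thermo-07"}

# Constructed history: bytes uploaded to the cloud per hour, per device.
BASELINE = {
    "cam-01": [5200, 4900, 5100, 5050, 4950],
    "cam-02": [5000, 5100, 4950, 5050, 4900],
    "thermo-07": [120, 130, 125, 118, 127],
}

# Constructed current-hour records from an edge gateway: (device_id, bytes).
OBSERVED = [("cam-01", 5075), ("cam-02", 48000),
            ("thermo-07", 124), ("plug-99", 300)]


def reconcile(inventory, observed):
    """Compare the declared inventory with devices actually seen talking."""
    seen = {dev for dev, _ in observed}
    return {"unknown": sorted(seen - inventory),   # on the wire, not on the books
            "silent": sorted(inventory - seen)}    # on the books, not on the wire


def deviations(baseline, observed, z_threshold=3.0):
    """Return {device: z-score} for devices whose volume departs from baseline."""
    totals = defaultdict(int)
    for dev, nbytes in observed:
        totals[dev] += nbytes
    flagged = {}
    for dev, total in totals.items():
        history = baseline.get(dev)
        if not history or len(history) < 2:
            continue  # no baseline yet; reconcile() reports unknown devices
        mu = mean(history)
        # Floor sigma at 5% of the mean so a very flat history does not
        # turn ordinary jitter into an alert (assumed tuning value).
        sigma = max(pstdev(history), 0.05 * mu, 1.0)
        z = (total - mu) / sigma
        if abs(z) >= z_threshold:
            flagged[dev] = round(z, 1)
    return flagged


if __name__ == "__main__":
    print(reconcile(INVENTORY, OBSERVED))
    print(deviations(BASELINE, OBSERVED))
```

Unknown devices and flagged deviations are starting points for investigation; a device missing from the observed set may simply be offline.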
Perform a comprehensive risk assessment.
A thorough asset inventory can help an organization analyze its attack surface. This helps determine the various entry points that threat actors may use. One needs to consider the entire IoT-cloud infrastructure in order to fully understand cloud-related threats. The process is multifaceted: from analyzing device communication, administration, and the software and hardware used to documenting physical assets, IoT endpoints, networking hardware, digital assets (such as cloud capabilities and databases), and access controls.
While the task of risk assessment may seem overwhelming, it is necessary for identifying and prioritizing vulnerabilities.
Adopting a risk-based security strategy requires a definitive overview of the assets to determine the risks they pose. The goal is to establish a baseline so the attack surface they create can be sufficiently defined.
Evaluate current security practices from the edge to the cloud and adopt best practices.
Once current security practices and gaps are assessed, organizations can plan how to implement best practices in all aspects of the IoT-cloud infrastructure.
Towards a More Secure IoT-Cloud Infrastructure
The following pointers can help improve the cyber-hygiene practices in your teams:
Implement monitoring and filtering tools at the start. Enterprises need to implement tools to monitor and filter traffic flow from the IoT endpoints to the cloud at the outset. This enables the security team to detect suspicious activity, determine anomalies, and ensure visibility for all connected devices.
Define a clear, effective, and detailed access control plan. Develop a complete access control plan that covers the entire environment from the cloud to the edge. Identify all users, groups, or roles and define detailed authentication and authorization policies that apply throughout the IoT-cloud ecosystem. Consider the principle of least privilege, which refers to giving users only the access or permissions needed to perform their tasks.
Perform vulnerability checks regularly. To minimize the threats arising from cloud, API, and IAM misconfigurations, enterprises can conduct vulnerability testing on these components, along with the rest that comprise the entire IoT-cloud ecosystem. Consistency is key.
Use secure passwords for both IoT devices and linked cloud services. Successful data breaches still happen because of weak credentials. Since passwords are still the primary means of authentication, enterprises should enforce strict password policies to prevent breaches.
Inspect cloud infrastructure for control features before use. Organizations that use the cloud to manage their IoT devices need to check the cloud infrastructure for vulnerabilities and see if proper controls are in place. Companies seeking to migrate operations to the cloud should read the Service Level Agreements (SLA) carefully to be clear about which security controls the cloud provider will maintain and which ones they will have to implement on their own.
Consistently implement cloud security procedures. Efforts to establish security protocols will all be for naught if they’re not maintained, monitored, and acted on in a timely manner. While cloud providers carry much of the security burden, it is incumbent upon enterprises to take charge of access control, traffic segregation and filtering, security configurations, data protection, virus protection, and other incident monitoring, including prompt response and prevention.
We also discussed other pointers to secure enterprise cloud-IoT infrastructures in a separate guide, “A Security Guide to IoT-Cloud Convergence.”
An enterprise can effectively address cloud-related IoT threats by establishing a robust cybersecurity foundation. This involves adopting a sound approach that includes identifying what assets and data to protect, performing a comprehensive risk assessment across all the components of the IoT-cloud ecosystem, and ensuring that security measures are not only in place but are also consistently implemented. Enterprises can reap the benefits afforded by IoT-cloud convergence as long as they adopt a proactive security mindset and as many best practices as possible.