
Ambient Security: How It Can Help You Secure IoT

What if your device was connected to a cloud-based service that delivered "always on" security?

After spending a good part of my career doing serious embedded security engineering, I once confidently believed it was possible to build serious security into (nearly) any kind of thing.

Yet each day, it seemed, there was a new kind of item to secure. Like the film character "Neo," we've become wired into a 24 x 7 digital matrix of constant connectivity with networked lights, locks, heating-cooling systems, cameras, and a variety of other smart "things" to secure.

It took me more than a year to realize that I couldn't possibly build security into all of the - literally - billions of things coming online, each with their own operating systems or embedded applications. That would take more than a lifetime.

But if the long-term goal of absolute cyber security in the Internet of Things era remains beyond our grasp for now, there may still be another way to move closer to that target. The fact that we're already constantly connected and able to participate in a seamless experience - an ecosystem of devices we call ambient computing - offers the theoretical hope that we can do the same for security.

"Always-on" Security

Think about it this way. What if your device was connected to a cloud-based service that delivered "always on" security? What's more, the device wouldn't be able to connect to anything except through that particular security service, which would offer full protection against any imaginable cyber attacks cooked up by the bad guys.

This isn't fantasy. We already do something similar for laptops, smartphones, and tablets with "firewall as a service" offerings. Many enterprises also use cloud-based services with global deployments of security hardware so that wherever they connect, employees are connecting through these security sites.

Some may be connecting over an untrusted local connection, but that's why those services set you up with a "personal" crypto connection, eliminating the need to trust a particular local network. What's more, everything is encrypted from the device to a secure site, which deploys security hardware to protect users from potential attack.

Of course, firewalls aren't enough. That's why such services seriously need things like full proxies and careful "key management." Together, these allow the security hardware to defend even against attacks tunneling through encrypted web connections. Fortunately, this exists today in commercial services like our own Web Security Service (WSS) as well as offerings by other security providers.

The Road Ahead

Where do we head from here? I see three possibilities.

If your company makes IoT devices, be sure they only connect through such security services. It should be up to the manufacturer, not the end-customer, to decide whether or not their "things" connect to security services - or to anything else.

If you or your company buys IoT devices, don't be bashful. Tell your suppliers that you want products configured so as to only connect to cloud-based security gateways that protect them. If a supplier can't do that, put them on notice that the clock is ticking. Let them know that you'll only source products in the future from vendors that are serious about IoT security. While we're at it, consider this: If a vendor is unable to configure their devices to connect to a simple cloud-based security service, can you really trust them to deal with the harder aspects of security?

We can glimpse a better security future over the horizon. So, whether you make or buy IoT devices, let's team up and further the research into how to make seamless, "always on" ambient security better. Symantec collaborates with countless universities and customers and we regularly share our research with the industry. Even if someone else manages to find an answer, we'd still be flattered and grateful that you chose to join us on the journey. After all, we all share the same goal of making a better, more secure world.

About the Author

Brian Witten

Sr Director, Symantec Research Labs

As Global Sr Director of Symantec Research Labs (SRL), Brian leads all long term research for Symantec. Over 12 years ago Brian joined Symantec Labs from DARPA, helping create several technologies now used in our Enterprise and Norton consumer offerings.
