Data created by Internet of Things (IoT) sensors must be secured better, say some. A simple password-on-device solution is no longer sufficient thanks to increasing data protection regulations, a new public awareness of tracking, and hugely proliferating devices.
A new kind of architecture using Security Agents should be aggressively built into local routers and networks to handle IoT security and computation rather than offloading the number-crunching to a data center or the cloud, or indeed trying to perform it on the resource-limited IoT device, IEEE researchers say. In other words, IoT security should be handled at the network level rather than device for best results.
Boxes containing the necessary hardware could be developed specifically for the purpose, where traditional, but newly security-modified, routers aren’t applicable—such as in a smart vehicular setting, like by the side of a road.
New IoT security framework
A “new security framework is required,” say the authors of the paper, Reconfigurable Security: Edge Computing-based Framework for IoT (pdf), published by IEEE Network.
Those researchers, consisting of IEEE members and a fellow, say existing IoT security protections, which they explain generally consist of just an authenticated key exchange and access control for communications, must be upped.
“Anonymous protection and fine-grained secure access control” has to be included in the solution, they say. That includes techniques for guarding against malicious IoT devices, too.
The problem is small IoT sensors and radios can’t handle the cryptographic processing required for truly diverse, customizable security, like this now-required anonymization. And as people become more conscious of the need to secure their data, they are going to want that data to remain private. The “sensitive behaviors of each individual” need protecting against location traceability, is how the IEEE team put it.
“A new reconfigurable security framework for IoT (ReSIoT),” based on edge computing will fix the problem, the researchers say. Their solution: a new, IoT management component to be installed at the edge nearby—the Security Agent.
Routers, base stations, and other near-edge boxes acting in this new security role would handle the computing that the IoT device can’t (due to size, power limitations, and so on). That includes the intensive cryptographic stuff. The researchers say this will not only be more secure, but it will also simplify the management of keys—cryptographic key disclosure risk increases as more keys, or passwords, need to be implemented by applications. The solution would also be more scalable.
That the IoT device doesn’t need upgrading periodically is an added benefit. In fact, all you need to do is manage the Security Agent box, which can operate numerous, possibly remotely located sensors that are difficult to get to. IoT device cost, too, would be kept in check, as sensors can remain inexpensive—no need to modify them and add to their cost to handle security.
“Even the low-end devices will be able to be protected by advanced security algorithms requiring high computation costs,” the researchers explain.
IoT processing time over legacy systems could, overall, start increasing because of security, the researchers say. Using Security Agents is better partly because the “high complexity computations” are offloaded to the Security Agent, which has more power. The “protocols outperform legacy solutions,” they claim. “Even though additional communications [are] required to interact with [Security Agents].”
There would also, presumably, be some edge-gained distance savings in comparison to an in-cloud key management solution.
Interestingly, the group points out that IoT applications will fail if the now-needed and very intensive authentication can’t be completed fast enough. IoT eats itself, in that case, making it clear something has to be done.
Thanks to Patrick Nelson (see source)