The first thing to recognize about Internet of Things security is that it is not "one and done." Securing your IoT environment is an activity that continues in perpetuity. The resources you allocate initially will be substantial, and they will escalate rather than shrink: costs increase over time. This is a very different way to think about a process than the services world's normal engineering approach, where a large up-front cost is smoothed out so that you spend less and less money on it over time.
In the IoT, security can be segmented into two kinds. Each is approached differently, and each requires a different level of funding.
The first segment is security at the edge, or device level. Here you need to be sure that each level is secure and monitored, from the device at the edge all the way through the network and the apps in an ecosystem. Think of this as a hygiene or compliance role: you need to ensure that security exists, that it is adequate, that you monitor it for effectiveness, and that any attack is contained to a small segment and cannot spread. Those are the things you need to look for at the compliance level.
The second kind of security is around architecture and end-to-end monitoring. This requires a thoughtful end-to-end view of the objective you want to accomplish through the IoT, how you view security across the total ecosystem, how you architect it into systems, and how you monitor it at a systems level for the entire process that you define within the IoT. This security level typically reports to the chief security officer and requires a different level of thinking, talent, and investment.
If you are not doing both the hygiene approach and the architectural view, black hats can potentially use any hole to corrupt the whole chain.
Even if you believe you have adequate security at each level, that does not mean you are safe. The inventiveness of the black hats is so robust that you will have to invest continually in protection. You first need to invest in architecting your solution from end to end, and then continually monitor it and adapt it as new threats emerge.
One thing you can be sure of is that threats will continue to emerge.