Debate: What is the edge of IoT security responsibility? Will device-level security testing be enough?
senior director, solutions marketing, Ixia
The majority of IoT devices have several things in common: a sensor, a basic processor, and networked communication. The IoT hardware device, data it sends, database where the data is stored, big data backup, and everything in between require rigorous testing. Miss a database patch, forget a single engineering backdoor password, leave one data center analysis tool with a default login and it could be game over. The question remains: if the IoT vendor does all that, is their security responsibility complete? The 'security edge' is an ongoing court topic, but the IoT vendor is holding your data, whether in storage, in backup, or sharing with others. And if they allow you to log in via single sign-on, they still need to validate that you are you. This is true for every IoT device whether for fitness, temperature control, or a pressure valve at a nuclear power plant. Testing and visibility of IoT products should extend across the entire lifespan of the data they produce.
VP, solution strategy, NetIQ, the security portfolio of Micro Focus
There's a lot of focus now, as there should be, on how we build security into the devices that will ultimately form the endpoints of the IoT. No one wants a car that could be hacked, or a TV that might be eavesdropping on their private conversations. Yet we shouldn't allow ourselves to forget that the IoT doesn't only consist of “things.” Behind this skin of devices we see are the networks, services, data centers, and systems that will collect data, manage interactions, watch for activity, and respond to the world based on all those endpoints. And it will be at the nexus of devices and services that the security of the IoT will stand or fall, because it will be here, wherever the weak points are, that attackers will focus their efforts to steal the data, and privacy, that we value. Building secure devices won't give us a secure IoT, and if we allow ourselves to become too focused on “device level security” we run the risk of repeating the mistakes of the past, with disastrous consequences.