When comparing all aspects of an IoT (Internet of Things) Solutions, it is clear that security tops the list. In society, there is a great deal of fear surrounding the perception that IoT systems are easily hackable. To an extent, this fear is justifiable as the consequences of hacked IoT devices and services can often be life-threatening.
In relation to security, the other concern for IoT solutions is privacy. In IoT solutions, security and privacy go hand in hand. This means that whilst we are analysing and validating the security requirements, we also consider the privacy requirements.
Some IoT solutions could be compared to unchartered waters. As IoT solution architects, we need to understand the security pain points in these dangerous zones. The main reason for this prerequisite is that IoT is an emerging field; hence, there are still loopholes that should be systematically identified and addressed.
Therefore, we need to start asking powerful and open-ended questions to understand the security issues, risks, concerns, constraints and dependencies. At a high level, we may start posing the questions as to ‘What are the security pain points in this solution?’, ‘What are the new technologies that may create risks?’ and ‘How can we address the identified risks?’ among many more exploratory questions.
Of course, by asking many more questions, we prompt our minds to find effective resolutions for each concern. As IoT solution architects, we usually cover the breadth rather than depth in developing solutions, like any aspect of the solution, it is essential to have a security subject matter expert on hand to help delve into the details of security risks, issues, dependencies and constraints. These consulting subject matter experts can help validate our solution proposals. Therefore, it is highly recommended that the security subject matter experts review the security architecture of the solution and give their approval.
In addition to the security subject matter expert, the solutions are also reviewed by a security governance body in an organisation. The members of the governance body may review various aspects of the security, such as identity management, authorisation, encryption and so on. Then, it is the IoT Solution Architect’s role to ensure the recommended security actions fit into the overall solution. As you may have guessed, specialists of a specific domain are often unaware of the other domains and the overall solution. Understanding the importance of this point is critical as architects often make the assumption that subject matter experts in security know every aspect of the systems or solutions.
As IoT lead solution architects, we need to analyse and define the key security threats. Then, we need to propose solutions to address those threats in the Security Model of the IoT solution. These points in each solution building block need to be carefully reviewed by the security subject matter experts and peer-reviewed by other solution architects in the program or organisation who understand the security landscape for applications, middleware, data, hosting infrastructure, databases, network, storage and all other aspects of the solution.
IoT Security and privacy requirements need to be analysed using reliable trust and assurance frameworks. These requirements need to consider the privacy laws in the geographies of the solutions that are developed. These requirements may not use traditional security controls. These requirements may have been developed in agility and may differ, state to state, country to country, and continent to continent.
You can find my updates on my author profile on Amazon.
Dr Mehmet Yildiz 