The internet of things (IoT) pertains to the connection of sensors, devices, and other objects, sending and receiving data for communication of requests and commands through the internet and other networks. Given this traditional definition and the decades since the conception of the IoT, it’s no surprise that there has been a steady increase in the number of interconnected “things.” This has naturally resulted in greater amounts of data gathered, which in turn have made the handling and storage of information more challenging. The growing demand for fast product developments for end users’ conveniences and the subsequent rapid deployments have necessitated advancements in both hardware and software. And the need has emerged for data processing and analysis with the security infrastructure to match the increasing complexity of data associated with the IoT.
In the face of challenges brought about by the continuing expansion of the IoT — a trend that is expected to be further amplified by the coming 5G era — many organizations have turned to cloud computing, particularly cloud-based IoT solutions. Built on the idea of providing “rented storage space,” cloud-based IoT solutions can respond to organizations’ needs in regard to integration, processing, scalability, and the all-important consideration of security.
IoT security has rightly become a focal point in discussions among manufacturers, developers, and organizations: Do service providers comply with the requirements of data regulations such as the General Data Protection Regulation (GDPR)? Can product updates be released as soon as vulnerabilities are reported or disclosed? Will migration to cloud servers be more efficient and secure in the long run? These and other questions warrant close examination and critical discussion by IoT adopters, including those involved in the development and implementation of cloud-based IoT solutions.
Comparing traditional IoT and cloud-based IoT solutions
Cloud service providers have proposed solutions to organizations according to their different business needs. And as more enterprises move their workloads to the cloud to reap the infrastructure’s benefits, these providers are also able to expand their product features to explore more business opportunities. Enterprises that have already availed of cloud services are offered more solutions specific to the IoT, requiring lower costs than what it normally takes to get into the IoT market — without dramatically affecting existing product infrastructure at that.
Vendors also get to redefine some business aspects for improvement, such as responding to existing security gaps in the IoT market. With the presence of API management resources at their disposal, an environment similar to one involving software as a service (SaaS) is ready for development, as well as a mechanism for certification and authentication management. Based on our research, cloud service providers can translate their expertise into cloud-based IoT developments. The table below compares the advantages and disadvantages of traditional IoT and cloud-based IoT solutions across different areas of concern — effectively highlighting the potential growth the latter can offer for enterprises.
Each device is connected to one dedicated server.
If kept at a small scale, this reduces costs on hardware and infrastructure.
Each device uses its own cloud server.
In most cases, the device doesn’t hold the server. If necessary, there is a dedicated device to do so.
This significantly reduces the attack surface and improves the user experience (UX) since the web interface is located in the cloud.
The main server provides fewer features and is harder to scale up.
An in-house operations team dedicated to the server is needed to deal with complex security issues.
Server costs will increase.
For areas with strict capitalization, the location of the data needs to be discussed with the cloud service provider.
If the setup is originally designed with traditional network architecture, drastic changes may be needed.
In areas where space and energy costs are cheaper, companies can subscribe so as to lower book costs.
Data can be kept simple to meet the requirements of local laws for storage areas.
If the data is stored in the device, the load on the central server can be reduced.
Most of the data can be found in the cloud.
Even edge computing solutions do not store large heavy amounts of data locally.
This is safer and easier to scale up.
Mostly, data can be accessed only within the device’s locally connected area.
This is usually unsafe and unencrypted.
Server costs will initially increase (capital expense).
For areas with strict capitalization, the location of the data needs to be discussed with the cloud service provider.
If the product is not exposed to the external network, a simple authentication mechanism may be expected.
This reduces costs.
This can accelerate the product development process.
This offers authentication methods enabled by identity and access management (IAM) and made available for cloud infrastructure.
For some cloud solutions, a shared access signature (SAS) key or single sign-on (SSO) certification feature is offered.
This significantly reduces the attack surface since it is not exposed to the web and does not rely on open ports.
In most cases, the infrastructure can protect stored data even if a device is compromised or a connected hardware is cracked or hacked.
This uses a local password.
This has weak user management.
In the event of a lateral attack, a chain reaction in the system can happen.
Different cloud platforms have varying rules and methods for IAM/active dictionary (AD) customization and setup. Teams tasked to create and maintain the platforms for their respective organizations will have to learn and test these new developments from scratch.
In case the error is set on IAM, role, or policy, the error can lead to other errors in other areas.
The products need to be customized one by one, increasing the complexity of the shipping process.
In most instances, another user may be able to connect to a device directly, instead of having to go through the cloud infrastructure and “line up.”
This significantly reduces the attack surface by restricting all traffic entering and leaving to pass through an API gateway in the cloud.
In some cases, some IoT devices use plain, unencrypted text during data transmission, which can lead to man-in-the-middle (MitM) attacks.
For some cloud service providers, a “purely intranet environment” will not work.
Some cloud service providers offer solutions for intranets, but these are less versatile than the original cloud-based IoT solutions and can operate only as edge computing.
This uses user identification (UID) numbers generated by the manufacturer and programmed only once.
This works with IAM or a subscription mechanism from the platform.
Each device has its own fingerprint, enabling the manufacturer to easily trace its status.
For product services, they can trust the connections from the device and don’t have to worry about attacks from fake connections.
The device is usually easy to spoof or fake.
The device is more difficult to identify or recognize.
If cloud service providers do not provide device provisioning services, the manufacturer’s shipping process becomes more complicated and requires more resources such as manpower and time to set up and activate the device.
Although some manufacturers provide device provisioning services, the user may not be able to use the device for secondhand transactions, and the user may be listed until it is scrapped. If the product is covered under returned material authorization (RMA), it will require a reset or be immediately abandoned (perhaps due to irreparability, e.g., Google Titan Bluetooth security key).
Some cloud-based IoT solutions have embedded edge computing solutions.
Some app and product developments require frameworks now available with cloud development, such as artificial intelligence (AI). Bringing AI to the frontline, this enables the developer to implement product development faster for end users.
This requires a microcontroller with better computing power, thereby increasing costs.
Solutions such as containers are able to provide isolation mechanisms.
With separate operating system applications and over-the-air (OTA) components, it is more difficult to inject malicious codes, enable permissions, and escalate privileges.
Devices can remain live for monitoring of malicious behavior if a hacker breaks into a component.
For some products, cloud-based IoT solutions are able to add a layer of security and the OTA component is separate from the firmware (e.g., Azure Sphere).
Most IoT devices running on Linux or simple real-time operating systems (RTOSs) do not have application isolation. An error in one may prompt a chain reaction with the rest of the devices or applications.
Programmers tasked to create and maintain the platforms would need to learn and upgrade their skills to match the new requirements of these platforms (such as using free RTOSs) to ensure delivery of the products to the end users.
Cross-program data exchange will become more complicated.
The firewall between APIs needs to be properly customized.
Many convenient features will be limited to improve security, and will not be directly accessing most third-party code.
Update channel (OTA) maintenance and software development kit (SDK)
OTA updates are the focus of cloud providers for IoT solutions’ development.
For some platforms with more aggressive designs, operating system updates of terminal devices are forcibly uploaded by the service provider.
For manufacturers that provide security-aware SDKs, product developers have the convenience of focusing on application development.
It is easier for developers to follow SDKs and instructions that are more security-conscious because they no longer have to worry about system restrictions. Development process flows are also clearer.
In some cases, manufacturer-released firmware updates depend on user activity.
SDKs are created by chip designers, and are often not secure.
For a number of platforms, it can be a common occurrence that if there is a problem in continuous integration and continuous delivery (CI/CD) during the development process, or an error in the development of the software itself, it will not be found and product deployment may cause other problems for the end user.
Enterprises will need to have higher quality and verification requirements for the codes they produce.
Table 1. Comparison between traditional IoT and cloud-based IoT solutions for enterprises
Use case for benefits of cloud-based IoT solutions: Transport-sharing app
Figure 1. Transport-sharing app with a cloud-based IoT infrastructure
With the proliferation of IoT devices and the need to handle an exponentially increasing amount of data, enterprises can look into the developments afforded by cloud-based IoT solutions. Here we illustrate some of the benefits organizations can derive from adopting cloud-based IoT solutions. We take the case of a transport-sharing app as an example, specifically examining its scalability with cloud-based IoT features given the users and services it’s expected to deal with after its launch.
When necessary, the developers can scale up the app faster and easily account for the platform’s needed changes, such as time accuracy for both drivers and passengers. Since the platform can be treated as part of the IoT methodology — with the user, node, and edge found in the cloud as “loosely coupled architecture” — the cloud-based app can be designed to have periodic rewards and emergency returns. It can also have server-side anti-counterfeit/anti-spoofing features. Cloud-based IoT solutions are designed to use strict rule validations and hierarchical rights management to prevent unauthorized intrusion as the entire cloud environment can be compromised; without data or signal tests from the server terminal, commands do not follow through to the device or app.
Integrated with machine learning and artificial intelligence (AI), the app can constantly study the data for product development and improve drivers’ and users’ profiles. Since cloud-based solutions have multiple channels for communication, users and drivers can report their respective locations, speed information, and profiles in real time. These integrations can also help drivers in handling unexpected situations and condition violations, immediately warning them as needed either in real time or within a delay of 10 seconds. Downtime is reduced by 0.01% as new cloud-based solutions offer strong out-of-band capabilities to accommodate unexpected situations such as network and sensor signal changes.
Potential attack vectors in cloud-based IoT infrastructures
As evidenced by the disadvantages noted in the comparison table above, cloud-based IoT infrastructures are far from perfect. This is further demonstrated by several potential attack vectors that threat actors can take advantage of as cloud-based IoT solutions are developed and deployed.
API gateway misconfigurations
Using APIs is a common practice among manufacturers and developers for devices to communicate faster and more efficiently with IoT cloud servers. With APIs, an IoT device can request for specific actions from the cloud server using an API gateway, and vice versa. Functioning as a doorway to the cloud and limiting IoT device traffic, the gateway facilitates specific commands such as turning the device on or off, checking the status of the device, upgrading the firmware, downloading or uploading screenshots or videos, and accessing data.
A misconfigured device or a cloud service may thus be seen as a security liability. Threat actors can use it as an opportunity for malicious activities such as faking a command sequence by changing the logic between the APIs, invoking more vulnerabilities in the process. Other possible activities include user spoofing, man-in-the-middle (MiTM) attacks, and session replays.
Wrong authentication roles, policies, or assigned keys
Developers customize the rules and policies for IoT devices connected to cloud servers for identity and access management (IAM). In the process, every IoT device is expected to handle a big workload equivalent to the corresponding limitations for data access and streams. In addition, some cloud-based IoT devices use the same design, logic, and trust chain as some cloud-based servers and services use for alignment and ease of configuration.
However, IAM misconfigurations can not only block data traffic and access, but also enable hackers to breach the server, do more complex attacks, control the cloud service, or spoof a guest or legitimate device user.
Device, channel, and infrastructure weaknesses
As previously mentioned, APIs are commonly used for easier transmission and retrieval of data from the cloud via API gateways. Most platforms are designed such that the IoT infrastructure will use the same API gateway as the cloud server infrastructure for ease of use to the device owner.
However, misconfigurations and attacks in devices, cloud gateways, and infrastructures may highlight weaknesses in the security of data traffic or path, exposing the device or the cloud server as well. Several open-source websites have begun hosting performance tests on tools for API fuzzing and gateway misconfiguration, and on proofs of concept for hacking established cloud infrastructures that cybercriminals may use in the future.
In their relative infancy, cloud-based IoT solutions are of course not perfect be-all and end-all solutions. Product developers and the programmers tasked to maintain these platforms for their organizations may have to learn the technology from scratch. Configurations and customizations are still required from IT teams and developers to ensure uninterrupted services and daily operations, and to augment the existing multilayered protection systems inside the organizations. This implies more allocations for spending and resources required from enterprises, especially in the beginning.
But cloud-based IoT solutions do offer features that address certain security gaps. These include authentication mechanism enhancements, terminal device identity verification, tighter security connections, edge computing capabilities, app container design, OTA and SDK maintenance, and reduced attack surfaces. Given malicious actors’ predilection for hacking into vulnerable devices or exploiting misconfigured cloud storage settings, organizations would do well to consider cloud-based IoT solutions and their potential for improving security as well as integration, processing, and scalability.
Trend Micro solutions
Enterprises should choose security solutions that can offer a complete package of features that include threat detection, network intrusion prevention, and security management. The Trend Micro™ Deep Security™ for Cloud solution can provide proactive detection and prevention of threats, while Hybrid Cloud Security offers optimal security for hybrid environments that incorporate physical, virtual, and cloud workloads.
Businesses can also consider Trend Micro Deep Security as a Service, which is a dedicated protection system optimized for Amazon Web Services, Microsoft Azure, and VMware. It can help an organization’s IT department by securing servers without the need for any installations. It allows businesses to implement new upgrades without any downtime, and can instantly connect to the cloud and data center resources for proactive security measures.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).