The Security Vulnerability You Can Prevent
As IoT grows quickly, so should your skepticism of data security
By Jon Gelsey, CEO, Auth0
Auth0 simplifies identity implementation and management, making it easy for developers to implement even the most complex identity solutions for their web, mobile and internal applications, APIs and IoT devices.
The Internet of Things is one of the world’s fastest growing technologies. It is also poised to become the fastest growing source of security vulnerabilities in the enterprise – but it doesn’t have to be that way.
According to Gartner, there will be 4.9 billion IoT devices active in 2015, representing a 30% increase from 2014 – and that trend is set to continue as 25 billion connected objects are expected by 2020. IoT technology has taken root across countless business verticals – and according to PwC’s 6th Annual Digital IQ Survey, 20% of companies are currently investing in IoT sensors, up from 17% in 2014.
IoT innovation has provided developers with the chance to tap into a new world of potential opportunities for improving everyday life through applications ranging from home, health, factories, finances and beyond. A new Business Insider Intelligence Report found that globally, cities’ investments in IoT technologies will increase by $97 billion between 2015 and 2019.
However, the rapid pace at which IoT infrastructure and applications are evolving has placed both consumers and enterprises at risk. The infrastructure itself has become potentially vulnerable, as has the ever-growing amount of sensitive personal and enterprise data that it holds. That data and infrastructure must be protected. Without the proper identity security in place, enterprise and consumer data is vulnerable. In fact, HP recently reviewed 10 of the most commonly used connected devices in the HP Fortify on Demand Internet of Things State of the Union Study and found that 70% contained serious vulnerabilities.
The problem? Developers often accidentally take shortcuts with security, whether because they do not have adequate training to know their code is vulnerable, because they are trying to keep up with competitive pressure to ship, or through simple oversight. With terabytes of internet-accessible data and infrastructure, these security-weak IoT devices are vulnerable to attack because they do not implement a security architecture that starts with strong identity security.
Recently, PC gaming giant, Valve, saw millions of its Steam customer accounts hacked through a simple login implementation oversight that allowed hackers to access accounts that were not their own by simply clicking through the “forgot my password” prompts. Valve employs some of the best software developers in the world, but even the best developers are susceptible to simple mistakes. When these errors involve identity security, the results can be disastrous.
Generally, the problem of weak security is not rooted in malice but rather in inertia. Security has traditionally been an afterthought for developers, viewed as a “tax” on the effort to build core business logic. Previously, when most applications ran behind a defended network perimeter, that was not unreasonable – if the application was inside the firewall, it was probably safe. Unfortunately, that is not true anymore. Every enterprise, regardless of the sophistication of its security measures, must assume its internal IT infrastructure hosts at least some malware and was built with at least a few simple oversights that create vulnerabilities – as demonstrated by the headline-making breaches of even very sophisticated enterprises that we have seen almost weekly over the last few years. Today, every application, API and IoT device should assume that it’s running in a hostile environment – even if it’s inside the network perimeter – and should take appropriate steps to keep it secure. A basic and easy-to-implement best practice to improve security is to implement strong identity security, as identity has become the new firewall.
So how can organizations protect themselves? Developers cannot be expected to be experts across every subspecialty of the development chain. The rising tide of headline black-hat attacks is often the result of great software developers who make the mistake of trying to keep up part-time with a changing security environment while their opponents – the black hats – are focused full-time on trying to find vulnerabilities. Companies building any application, API or IoT device have an opportunity to close that gap without making any sacrifices by adopting SaaS services that make implementing and maintaining strong identity and security simple. As adoption of these platforms widens, the frequency and severity of major breaches will abate.
The majority of IoT devices today have significant security vulnerabilities, but it does not have to be this way. Simple-to-implement cloud services – like Auth0 – instantly create strong identity security for IoT devices and reduce the surface area available for attacks. Identity security – authorization, authentication and identity management, and the constantly shifting and changing security and vulnerability landscape – is a specialty that mainstream developers should not be expected to keep up with, nor do they need to when they employ best practices by using IDaaS (Identity as a Service) cloud services.
IoT is bringing enormous benefits to all of us today. Headline IoT breaches would slow the pace of innovation in the industry and do a disservice to all of us. But by simplifying identity within an enterprise through IDaaS, IoT developers can easily and with high confidence secure those areas that would have otherwise been most vulnerable.