Now that IoT devices encompass technology like refrigerators, washers, dryers, drones, and security cameras, the amount of data created by these devices is going to exceed the bandwidth of the internet. There is just not enough fiber and bandwidth between local tech and cloud providers. This means we are going to have to start processing and storing data near its creation point and pushing only what is needed or legally required to cloud environments. What security features should we be planning and designing, at home, at work, or near the local data repository, to protect that data?
Security Layers of the Future
In the future, we’ll likely need a few systems that we do not have now or have been slow to implement. Here are a few that come to mind:
1. IPv6 and IPsec for all devices, from your refrigerator to your local NAS. These features have been mandated by some U.S. Government agencies and businesses, with more to come. There are many reasons for this, but security is one of the main ones.
2. Data encryption at rest (DAR) for all storage devices so that no one can hack or grab a device and retrieve its data.
3. Zero trust frameworks and network access controls for edge locations and data centers, as data is funneled into smaller and more diverse locations.
4. A security framework that signs all firmware and OS upgrades to ensure that each update really comes from the company that made the device and does not contain backdoors.
5. Encryption algorithms that are quantum-resistant. This National Institute of Standards publication discusses quantum-resistant algorithms.
IPv6 has been around for decades. It became a draft standard in 1998, but work had started at the beginning of the 1990s. IPv6 provides for:
1. Mandatory use of IPsec, which is important as data streams such as video could potentially be changed in real time, given the speed and performance of new GPUs.
2. Large Addressing Space, which means potential hackers would need to perform a net scan of 2^64 (18446744073709551616) hosts. However, this is not very likely to happen.
3. Neighbor Discovery and address auto-configuration, which make IPv6 more secure than its predecessor.
It will be important for all devices to run IPv6 and encrypt all data traffic both within the internal network and externally. Every device on the network should use Wi-Fi encryption, IPv6, and IPsec to reduce the potential for attacks like the casino fish tank infiltration. Know that you will likely have to upgrade communications technology more quickly than you upgrade devices. For example, Wi-Fi routers that are 10 years old might not be very secure, but your refrigerator will likely last more than 10 years.
I have written about DAR before (here and here), but for most organizations this is not a requirement, although there are often mandates. In some U.S. environments, the cryptographic module must be certified through the FIPS standards process from the National Institute of Standards (NIST). Other certifications required for devices with DAR include Common Criteria in the U.S. and the E.U.
Zero Trust and Network Access
Edge storage and computing, intended to decrease latency for edge networks and devices, manages the overwhelming amount of data better in some ways: it divides the data and places it closer to the locations that actually need it (as opposed to a public cloud method). However, it also adds complications: the farther data is spread, the harder it is to secure. As described in the section about IPv6 and IPsec, all connections should be secure, as should storage.
Zero trust frameworks are becoming more important for networks, ensuring that users are only given the access they need to perform a task. To make edge security successful, stored data needs strong network access controls and as little trust as possible. The more data is scattered across edge locations, the more security it requires.
Signed OS and Firmware
NIST has a set of guidelines called NIST 800-193, which are titled Platform Firmware Resiliency Guidelines and came out in May 2018. The underlying goals and principles of these guidelines are:
- Protection: Mechanisms for ensuring that Platform Firmware code and critical data remain in a state of integrity and are protected from corruption, such as the process for ensuring the authenticity and integrity of firmware updates.
- Detection: Mechanisms for detecting when Platform Firmware code and critical data have been corrupted.
- Recovery: Mechanisms for restoring Platform Firmware code and critical data to a state of integrity in the event that any such firmware code or critical data are found to have been corrupted, or when forced to recover through an authorized mechanism. Recovery is limited to the ability to recover firmware code and critical data.
Quantum Computing is Likely Coming
While some have questioned whether quantum computing will happen or be successful, too many corporations and nations are working on quantum systems for quantum computing not to happen. The only question is when. Initially it is likely that quantum systems will be used for good, such as health care, weather prediction, systems design, and national interests such as defense. But quantum computing will potentially be used for nefarious purposes regardless of access protections.
Quantum computing will significantly impact cryptographic hashes and encryption algorithms. It is possible that everything done in the past will have to be redone with new algorithms, which would likely be costly given that initial quantum systems will be expensive and the new algorithms will take significant time. Some might ask why we don’t start using quantum-resistant algorithms now, and the answer, in my opinion, is the cost in CPU time, memory, and I/O to implement quantum-resistant algorithms on today’s limited hardware.
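The signed-firmware check from the section above and the cost argument in this one can be seen together in a short added example, which is not code from the article or from any vendor. It uses a Lamport one-time signature, the simplest hash-based (and therefore quantum-resistant) scheme, as a stand-in for a production algorithm; the firmware images and the `apply_update` helper are constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(image: bytes):
    d = H(image)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, image: bytes):
    """Vendor side: reveal one secret per digest bit. Each key may sign ONE image only."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(image))]

def verify(pk, image: bytes, sig) -> bool:
    """Device side: needs only SHA-256 and the vendor public key provisioned on the device."""
    if len(sig) != 256:
        return False
    bits = digest_bits(image)
    return all(H(sig[i]) == pk[i][bits[i]] for i in range(256))

def apply_update(pk, known_good: bytes, candidate: bytes, sig):
    """Protection and detection: install only a verified image.
    Recovery: on failure, stay on the known-good image."""
    if verify(pk, candidate, sig):
        return candidate, "installed"
    return known_good, "rejected, kept known-good image"

def demo():
    sk, pk = keygen()
    golden = b"FW 1.0 (constructed sample image)"
    update = b"FW 1.1 (constructed sample image)"
    sig = sign(sk, update)
    genuine = apply_update(pk, golden, update, sig)
    altered = apply_update(pk, golden, update + b" plus unsigned bytes", sig)
    sizes = {"signature_bytes": sum(len(s) for s in sig),
             "public_key_bytes": sum(len(a) + len(b) for a, b in pk)}
    return genuine, altered, sizes

if __name__ == "__main__":
    print(demo())
```

The 8,192-byte signature and 16,384-byte public key for a single update show the memory and I/O overhead that this kind of scheme puts on small devices.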
Data at the edge will be a way of life within a few short years. You will likely not have the protections that you have in major data centers, with guards, cameras, and policies for data destruction. Data is not going to stop growing faster than density trends. Higher-resolution cameras, more lenses, and more sensors everywhere are just a few of the reasons why this trend is not going to change. Current data security policies are designed around two basic workflows:
- Consumer homes, where security is not quite as crucial.
- Enterprises, where security does matter, given penalties for compliance failures and data breaches.
Building enterprise data centers at the edge to store all of the data in a near-local way is not going to happen, given the availability of infrastructure and the costs for upgrades. Storage of data at the edge is both a security problem and a storage problem, and there will have to be some architectural tradeoffs. IT security, power, cooling, and armed guards are a few of the potential differences between the enterprise and the edge.
The views and opinions expressed in this article are those of the author and do not necessarily reflect any policy or position of Seagate Government Solutions or Seagate Technology.
This article was updated July 2021 by Jenna Phipps.