University of Magdeburg Professor Dr. Mesut Güneş is leading a team of researchers in an effort to develop a more secure approach towards protecting IoT data. Kevin McKeogh, nCipher Security’s Director of Product Management, was quoted in an SC Magazine article about the initiative. McKeogh’s full set of comments may be found below.
This proposal highlights a decentralized approach and a move away from the trend of migrating all data into the cloud and processing it there, or having to provide all your credentials to a cloud provider that you may not trust to look after them.
Decentralising and distributing is an inherently good thing. It supports data sovereignty restrictions and can provide good protection for credentials. However, what these solutions will rely on is global standards in order to govern the infrastructure and protocols that enable the systems to communicate, share data and authenticate. These standards need to be open, controlled and maintained by an appropriate body that is open to scrutiny.
Providing strong identities to IoT devices (credentialing) is also a critical part of the trust framework. It ensures that those devices can be authenticated before they respond to any requests or share or receive data, etc. These credentials are also important to allow secure upgrades for the device (with signed code) to maintain device security.
Cloud is not necessarily part of the problem. In fact, its processing power, dynamic scalability and cost effectiveness can still be advantageous as part of the solution. But, separating the compute engine from where the data has to reside and ensuring that data can be kept and appropriately protected within an environment where the owner is in full control is a big advantage to system security. Decentralising authentication and building a trust relationship across multiple entities delivers much more security and flexibility to the solution.