The internet of things is not a new idea but in the hype curve it is now definitely on the upswing. Disillusionment should be setting in soon, before the real delivery of value gets started.

I  had an amusing conversation with the CEO of a startup in the business of providing software for monitoring “things” on the Internet of Things. Amusing in that whenever I asked him about how access to these devises was secured, he said that you didn’t access them directly, only a virtual representation.  I then followed up with “so they are not connected to the internet then ?” to which he answered yes, they were. I returned to my original question. Repeat. We went though this cycle about 4 or five times. We had a pretty good bit going there; should have taken it on the road. As a CEO of a startup he could have used the money I’m sure. I am also sure that having your security model be a joke on the standup-circuit would perhaps be ill advised.

That still leaves the larger question. What should be security model be for the Internet of Things.

In some sense we have had IoT for a long time already. But the “T” in IoT are not the PCs and servers we are used to.  These new devices will not be running a full stack of software. They won’t  be able to and even if they were (computing resources gets ever cheaper) it would be hugely wasteful. And a management nightmare too.

Though I’m sure many software vendors will emerge to help us with it. And Microsoft would be perfectly happy to sell a copy of Windows to every fridge and toaster built.

No, these devices will have a simplified software stack. As simple as possible. Requires less hardware, and less is cheaper. Perhaps cheaper by only a few cents, or less, but when you number your devices in the billions, every little bit adds of pretty fast. Simple is also easier to maintain and leaves less room for error (read: bugs).

Considering only the security side of things. What are the minimum security features required ?

Privacy: The devices have to be able communicate privately – which means encryption.

Integrity: The devices have to be able communicate reliably. The data streams must not be tampered with. This ties in with encryption in the TSL/SSL protocols.

Authorization: If the device is able to receive and act on requests , there has to be a way to check the authorization for those requests.

The need to authentication is typically driven by the need for authorization – first you establish who somebody is, then what they are allowed to do – but with PAML tokens this is not so. Authentication is therefore optional, depending on security protocol.