This is the eighth in a series of Arrayent blog posts on IoT security. The series is written for employees of companies who sell connected products, especially those new to IoT. With this series, we hope to bring a basic level of awareness and understanding of key issues that face everyone who develops connected consumer products. We also hope to stimulate an ongoing dialog that helps move the conversation about connected products security forward.
If your company collects data about your products, customers, employees, or market, the best practice is to always encrypt it, whether or not there is a compelling legal, statutory, or regulatory obligation to do so.
The Cloud Security Alliance (CSA) Cloud Controls Matrix outlines encryption protocols, with recommendations, for 1) sensitive data protection in storage (e.g., file servers, databases, and end-user workstations), 2) data in use (memory), and 3) data in transmission (e.g., system interfaces, over public networks, and electronic messaging).
Encryption of data is a central component of Arrayent’s cloud platform security procedures, ensuring that data is accessed only by authorized users (roles and services). The Arrayent Connect Cloud platform includes a comprehensive security framework for encryption of data transactions, end-point verification, and role-based authorization.
Security starts with the Arrayent Connect Agent (ACA) firmware that establishes and maintains a secure connection between devices and the Arrayent cloud. Via ACA, we establish a secure connection and can then securely transmit data between real devices in the field and their digital twins in the Arrayent cloud. Arrayent applies several standards of encryption to data, including data in transit and data at rest. You can learn more details on Arrayent’s approach to data at http://developer.arrayent.com/embedded-guides/embedded-datasheet/.
DATA IN TRANSIT ENCRYPTION
Data in transit is data being accessed over a network. It is critical that data in motion be encrypted from application-to-cloud, and from device-to-cloud. ACA sends and receives different types of data to and from the cloud, protected with 128-bit AES encryption. The APIs are fully documented on the Arrayent developer site.
To protect data confidentiality and keep data from being monitored or tampered with in transit, we encrypt data traffic using Transport Layer Security (TLS), which requires authentication in transit. TLS is the predecessor to Secure Sockets Layer (SSL) cryptography, the standard security technology for establishing an encrypted link between a web server and a browser or mobile app.
The National Institute of Standards and Technology (NIST) recommends migrating to TLS version 1.1 or higher. The current version (1.1) is still considered secure, but the Transport Layer Security Working Group of the Internet Engineering Task Force (IETF) is already working on TLS 1.3 to further improve security, reduce the chance of implementation errors, and remove unnecessary features and functions.
For device-to-cloud, Arrayent employs 128-bit AES to protect data packets travelling between products and the Arrayent Connect Cloud. AES is an open encryption standard first established by the NIST in 2001. AES is a symmetric (a.k.a. ‘secret key’) block cipher, which means that a cryptographic key and algorithm are applied to a block of data as a group rather than one bit at a time. A flexible AES key management system supports numerous encryption key exchange business rules.
DATA AT REST ENCRYPTION
There are many levels of security that help reduce threats to data at rest, whether data is stored online or offline. Data stored on the Arrayent Connect platform is encrypted at the storage level using the AES algorithm. Arrayent encrypts data stored at rest using one or more encryption methods, including in ‘block’ storage. This means data is stored in a self-contained ‘chunk.’ For maximum performance, we run block-level encryption and each chunk is encrypted with a unique data encryption key. You can learn further details at developer.arrayent.com.
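The per-chunk key scheme described above, sketched for Node.js as an added example; it is not Arrayent's code. It assumes AES-128 in GCM mode and a key-encryption key (KEK) that wraps each chunk's data encryption key, neither of which the post specifies, and all function and field names are hypothetical.

```javascript
const crypto = require('node:crypto');
const ALG = 'aes-128-gcm'; // assumed mode; the post names only AES
const OPTS = { authTagLength: 16 };

// Encrypt under a fresh 96-bit nonce; returns nonce || tag || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv(ALG, key, nonce, OPTS).setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Reverse seal(); final() throws if the key, data or aad do not match.
function open(key, sealed, aad) {
  if (sealed.length < 28) throw new Error('sealed data too short');
  const d = crypto.createDecipheriv(ALG, key, sealed.subarray(0, 12), OPTS);
  d.setAAD(aad).setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Every chunk gets its own random 128-bit data encryption key (DEK), stored
// beside the chunk only in wrapped form, under a key-encryption key (KEK).
function encryptChunk(kek, chunkId, data) {
  const dek = crypto.randomBytes(16);
  const aad = Buffer.from(chunkId); // binds key and data to this chunk id
  return { chunkId, wrappedDek: seal(kek, dek, aad), data: seal(dek, data, aad) };
}

function decryptChunk(kek, chunk) {
  const aad = Buffer.from(chunk.chunkId);
  return open(open(kek, chunk.wrappedDek, aad), chunk.data, aad);
}

// Constructed sample data: the same reading stored as two chunks.
function demo() {
  const kek = crypto.randomBytes(16);
  const reading = Buffer.from('temp=21.5;door=closed');
  const a = encryptChunk(kek, 'chunk-0001', reading);
  const b = encryptChunk(kek, 'chunk-0002', reading);
  let relabelRejected = false;
  try { decryptChunk(kek, { ...a, chunkId: 'chunk-0002' }); }
  catch (e) { relabelRejected = true; }
  return {
    roundTrip: decryptChunk(kek, a).toString(),
    identicalCiphertext: a.data.equals(b.data),
    relabelRejected,
  };
}
console.log(demo());
```

Because each chunk has its own key and nonce, identical plaintext produces different ciphertext, and a chunk moved under another chunk's identifier fails authentication instead of decrypting.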
QUESTIONS TO ASK ABOUT ENCRYPTION WHEN EVALUATING AN IOT PLATFORM:
Security should be one of the key deciding factors when choosing an IoT platform, and encryption is one of the central pieces of an IoT security strategy. Here are some questions to ask about encryption policies and procedures if you are evaluating an IoT platform:
1) What are the provider’s policies and procedures for encryption and key management?
2) Do the encryption capabilities of the service provider match the level of sensitivity of your data?
3) Does the platform provide unique device IDs, AES keys, user binding, firmware versions, etc.?
4) Are the device IDs assigned dynamically in the field (which could potentially enable cloning), or burned into the chips by the manufacturer during the device production process (preferred, as this is more highly controlled and secure)?
As the leading consumer IoT cloud platform, Arrayent views data security and privacy protection as job number one. The Arrayent Connect Cloud is TRUSTe certified and vetted through third-party security audits initiated by the world’s most trusted brands. Arrayent has more than a decade of experience working with mass-market global brands defending their IoT data, having helped Whirlpool, Febreze Home™, Pentair, OSRAM Sylvania, Maytag Commercial Laundry®, LiftMaster, Schumacher, Salus, Braeburn, Chamberlain, and many others launch and manage over 70 products across five continents.