The Importance of Tenant Separation and Authentication Standards in IoT Security

November 7, 2017

This is the tenth and final blog in a series of Arrayent posts on IoT security. The series is written for employees of companies who sell connected products, especially those new to IoT. With this series, we hope to bring a basic level of awareness and understanding of key issues that face everyone who develops connected consumer products. We also hope to stimulate an ongoing dialog that helps move the conversation about connected products security forward.

As both a provider and a customer of cloud services (Prodea's own business is run in the cloud), we know that data is at the heart of IoT, and that companies with connected products and services need to know their data is safe.

When considering cloud SaaS vendors, one of the first questions we ask is: “Will our data be mixed with data from other companies?” We ask this question to all of our cloud infrastructure vendors, even the dominant players. It has to be answered to our satisfaction before we engage.

Why is this so important? If a bug or malfunction occurs, data could in principle 'leak' across the boundary between companies, giving another company access to data it was never meant to see. Imagine the consequences of some other company getting hold of the data, and potentially the control channel, for millions of IoT devices!

We all understand that software isn't perfect. There will inevitably be bugs or problems that arise. Companies in IoT must take every precaution to prevent damage and limit the repercussions. This is why proper segregation of critical data is vital. If data is properly separated (a practice known as 'tenant separation'), then regardless of any malfunction or hack, exposure is limited to that one customer's data set and not all other data on the system.

TENANT SEPARATION
There are generally three types of database structures for SaaS. There is a great primer on Dev.to that describes:

  1. Single Tenant (each client has a physically separate database)
  2. Multi-Tenant with a shared schema (a single database and a single set of tables for all clients, where every row carries a tenant identifier and each query must filter on it)
  3. Multi-Tenant with multi-schema (a single database for all clients, but each client has its own separate, identically structured schema inside that database)

In the case of big consumer applications and email services, physical tenant separation may not be a cost-efficient solution, and wouldn't make sense for the Googles, Apples or Amazons of the world that have millions of customers (which would mean millions of separate databases). In their case, there are a number of intelligent steps taken, and different strategies at work, to protect the data. But even with very smart people behind the scenes, big companies like Yahoo have experienced breaches that exposed the data of hundreds of millions of users.

With really sensitive data such as that collected by IoT product companies, it’s extremely important to have a well thought-out and tested strategy for separation of user data—and it’s best for each customer to have their own set of data tables.

Within Prodea’s Arrayent IoT services platform, we use tenant separation where each customer has their own set of data tables—and we don’t mix data tables between customers. This is the ultimate step in preventing cross-pollination or contamination of data—the holy grail of data separation.

The case of a hacker attack aside, you also wouldn’t want someone with a root admin account for one customer to be able to make a mistake and have it impact anything for other customers across millions of devices.
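The following is an added example, not code from the original post or from the Arrayent platform, that shows why the choice of model matters when a bug does occur. It builds the shared-schema multi-tenant model and the per-tenant-database model with SQLite, using two constructed, hypothetical tenants ("acme" and "globex") and made-up device rows, then runs the same "forgot the tenant filter" query against both. Only the shared-schema model leaks the other tenant's devices.

```python
import sqlite3

# Constructed sample data for two hypothetical tenants; the device rows are invented.
TENANTS = {
    "acme":   [("dev-001", "thermostat", "ON"), ("dev-002", "lock", "LOCKED")],
    "globex": [("dev-900", "camera", "STREAMING")],
}


def build_shared_schema():
    """Model 2: one database, one table, every row tagged with tenant_id."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE devices (tenant_id TEXT, device_id TEXT, kind TEXT, state TEXT)"
    )
    for tenant, rows in TENANTS.items():
        db.executemany(
            "INSERT INTO devices VALUES (?, ?, ?, ?)", [(tenant, *r) for r in rows]
        )
    return db


def build_per_tenant():
    """Model 1: a physically separate database per tenant (here, separate in-memory DBs)."""
    dbs = {}
    for tenant, rows in TENANTS.items():
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE devices (device_id TEXT, kind TEXT, state TEXT)")
        db.executemany("INSERT INTO devices VALUES (?, ?, ?)", rows)
        dbs[tenant] = db
    return dbs


def list_devices_buggy(db, tenant):
    """The bug: a developer forgot the tenant predicate. In a shared schema this
    returns every tenant's devices, i.e. a cross-tenant leak."""
    return sorted(r[0] for r in db.execute("SELECT device_id FROM devices"))


def list_devices_fixed(db, tenant):
    """The correct shared-schema query: every statement must filter on tenant_id."""
    return sorted(
        r[0]
        for r in db.execute(
            "SELECT device_id FROM devices WHERE tenant_id = ?", (tenant,)
        )
    )


def list_devices_per_tenant(dbs, tenant):
    """The same forgotten-filter query, but the connection is already scoped to
    one tenant's database, so there is nothing from other tenants to leak."""
    return sorted(r[0] for r in dbs[tenant].execute("SELECT device_id FROM devices"))


if __name__ == "__main__":
    shared = build_shared_schema()
    print("shared schema, buggy query :", list_devices_buggy(shared, "acme"))
    print("shared schema, fixed query :", list_devices_fixed(shared, "acme"))
    print("per-tenant DB, buggy query :", list_devices_per_tenant(build_per_tenant(), "acme"))
```

The practical lesson is that in a shared-schema design the tenant boundary is re-implemented in every query, so a single omission is a breach; in the per-tenant design the boundary is enforced by the connection, so the same mistake stays contained. If a shared schema is unavoidable, push the filter into the database (row-level security policies or per-tenant views bound to the session's identity) rather than trusting every query to remember it.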

In the case of administration functions, another critical aspect is two-factor authentication. Two-factor means you don't only have a username and password, but also one additional, independent item that is required to access a system.

AUTHENTICATION SCHEMES
As with tenant separation, there are also different levels of authentication schemes:

1) Single-factor authentication. This is the simplest and it's something you already know: matching one thing to verify yourself online, like a password to your username. A password is "something you know," and on its own it can be guessed, phished or reused from another breach.

2) Two-factor authentication. In addition to your password/username combo, two-factor authentication asks you to prove possession of something that you, and only you, hold ("something you have"), such as a mobile phone running an authenticator app or a hardware security token.

3) Multi-factor authentication. This is the general form: the user must present factors from two or more independent categories. The categories are something you know (a password or PIN), something you have (a phone or token) and something you are (a biometric such as a fingerprint, palm or retina scan). Contextual signals such as location or time of day can be layered on top as additional checks, but they are not a substitute for a second independent factor.

All Prodea employees, for example, are required to use two-factor (2FA) authentication to access their smartphones and computers.

Multi-factor authentication (MFA) is the standard for administrative access these days. For the second factor, a hardware or software token is generally easier to deploy than a biometric scan. The token can be generated by an application on a mobile device that produces a short-lived, one-time password (OTP); the time-based variant, TOTP (RFC 6238), is what apps such as Google Authenticator implement. Because the code is derived from a shared secret and the current time, the app works offline and can be used to protect sensitive accounts like Slack, Amazon Web Services, your bank account, etc.

The bottom line is that mature enterprises understand why MFA is critical because of what’s at stake.

Prodea's use of two-factor and multi-factor authentication also helps our customers with regulatory privacy compliance. Because the second factor is tied to a device only one person holds, these procedures discourage the sharing of usernames and passwords, a problem for administrators who want to eliminate credential sharing. With each administrator authenticating as an individual, every action can be attributed to a specific person, which creates an audit trail and provides another large benefit for Prodea customers.