The New Guide to IoT Cloud Security

How organizations handle “Internet of Things” (IoT) cloud security has to change — because what the industry’s doing now clearly isn’t working.  

Even after years of development and maturity, IoT is still often derisively referred to as the “Internet of Threats.” Part of the reason is that building IoT systems and connected devices is unusually complex. You can’t secure something you don’t understand in the first place.

There’s the device hardware, the software integrations, the network connectivity, and the cloud services. Even large organizations might not have enough in-house expertise to build it all themselves.

The most successful organizations include outside technology partners who have that expertise at every stage of IoT product development.

Those organizations probably won’t make the worst mistakes, like contributing to the staggering 98% of IoT communications that one study found were unencrypted… but, ironically, they create an all-new security challenge for themselves.

SaaS is broken

Software AG is one of the largest software companies in the world and claims to offer the “#1 self-service IoT platform.”

In 2020, they were hacked. At first, they denied that any of their customers were compromised by the breach.

But two days after that initial denial, they backtracked and admitted to finding evidence of data theft.

Vendor compromise like this isn’t unique, and it’s not just limited to IoT vendors. In October of 2023, Okta, one of the most ubiquitous identity and access management providers, announced its customer support system had been hacked.

This announcement came only after some of its own customers had discovered and contained the data breach weeks earlier. Cloudflare, one of those customers, published an exasperated blog about the incident titled, “How Cloudflare mitigated yet another Okta compromise.”

Despite high-profile incidents like these, the digital defense firm BlueVoyant still found that less than half of all organizations are monitoring their vendors for cyber risk.

And it’s not just a problem of SaaS partners failing to keep themselves (and, by extension, their customers) safe from bad actors. Sometimes, the SaaS partners themselves are the bad actors.

In March of 2023, Zoom quietly updated its Terms of Service to give itself sole rights to “Service Generated Data,” specifically to train its own AI models. But it wasn’t until months later, after a viral report by the tech news site Stack Diary, that most of Zoom’s customers even became aware of it.

CBS talks to Pardis Emami-Naeini, an Assistant Professor of Computer Science at Duke University, about Zoom’s use of customer data to train AI.

After an outcry, Zoom CEO Eric Yuan apologized for the debacle, and the controversial ToS was again changed.

Clearly, one of the biggest security vulnerabilities every organization has might be the SaaS model itself.

Ownership is a security solution

I met with Onymos Founder and CEO Shiva Nathan to talk about IoT security and what Onymos is doing to address it.

“You have to remember: Data is insight. Insight is IP. Unless you’re giving it away. Not only is that a bad business model, it’s a bad security model,” he said.

“The entire SaaS model, as it exists, has to be destroyed. I know that sounds radical, and it is radical. That’s how SaaS itself initially made people feel, too.

“But it’s a problem now that 99.9% of the SaaS vendors you can approach today about their IoT solutions will tell you, ‘Yeah, we can help you, provided we can get your data into our systems.’

“They rent you software with their right hand and take your data with their left.

“They control your security. They control your infrastructure. If you disagree with a decision they make, too bad. Do you want to start from scratch with another vendor? If they deprecate their services, too bad. Maybe they’ll recommend someone else for you to use.”

And if that’s all true, it puts organizations that want to build IoT devices in a very tough spot. If they can’t rely on in-house expertise because they don’t have it, and they can’t rely on SaaS because it might compromise their IoT infrastructure, then what is the alternative?

“No-Data” architecture

Onymos uses something called “no-data” architecture to protect its customers’ data flows — by staying out of them. I asked Shiva to explain how “no-data” architecture works in more detail.

“[Onymos] might be the only vendor out there that says, ‘Nope, we don’t need your data to provide you the functionality you need.’

“Essentially, we provide the libraries or licensed source code for a complete IoT software solution. We designed it all to take the data from your app and put it directly into your data center.

“It doesn’t have to stop over at an Onymos server or be accessed through an Onymos-hosted portal. We don’t see or access a bit or byte of your data. We put all of the software you get from us in your control.

“It’s like your developers went to sleep, woke up, and had all of this code checked into your source control system. That’s ‘no-data’ architecture. There’s absolutely no lock-in. We built our platform to be the opposite of that. It’s designed to help you build your IP, not diminish it. More IP is more application security. It means fewer attack surfaces for malicious actors to try and exploit.

“The other benefit is you’re taking your data out of the honeypot. You might think a big SaaS provider can do data security better than you, but even if that’s true, that big SaaS provider is getting attacked more than you in the first place. It has everyone’s data. That’s why they’ve been breached before and will be again despite all the security they have in place.”

4 steps for better IoT cloud security

If you’re a device manufacturer thinking of working with an IoT technology partner, we recommend taking these four steps before you commit.

• Limit data access. Do they use a “no-data” architecture model (as in, no customer data flows through their systems)? Can they launch their product and perform the necessary processing and storage in your cloud? Can you license their software source code to verify and customize it?
  
  These things don’t just make your organization more secure — their knock-on effect is more agility overall. You will know about threats sooner, respond to those threats faster, and be able to transition between vendors more seamlessly.

• Avoid lock-in. Control the things you can control. If you outsource any component of your IoT system, make sure you fully understand what you’re gaining and, maybe more importantly, what you’re losing.
  
  Be especially careful when you rely on low-code/no-code platforms. You cannot “export” their proprietary systems. There may even be costs associated with just exporting your own data.

• Demand regular cyber security audits and threat assessments. You will always care about your organization’s data privacy and security more than anyone else. Take the lead and hold your partners accountable.
  
  Most importantly, encourage them to be open with you about their own security challenges because everyone has them. They will, from time to time, fall short and fail penetration tests or outside audits. You should know about it when it happens. If they’re reluctant or evasive, they’re probably closer to a used-car salesman than a technology partner you can trust.

• Don’t just audit them. Audit their customers. Review their case studies, visit their customers’ websites, and even consider connecting with those customers directly. A years-old website quote might be misleading. In fact, this isn’t just about security. It’s about understanding what kind of relationship you can expect to have with a potential technology partner.

If you think Onymos can help you build, monitor, and secure your IoT system or want to know more about “no-data” architecture, reach out to our team.