The New Guide to IoT Cloud Security
How organizations handle “Internet of Things” (IoT) cloud security has to change — because what the industry’s doing now clearly isn’t working.
Even after years of development and maturity, IoT is still often derisively referred to as the “Internet of Threats.” Part of the reason is that building IoT systems and connected devices is unusually complex. You can’t secure something you don’t understand in the first place.
There’s the device hardware, the software integrations, the network connectivity, and the cloud services. Even large organizations might not have enough in-house expertise to build it all themselves.
The most successful organizations bring in outside technology partners who have that expertise, and involve them at every stage of IoT product development.
Those organizations probably won’t make the worst mistakes, like contributing to the staggering 98% of IoT communications that one study found were unencrypted… but, ironically, they create an all-new security challenge for themselves.
SaaS is broken
Software AG is one of the largest software companies in the world and claims to offer the “#1 self-service IoT platform.”
In 2020, they were hacked. At first, they denied that any of their customers were compromised by the breach.
But two days after that initial denial, they backtracked and admitted to finding evidence of data theft.
Vendor compromise like this isn’t unique, and it’s not just limited to IoT vendors. In October of 2023, Okta, one of the most ubiquitous identity and access management providers, announced its customer support system had been hacked.
This announcement came only after some of its own customers had discovered and contained the data breach weeks earlier. Cloudflare, one of those customers, published an exasperated blog about the incident titled, “How Cloudflare mitigated yet another Okta compromise.”
And it’s not just a problem of SaaS partners failing to keep themselves (and, by extension, their customers) safe from bad actors. Sometimes, the SaaS partners themselves are the bad actors.
In March of 2023, Zoom quietly updated its Terms of Service to give itself sole rights to “Service Generated Data,” specifically to train its own AI models. But it wasn’t until months later, after a viral report by the tech news site Stack Diary, that most of Zoom’s customers even became aware of it.
After an outcry, Zoom CEO Eric Yuan apologized for the debacle, and the controversial ToS was again changed.
Clearly, the SaaS model itself may be one of the biggest security vulnerabilities every organization has.
Ownership is a security solution
I met with Onymos Founder and CEO Shiva Nathan to talk about IoT security and what Onymos is doing to address it.
“You have to remember: Data is insight. Insight is IP. Unless you’re giving it away. Not only is that a bad business model, it’s a bad security model,” he said.
“The entire SaaS model, as it exists, has to be destroyed. I know that sounds radical, and it is radical. That’s how SaaS itself initially made people feel, too.
“But it’s a problem now that 99.9% of the SaaS vendors you can approach today about their IoT solutions will tell you, ‘Yeah, we can help you, provided we can get your data into our systems.’
“They rent you software with their right hand and take your data with their left.
“They control your security. They control your infrastructure. If you disagree with a decision they make, too bad. Do you want to start from scratch with another vendor? If they deprecate their services, too bad. Maybe they’ll recommend someone else for you to use.”
And if that's all true, it puts organizations that want to build IoT devices in a very tough spot. If they can't rely on in-house expertise because they don't have it, and they can't rely on SaaS because it might compromise their IoT infrastructure, what is the alternative?
“No-Data” architecture for secure IoT
Onymos uses something called “no-data” architecture to protect its customers’ data flows — by staying out of them. I asked Shiva to explain how “no-data” architecture works in more detail.
“[Onymos] might be the only vendor out there that says, ‘Nope, we don’t need your data to provide you the functionality you need.’
“Essentially, we provide the libraries or licensed source code for a complete IoT software solution. We designed it all to take the data from your app and put it directly into your data center.
“It doesn’t have to stop over at an Onymos server or be accessed through an Onymos-hosted portal. We don’t see or access a bit or byte of your data. We put all of the software you get from us in your control.
“It’s like your developers went to sleep, woke up, and had all of this code checked into your source control system. That’s ‘no-data’ architecture. There’s absolutely no lock-in. We built our platform to be the opposite of that. It’s designed to help you build your IP, not diminish it. More IP is more application security. It means fewer attack surfaces for malicious actors to try and exploit.
“The other benefit is you’re taking your data out of the honeypot. You might think a big SaaS provider can do data security better than you, but even if that’s true, that big SaaS provider is getting attacked more than you in the first place. It has everyone’s data. That’s why they’ve been breached before and will be again despite all the security they have in place.”
3 steps for better IoT cloud security
If you’re a device manufacturer thinking of working with an IoT technology partner, we recommend taking these three steps before you commit.
- Don’t just audit them. Audit their customers. Review their case studies, visit their customers’ websites, and even consider connecting with those customers directly. A years-old website quote might be misleading. In fact, this isn’t just about security. It’s about understanding what kind of relationship you can expect to have with a potential technology partner.
- Maximize ownership. Control the things you can control. If you outsource any component of your IoT system, make sure you fully understand what you’re gaining and, maybe more importantly, what you’re losing.
- Avoid lock-in. Vendor lock-in has brought more than one IoT initiative to a screeching halt. Know how to extract as much of your product as possible from third-party platforms and services. Can you export your data? Is there a cost? In what format will you receive that data?
If you think Onymos can help you build, monitor, and secure your IoT system or want to know more about “no-data” architecture, reach out to our team.