By Vincent Delaroche
Every day, it seems we read something new about how the Internet of Things (IoT) is going to change our lives. Whether it’s in the form of self-driving cars, smart home appliances, fitness trackers, or retail solutions, the IoT is going to make our lives better.
But what IoT advocates and marketers don’t always take into account are the security challenges presented by interconnecting software systems that have never before had to “speak” to one another. With more than 20 billion connectable devices to manage by 2020, according to Gartner, there are going to be more systems and connection points to manage than ever before. As these systems become interconnected, vulnerabilities in one may lead to similar risk exposure in others.
What business leaders, CIOs, and chief product officers can do now is establish an effective software risk framework that considers the company’s technology strategy, existing software, and infrastructure investment and the deluge of new data and connection points that will hit the IT organization once an IoT project is deployed. Doing so will aid data integrity and safety, as well as end-to-end software application security.
The (Not so Retro) Big Data Headache
With the introduction of new devices and related data sources comes more opportunity for data corruption, instability, loss of integrity, and more possibilities for hackers to exploit weaknesses in a company’s IT ecosystem. CIOs planning to integrate IoT programs need to make critical decisions about how to manage, measure, and guarantee software reliability and performance of programs running in- and out-of-network. Not to mention, they will gain a vast amount of new data that will need to be managed in company databases. For example, the digital news outlet Quartz recently estimated that connected cars alone will send 25 gigabytes of data into the cloud every hour.
IoT requires significant reengineering to address the variety of devices and the constraints that many of these devices impose on security. For example, blacklisting consumes way too much disk space to be a practicable solution for IoT applications. Not to mention smaller devices often have small power supplies, relatively lower processing ability, and limited connectivity bandwidth.
As CIOs have more personal data and devices under their purview, it will be increasingly important to implement a data management strategy that standardizes security and quality measures under a unified umbrella. While the first fear to pop up in everyone’s mind might be about hackers accessing a company’s giant data store, the most dangerous threat actually lies in the company’s intrinsic data integrity. In healthcare, for instance, where IoT is becoming more predominant with patient sensors, bed monitors and doctors increasingly using application-generated alerts. Poor programming will have a huge and lasting impact. Over time, data integrity and corruption issues left unchecked would become a nightmare for hospital CIOs, and a big glitch could send them immediately back out into the job market.
IoT Security Must Be Scalable
The sheer volume of IoT data and devices has big implications for IT portfolio health and security. Just as CIOs carefully curate application portfolios that can scale and grow with the business, they must do the same for IoT. Simply “bootstrapping” IoT into existing IT systems will not guarantee they perform at scale. IoT security and efficiency measures must be effective at all levels.
IoT implementations will increase the number of interfaces that existing systems must support. And the data flows and data stores will clearly multiply at great speed. The architectures that support current systems will be tested and will likely have to be redesigned to support this magnitude of data and connections. Development leaders need to create new architectures to ensure scalability and security is designed into the systems that support IoT. For example, all data will have to be controlled by a rock solid and secure access software layer. Any bypass of that software layer will have to be enforced.
An incremental approach to this architecture will not be sufficient; it must have to be carefully considered and designed. Then, as the development scrums build incremental new functionality to support IoT applications, these architectures should be governed and checked systematically and holistically—from data collection up to data storage—with every sprint. Continuous automated architectural governance is a relatively new concept that leading IT organizations must implement as part of their enterprise agile frameworks in order to ensure scalability and security.
Create a Secure Ecosystem
Poorly architected IT systems remain one of the biggest software risks today. Architectural quality and security is particularly sensitive and crucial for today’s data-intensive systems, such as billing, customer relationship management, and order management. IoT presents new challenges for CIOs, CTOs, and enterprise architects, who have to visualize, quantify, and prevent risk tied to data manipulation all along the data flow chain. An immediate and significant increase of the overall software security and integrity across all newly implemented IoT and IT systems is a must.
To help CIOs manage IoT security complexity, the Open Web Application Security Project (OWASP), a community dedicated to helping organizations develop and maintain applications that can be trusted, has established a set of security recommendations. According to OWASP, CIOs should ensure that all system devices have update capacity and can be updated quickly when vulnerabilities are discovered, that update files are encrypted and that they are transmitted using encryption, that update services are secure, and products have the ability to implement scheduled updates.
In addition to the OWASP recommendations, the Consortium for IT Software Quality (CISQ), a standards group founded by the Software Engineering Institute and the Object Management Group, promotes a comprehensive quality measurement framework to build resilient, efficient, and safe IoT and IT systems. Recommendations and programming rules focus on code quality, but most importantly on the quality and technical integrity at the system level. It’s important to measure at the system level because it is the source and often the root cause of the most dangerous software corruptions. It is critically important to construct reliable and structurally sound software layers and interfaces that gracefully manage exceptions and guarantee data integrity.
CIOs embarking on IoT projects, or coming up against project speed bumps will do well to consult CISQ’s global standards and technology requirements to measure their software efficacy and prevent future disasters.
Plan for the Future
Security and privacy remain a serious concern in IoT for the foreseeable future. Even with CIOs and users proactively taking steps to secure IoT data, circumstances and threats are often well outside their control. Hackers can design and execute attacks with high degrees of sophistication—linking information not only from public networks, but also from various private sources such as phones, home automation systems and automobiles. Time will tell how sophisticated hackers and poor system constructions will become a threat in evolving business environments.
To stay ahead of the threat, CIOs must establish control over their software portfolios and begin to improve software integrity and security measures. SW
Jul2016, Software Magazine
A long-term entrepreneur and industry thought leader, Vincent Delaroche founded CAST in 1991 with the vision that software development could no longer be viewed as an obscure art, but rather a performance-driven profession. His passion to “make the invisible visible” helps business leaders and IT managers gain visibility to form better decisions, drive fact-based discussions, improve productivity and prevent businesses from losing money, customers, and reputation due to software failures.
Jul2016, Software Magazine