Security and data privacy play a vital role in the success of an IoT solution implementation. Because Industrial IoT solutions have a vast attack surface and are heterogeneous and loosely coupled, security is a challenging aspect that needs a thorough upfront design thought process. In this blog series, I am going to describe some of the important aspects of security:
- Securing the device – Identity and authentication of the device.
- Securing the data transfer – Transport level security and message encryption.
- Security on the server side – Typically a public cloud (Azure, AWS, etc.) fills this role.
In this article, I am going to dive into device security in the Azure IoT stack. I will cover data security and cloud security in future articles. So, stay tuned!
What is device security and how can we secure it?
It all starts with device identity – setting up a device identity and protecting it from bad actors is essential. The following are the options for registering a device and authenticating it during communication.
1. Using a key – A unique identity key is issued to the device as a symmetric key. The device sends this key to Azure IoT Hub while posting telemetry. More on this in future articles.
2. Using a certificate – There are two options here. More details will be posted in future articles.
2.1 Using a CA-signed certificate – A certificate is purchased from a third-party certificate authority by generating a CSR (certificate signing request).
2.2 Using a self-signed certificate – A self-signed certificate is typically created for quick prototype projects.
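For option 1, Azure IoT Hub authenticates a symmetric-key device with a shared access signature (SAS) token: the device uses its key to compute an HMAC-SHA256 over the URL-encoded resource URI and an expiry time, and presents that signature and expiry, not the raw key. The following is an added example (not code from the original post or from the Azure SDKs) showing the device-side token generation and a simplified hub-side check; the hub name, device ID and key are constructed sample values.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote_plus, urlencode

# Constructed sample values for this demo; a real key is random bytes issued by IoT Hub.
DEMO_RESOURCE_URI = "example-hub.azure-devices.net/devices/sensor-01"
DEMO_DEVICE_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret-00").decode()


def _sign(resource_uri: str, device_key_b64: str, expiry_epoch: int) -> str:
    """HMAC-SHA256 over '<url-encoded resource uri>\\n<expiry>', keyed with the decoded device key."""
    string_to_sign = f"{quote_plus(resource_uri)}\n{expiry_epoch}".encode("utf-8")
    key = base64.b64decode(device_key_b64)
    return base64.b64encode(hmac.new(key, string_to_sign, hashlib.sha256).digest()).decode()


def generate_sas_token(resource_uri: str, device_key_b64: str, expiry_epoch: int) -> str:
    """Device side: build the SAS token presented to IoT Hub. The key itself is never sent."""
    fields = {
        "sr": resource_uri,
        "sig": _sign(resource_uri, device_key_b64, expiry_epoch),
        "se": str(expiry_epoch),
    }
    return "SharedAccessSignature " + urlencode(fields)


def verify_sas_token(token: str, device_key_b64: str, now_epoch: int) -> bool:
    """Hub side (simplified): recompute the signature from the registered key and enforce expiry."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = parse_qs(token[len(prefix):])
    try:
        sr, sig, se = fields["sr"][0], fields["sig"][0], int(fields["se"][0])
    except (KeyError, ValueError):
        return False
    if now_epoch >= se:  # expired tokens are rejected, limiting the window of a leaked token
        return False
    # Constant-time comparison so timing does not leak how much of the signature matched.
    return hmac.compare_digest(sig, _sign(sr, device_key_b64, se))


if __name__ == "__main__":
    expiry = int(time.time()) + 3600  # short-lived: an hour from now
    tok = generate_sas_token(DEMO_RESOURCE_URI, DEMO_DEVICE_KEY, expiry)
    print(tok)
    print("valid now:", verify_sas_token(tok, DEMO_DEVICE_KEY, int(time.time())))
```

Because only the signature and expiry travel over the wire, a captured token is useful only until it expires, while a leaked key allows an attacker to mint tokens indefinitely, which is why the key storage advice later in this article matters.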
After the identity is set up, the key or certificate is deployed to the device, where it must be secured and protected from misuse by bad actors (in the certificate case, this means the unique ID and the private key). Access to the private key may let attackers sign certificates fraudulently, mimic a site's identity, or send false messages from the device to the cloud, which can lead to severe consequences.
Here are some means of securing it:
- Use a cryptographic hardware storage device – hardware security modules, USB tokens, smart cards, etc.
- Restrict access to the local file system or hardware that holds the private key
- Continuously monitor access to the private key
Note: The detailed process of generating self-signed and CA-signed certificates, and of communicating with the cloud, will be covered with code samples in the next article. So, stay tuned!