Secure Development of Internet of Things Products for Education

min read

By Vaughn Eisler and Renault Ross

Vaughn Eisler is a business development manager and Renault Ross is a national security architect at Symantec Corporation.

The Internet of Things (IoT) represents a major departure in the history of the Internet, as connections move beyond computing systems and begin to power billions of everyday devices, from smart meters to home thermostats to remote e-learning systems. The market demands that these devices and sensors have a multilayered security and data management approach to ensure they are properly identified, secured, and trusted and that the data they produce remains private, managed, and analyzed.

Due to projections of massive scale and the unique requirements of the ever-changing and nascent IoT market, additional demands within the market must be met. It is critical that security vendors have dedicated product management, engineering, development, and go-to-market resources to ensure security is integral to these devices before they become integrated in end-user systems.

Capabilities based on the unique requirements of the IoT market — from IoT system lockdown and compliance to intrusion prevention — are needed. Additionally, vendors should embed technology directly at the operating system and chip level, building new technology for very low powered chips and using new analytical techniques to evaluate the data for certain use cases.

IOT will have a significant impact on the education system, ranging from concepts like advancing online courses to include information such as how much time people spend on course materials in online courses, to building new programming paradigms into courses that teach designing and building technology systems that reflect the openness and participation of IOT, to improving the accuracy of research with big data and analytics concepts.

Many IOT concepts have already reached the education market. Small sensors, or "things," are capturing data and becoming more contextually aware. By providing more real-world information, sensors are enabling more relevant and valuable decisions. For example, consider attaching sensors to a skeleton within an archeological dig to monitor the skeleton's temperature and condition. Another example includes leveraging RFID to track and observe wild animals and marine life. All of this type of information can be made available to teachers, helping them increase their understanding of a topic and updating them on the latest field research.

Many IOT concepts are available in the consumer market; the expansion of IOT within education depends on mitigating risks. With different devices interconnected, a greater amount of security is required for sensors and systems, along with the need to manage and analyze the explosion of data these sensors report. This outcome has compelled the education system to take a much closer look at how to provide end-to-end security and data management. It will take a combination of best practices, technology, and focused effort to mitigate the risks.

Industry recommendations should include consideration of the following aspects:

  • A strong defense-in-depth security architecture. A defense-in-depth approach is a multilayered security strategy that provides holistic security throughout an educational system.
  • Security certificates, based on Public Key Infrastructure, will ensure that devices (such as smart meters) communicating with critical infrastructure are properly identified and trusted as sources of information.
  • Signing certain applications that may reside within a network let the operator ensure the integrity of those applications both to their own systems and to third parties who might eventually want access to those applications.
  • Other edge protections including authentication, authorization, VPN, and antivirus software are required to ensure the perimeter is secure.
  • System hardening through application whitelisting, intrusion detection, intrusion protection, password management, and user profile definition will lock down each component within the network.
  • Access control mechanisms ensure that only authorized parties are allowed to see the data being collected from the various sensors deployed worldwide.
  • Network-based backup, archiving, and discovery applications are needed for the massive amounts of data being collected.
  • Information management can help correlate all related network and component issues in one place — painting the picture of the overall security state can reveal previously unnoticed attacks.

Solutions specifically designed to work within this unique environment are required for any security program to succeed. Ultimately, collaboration between the education market and IT vendors offers the best way to develop the right technology for the Internet of Things to meet its potential.

© 2014 Vaughn Eisler and Renault Ross