What is an IoT security solution?
An IoT security solution is designed to safeguard connected devices, data and all the components of an IoT platform.
Threats and bad actors continue to evolve to find new ways to breach data security, disrupt reputations and cause financial loss. That’s why, when you are looking for an IoT platform, be certain it comes with stringent security built in from the start—security measures that are robust, certified, governed and under constant scrutiny.
The best IoT security is engineered into the architecture from the start, certified by third parties and receives the top grade for security management best practices and comprehensive controls.
Why use IoT security?
An IoT security solution is absolutely essential to doing business in today’s connected world. Without security, your business can be vulnerable to hacks and data breaches that make private information public and exploited, threatening the well-being and reputation of your company, your customers and business partners. With the right solution, you can block hackers and their abhorrent practices to minimize risks and assure business continuity.
According to Beecham Research, a leading technology research and analysis firm that specializes in IoT, nearly three quarters of IoT projects won't be considered successful. One reason: IoT security. Many IoT users fail to take even the most basic security precautions, such as changing default/vendor-supplied passwords.
An IoT security platform can make managing the security of IoT devices much easier. When choosing an IoT platform, ask:
- Is the platform certified for compliance with ISO 27001, ISO 27017 and ISO 27018?
- Is the platform’s architecture designed to protect physical, network, application and access control?
- Is security intrinsic to the platform’s software development process?
- Has the platform been graded by SSL Labs? If so, what was the grade?
- Will you be able to secure data between tenants or groups on your IoT solution?
- Is communication secure with the platform’s APIs?
- How are servers, storage and network devices physically secured?
Benefits of the IoT security solution
The Cumulocity IoT platform was originally designed to meet the carrier-grade security requirements of Nokia in 2010. Since then, it has been tested and deployed by the world’s biggest carriers, including Deutsche Telekom.
The IoT security platform delivers carrier-grade features, such as secure multi-tenancy, scalability, high availability and encryption—making it secure for virtually any IoT use case, from smart, connected products to industrial IoT (IIoT), from utility monitoring to smart cities, from tracking vehicles to tracking crowd movement.
Certified with highest grade for security
All data is transported using TLS 1.2, and the platform has been graded A+, the highest possible grade, by respected security firm SSL Labs. In addition, the Software AG Cloud Information Security Management System has attained the ISO 27001, ISO 27017 and ISO 27018 Information Security Management standards. This certifies our software development processes and management controls are sound and support the development of secure products.
The Cumulocity IoT security framework allows companies to meet the security, governance and regulatory requirements of their markets (for example, HIPAA, PCI-DSS or safety critical standards such as NERC-CIP and NIST). Cumulocity IoT also integrates seamlessly with a range of security frameworks, which means it can conform to the standards, roles and access privileges already defined in your organization.
Security philosophy & commitment
Security is built into the Cumulocity IoT software development process, woven into every line of code. Everything we do related to security is driven by a security program based on the OpenSAMM (Open Software Assurance Maturity Model), a vendor-neutral framework. This model helps define and measure all security-related activities for the development, verification and deployment stages of Cumulocity IoT, ensuring exhaustive governance and continuous improvement. Software AG works closely with security researchers and third-party vendors to understand emerging threats and how to mitigate them.
There is no direct access to the internal code and functions of Cumulocity IoT. All interactions take place through a set of secure public-facing APIs, which expose every function of the platform in a way that can be used with your own applications or devices. Our approach means Cumulocity IoT supports a whole host of security standards and protocols that ensure communication with its APIs are secure and data cannot be compromised while stored or in transit between the cloud, devices and your local network.
Physical security includes unauthorized access to IoT devices, for example, to redirect or manipulate data from devices, read credentials from devices or change a device’s configuration. Software AG works with customers to provide best practice and guidance on protecting devices. Our Cumulocity IoT platform architecture also monitors for and reports secure incidents, such as activation of tamper devices, which may indicate an attempt to subjugate a device.
Cumulocity IoT includes an end-to-end implementation of HTTPS from devices to applications. A customer’s specific ports and services from their infrastructure are not exposed to the public Internet. Additionally, all communication with Cumulocity IoT requires individual authentication and authorization, whether a device, application or user.
Cumulocity IoT follows standard practices for application-level hardening, such as making sure only properly upgraded operating systems and web servers are in use. Best practices make Cumulocity IoT secure by design. For example, all Cumulocity IoT functionality is coherently implemented with the same set of publicly documented, stateless REST APIs. This means that none of the popular “session stealing” techniques will work with Cumulocity IoT.
Cumulocity IoT does not use a SQL database for IoT data storage and is itself not based on a scripting language. This means that so-called “injection attacks” will not work with Cumulocity IoT.
Devices are treated like any client application connecting to the platform via HTTP or MQTT secured by TLS; this negates popular device attacks. In addition, devices are individually connected with Cumulocity IoT’s device registration feature. This means that if a device is stolen or tampered with, it can be individually disconnected from Cumulocity IoT.
Cumulocity IoT uses a standard authentication and authorization process based on realms, users, user groups and authorities. The IoT platform creates a new realm for each tenant to store the users of that tenant. This realm is fully isolated from other tenants, and administrators are appointed that assign permissions through their own administration application. Permissions and roles for devices and groups of devices can also be created at very granular levels and custom configurations defined to meet an organization’s unique requirements.
Cumulocity IoT has native multi-tenancy, which means a single instance of Cumulocity can securely serve multiple enterprises, without placing any data at risk of compromise. We achieve this by separating data on at least two levels. Data can be physically separated across different tenants for security, but also within a tenant using the role-based access controls. As an example, an industrial machine manufacturer would have its data fully isolated from its competitors but also offer 100% separation of the customers (factories) that use its machines. All data on Cumulocity IoT is isolated and protected, ensuring the privacy of all tenants and their customers.
Extensible security model
The security model in Cumulocity IoT can be extended by third parties, such as those in our IoT ecosystem, with proven integration capabilities for technologies, including full public key infrastructure or intrusion detection and prevention solutions.
Certified hosting partners
The cloud version of Cumulocity IoT is hosted on Amazon Web Services (AWS), architected to be one of the most flexible and secure cloud computing environments available today. AWS is certified according to ISO 27001, PCI DSS and many other accreditation bodies.
Handling a security event
When a security event occurs, whether at an application level or on the network, Cumulocity IoT enables applications and agents to write audit logs, which are persistently stored and cannot be externally modified after being written. Cumulocity IoT also writes its own audit records related to login and device control operations. Administrators are also alerted to security events as they occur so remedial action can be taken.