[From the last episode: SecurityRefers to whether or not IoT devices or data are protected from unauthorized viewers. and privacyRefers to whether or not information gathered about your usage of IoT devices by authorized people can be made public, or shared with others, without your consent. Different from (although related to) security, which protects such data and devices from access by unauthorized people. Different from privacy, which is more concerned about use of data by authorized people. are related, but distinct, notions. Both will be critical to the success of the IoTThe Internet of Things. A broad term covering many different applications where "things" are interconnected through the internet..]
Security is an extraordinarily complex topic. Just when you think you have your arms around it, someone comes up with yet another way to cause havoc. It also has a language all of its own, complete with colorful characters using that language (but hopefully not colorful language, at least until something goes wrong…).
So we’re not going to get into the totality of security. Even trained engineers who don’t specialize in security can be flummoxed by some of the ideas. But we can go a fair distance into exploring all of the issues that security raises. We won’t do them all in this post, however. For now, we’ll go to the very highest level as a basis for drilling down later.
When You Think “Security,” You’re Probably Thinking Data Security
The biggest reason people want security is to protect data. Volumes of data are stored in far-flung locations, and much of it would be of great interest to many people that have no business viewing it. You’ve probably seen some of the many major security failures that have made news headlines.
It would be easy for you to think that this was about preventing access to hard disks or other permanent storageThis usually refers to memory that doesn't lose its contents when powered off - like a thumb drive or a hard disk. It's a place to store data. drives, where lots of data is stored. But it’s more than that. There are three “types” of data that need protection.
- Data at rest: this refers to any data stored in permanent memory somewhere. So the hard disk examples belong in this category. It’s the easiest to visualize.
- Data in motion: if someone or something wants to get some data that’s located somewhere else on the networkA collection of items like computers, printers, phones, and other electronic items that are connected together by switches and routers. A network allows the connected devices to talk to each other electronically. The internet is an example of an extremely large network. Your home network, if you have one, is an example of a small local network. – and if they’re authorized to get that data – then they will access that resting data through a file transfer. That data will move to their computer, and possibly even to their own local hard driveA type of persistent (non-volatile) memory built from rotating platters and “read heads” that sense the data on the platters.. That means the data has to travel through the network to get from its original storage location to the computer that has requested it. If someone is snooping on the network while the data comes by, then they could see it, steal it, or even mess with it.
- Data in use: this is data that’s being actively processed in your computer. Let’s say you requested data, and it was transferred from secure storage through a secure network onto your computer. And now you’re doing something with it. That means that your computer’s processorA computer chip that does computing work for a computer. It may do general work (like in your home computer) or it may do specialized work (like some of the processors in your smartphone). (a CPUStands for "central processing unit." Basically, it's a microprocessor - the main one in the computer. Things get a bit more complicated because, these days, there may be more than one microprocessor. But you can safely think of all of them together as the CPU. or other processor) is manipulating the data. Temporary pieces of the data might end up in temporary computer memory here and there (DRAMStands for "dynamic random access memory." This is temporary working memory in a computer. When the goes off, the memory contents are lost. It's not super fast, but it's very cheap, so there's lots of it. , SRAMStands for "static random access memory." This is also temporary memory in a computer. It's very fast compared to other kinds of memory, but it's also very expensive and burns a lot of energy, so you don't have nearly so much. , or cache). If anyone can access your computer’s processor or local memory (yes, it’s happened), then they can steal, or even modify, that data.
The Risks of Unauthorized Data Access
If you have sensitive data, then an obvious risk of someone accessing it is that they’re seeing something you didn’t want them to see. But there are a couple of other risks.
- What if you think you’re getting data from one place, but in fact someone is fooling you into getting what looks like your data from somewhere else? It might now be fake data.
- Or what if someone captures the data as it’s traveling along the network and makes changes? Again, you’ll be receiving data, some or all of which is fake. That’s what I mean by “messing” with your data.
There are many scenarios like this that security professionals try to work through. And every time there is a new breach, they analyze it to figure out what happened — and how they can prevent it in the future.
If you read through some of the literature, you’ll fund amusingly consistent references to fictitious people like Alice, Bob, and a possible host of other characters. These are simply names (starting with A and B, etc.) for actors in imagined security scenarios. Part of the language of security. The actual scenarios they illustrate, however, can range from obvious to mind-bending.
Next we’ll look at security for protecting IoT devices.
Leave a Reply