[From the last episode: we looked at Alertgy, a new company trying to make accurate, non-invasive glucose testers]

We’ve just spent a bunch of time discussing communications. But being able to communicate means you need to get your messages out and in. Which means you need, so to speak, a window or a door to do so. And once you have a window or door, well, if you’re not careful, anyone can get in. That’s where securityRefers to whether or not IoT devices or data are protected from unauthorized viewers. comes in. It’s an important part of communications. There are tons of good communications ideas out there, but many of them fail because they’re not secure.

But security isn’t just about communications. If someone has a device in their hands, they may try to break in. There’s no electronic finesse there; just the electronic equivalent of screwdrivers and hammers to break things open in an attempt to discover secrets. We saw this back in our introduction to device security.

Psssst! I Have a Secret…

Yup! Good security is about keeping secrets. The tricky part is doing it in a way that’s as foolproof as possible. Your login passwords are also supposed to be secrets, but… well, let’s take what security folks have yelled at us for years to do:

• Use random, hard to guess (which also happens to mean “hard to remember”) passwords
• Don’t write them down anywhere
• Use a different password everywhere
• Change them frequently.

Um… right. That may be a very secure procedure, but only someone with a photographic memory can do so. So that’s what I mean by saying that the security mechanisms must be achievable. To be clear, we won’t be talking about passwords here. You control your passwords for accounts. The security we’ll be talking about won’t necessarily be visible to you (although, if you pay close attention on a slow computer, you might see elements of it as your browser connects to secure sites).

Basic Security Operations

In our introduction to data security a while back, we identified three things to protect: data in motion, data at rest, and data in use. In this series of posts, we’re going to look at several different mechanisms for providing security:

• EncryptionEncryption refers to encoding and decoding (or encrypting and decrypting) data so that it can't be read unless you have the right key. It's critical for good security.: this is how we protect sensitive data anywhere – except when it’s actually in use within some device. ProcessorsA computer chip that does computing work for a computer. It may do general work (like in your home computer) or it may do specialized work (like some of the processors in your smartphone). can’t work on encrypted data; they need the real thing.
• AuthenticationThis is the act of proving to some other entity that you are truly who you are representing yourself to be. That is, you're not pretending to be someone else. "You," of course, means a computer or IoT device or any other entity trying to make a network connection with another computer or device.: this is how, more or less, you prove that you’re really you. If you connect a device to the internet, how do they know it’s you? How do you know you really got to where you think you got to on the internet rather than some impostor site?
• AuthorizationThe process of deciding what privileges – if any – someone gets on a network, server, or other asset.: OK, so you proved you’re you when getting onto a site. While there, what do you have permission to do?
• AttestationA security operation that involves “inspecting” software (and perhaps also data) to check whether anything has been altered.: If you receive something from someone – say, a softwareIn this context, "software" refers to functions in an IoT device that are implemented by running instructions through some kind of processor. It's distinct from "hardware," where functions are built into a silicon chip or some other component. update – how do you know it hasn’t been monkeyed with on the way? Updates are super attractive to hackersA misused, but common term for an unauthorized person trying to break into a device or network. Originally, in this context, "hackers" referred to the good guys (or "white hats"), while "crackers" were the bad guys (black hats).: if they can fool you into accepting an update that actually plants malwareSoftware that usually finds its way into a computer or phone or IoT device without the knowledge or approval of the device's owner. It's malware when the intended purpose of the software is to cause some kind of harm. into your IoTThe Internet of Things. A broad term covering many different applications where "things"  are interconnected through the internet. device, it’s a huge win for them.

During this phase of our discussion, we’ll cover a number of topics related to these four areas. We’re going to simplify things somewhat (OK, a lot if you’re reading this as an expert), but there are lots of interesting ideas that get woven into the whole security discussion.

We’ll follow that up with more detail on device security: how hackers might try to pry secrets out of your hardwareIn this context, "hardware" refers to functions in an IoT device that are built into a silicon chip or some other dedicated component. It's distinct from "software," which refers to instructions running on a processor. if they get their hands on it.

If things feel a little swimmy with some of the weirdness we’ll encounter, don’t worry. It happened to me too. I survived, and so will you.

Here we go!