By Dragan Petkovic, Security Product Leader ECEMEA Oracle
The worldwide number of connected devices is already impressive but this is just the beginning. With the projected increase of connected devices comes additional complexity, presenting challenges in terms of their security and manageability. The security of IoT devices is important, but needs to be looked at holistically, the concept we often refer to is ‘security core to the edge’.
Java Card update boosts IoT device security
Oracle has released a new version of Java Card, one of the most popular open applications used in some of the most sensitive devices, on January 16 2019. Release 3.1 is an extensive update which provides more flexibility to help meet the unique hardware and security requirements of both existing secure chips and emerging IoT technologies. New features introduced with this release address use cases across markets ranging from telecom and payments to cars and wearables. Java Card introduces features that make applications more portable across security hardware critical to IoT.
This enables new uses for hardware-based security, such as multi-cloud IoT security models and makes Java Card the ideal solution for tens of billions of IoT devices that require security at the edge of the network. This enhancement enables emerging applications such as smart metering, industrial IoT, wearables, automotive and most importantly, cloud connected devices.
New features include rapid deployment of edge security services, dedicated IoT features and development enhancements which simplify development, code maintenance and upgrades. The 3.1 release enables the roll-out of security and SIM applications on the same chip, allowing services to be used on a large spectrum of networks from NB-IoT to 5G, and on a wide range of devices.
Treat connected devices like humans
The next step is the Oracle IoT Cloud Service, which is designed on a security foundation, using mutual certificate authentication between components. Participants in the IoT process are sometimes referred to as non-carbon identities. This concept mandates that connected devices should be treated like humans when it comes to security. We need to govern their lifecycle through provisioning, deprovisioning and attestation. We need to apply similar behavioural analytics that we use for humans and that is where the E in UEBA (User and Entity Behaviour Analytics) comes from. One can assume that connected devices create vast amounts of data, which can be sensitive. Protecting this data is often neglected, but it is crucial for the security posture.
This is the concept of security core to the edge for IoT in a nutshell. IoT also affects our security decisions in seemingly unconnected areas though. With a large number of IoT devices, especially personal ones being hopelessly misconfigured there is an elevated threat of distributed denial of service attacks