2022-06-18, 14:00–14:45, Track 1 (UC Conference Rm A)
Securing IoT devices is complex, but Cloud platforms help alleviate core security concerns such as availability, authentication/authorization, and logging. When migrating IoT devices to the Cloud, which platform should you use? We will introduce core IoT services within the major cloud providers (AWS, Azure, and GCP) and investigate their pros and cons.
When IoT security is mentioned, it is typically in reference to a physical device. For device security, you must consider the security of its hardware, software, local communications (LAN, BLE, etc.), and Internet communications. However, IoT should be viewed as an ecosystem that includes not only the device, but also its supporting mobile applications and its Internet/Cloud communications.
What security controls matter for Internet communications? They include availability, authentication/authorization, and logging. All IoT Cloud providers include these security controls and create a robust system for their connected IoT devices. However, not all Cloud providers handle IoT services the same way.
For the three major Cloud platforms - AWS, Azure, and GCP - there are major differences in the way IoT services are implemented, and each has its pros and cons. For AWS, its IoT services contain many useful features, and it provides custom access controls for device communication. However, the AWS services require a steep learning curve, and their naming conventions can become confusing. For Azure, its IoT services are feature rich and very flexible in where they can send device data. The downside for Azure is its reliance on premium IoT Edge devices, which can quickly become expensive at scale. Finally, for GCP, its IoT services do not have as many features as AWS or Azure, but its core features are fast and secure by default.
Each Cloud provider has its pros and cons, but which platform should you choose for your IoT ecosystem? Unfortunately, there is no one-size-fits-all solution. One deciding factor could be where you have already positioned your Cloud assets. Each IoT Cloud provider has its own internal communication channels that allow greater cohesion with its other Cloud services. Another deciding factor is the amount of additional features you want for your IoT devices. Both AWS and Azure have monitoring and detection capabilities for suspicious device behavior. Regardless of which platform you choose, Cloud greatly increases IoT security and provides strong availability, authentication/authorization, and logging controls.
Jonathan Fisher is a staff security engineer at Praetorian, with a focus on IoT security. Jonathan has performed numerous security assessments against a large range of IoT devices, including consumer, medical, vehicle, and industrial connected devices. He also holds the OSCP and eCPTX certifications.