5. Encrypt persistent data at rest - Securing Internet of Things (IoT) with AWS

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

5. Encrypt persistent data at rest

For devices such as sensors or cameras, information stored on deployed devices may seem innocuous, but when physical control of a device is not guaranteed, that information can be a target for unauthorized actors. Whether in the consumer space (cached videos on cameras), in industrial applications (proprietary machine learning (ML) models), or even in configuration data for operational environments, the best course of action is to encrypt all data stored at rest (even transient data) when possible. Some additional considerations include:

  • Identify and classify data collected throughout your IoT ecosystem and learn their corresponding business use case.

  • Categorize data based on the earlier risk analysis, including impact to other stakeholders.

  • Identify opportunities to stop collecting unused data or to reduce its granularity and retention time, then implement those improvements.

  • Ensure integrity of data used to operate devices through cryptographic mechanisms.

  • Apply access controls to encryption keys using the least privilege principle, and monitor and audit data access.

  • When necessary, follow least privilege and need-to-know principles when granting access to third parties.

  • Consider privacy and transparency expectations of your customers and corresponding legal requirements.

Supporting AWS resources

AWS provides the following assets and services to help you secure IoT data at the edge and cloud: