Best Practice 7.1 – Use encryption to protect IoT data in transit and at rest - IoT Lens Checklist

For data at rest, the Storage Networking Industry Association (SNIA) defines storage security as “Technical controls, which may include integrity, confidentiality and availability controls that protect storage resources and data from unauthorized users and uses.” Therefore, protect the confidentiality of sensitive data, such as the device identity, secrets, or user data, by encrypting it at rest. For data in transit, use a secure transport mechanism such as TLS to protect the confidentiality and integrity of all data transmitted to and from your devices.

Recommendation 7.1.1 – Require the use of device SDKs or client libraries for the device to communicate to cloud

Configure the IoT devices to communicate only over TLS to cloud endpoints. For example, use AWS IoT Greengrass or Amazon FreeRTOS SDKs to secure connectivity from your devices to AWS IoT Core over TLS 1.2. See AWS IoT Core Developer Guide’s Transport security in AWS IoT.
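As an added example (written for this page, not code from the IoT Lens or the AWS SDKs), the Go snippet below builds a TLS 1.2-only, mutually authenticated client configuration of the kind a device would use for its MQTT session to an AWS IoT Core endpoint, together with a policy check that flags weak settings before the device connects. The endpoint name, root CA pool and device certificate are placeholders.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// deviceTLSConfig builds the client TLS settings for a device's MQTT session to an AWS IoT
// Core endpoint (TCP 8883). caPool holds the trusted root CA; cert is the device's own X.509
// certificate and private key. Hypothetical helper written for this page, not AWS SDK code.
func deviceTLSConfig(endpoint string, caPool *x509.CertPool, cert tls.Certificate) *tls.Config {
	return &tls.Config{
		ServerName:   endpoint,                // hostname verification against the server cert
		RootCAs:      caPool,                  // trust only the pinned root, not the system store
		Certificates: []tls.Certificate{cert}, // mutual TLS: the device proves its identity
		MinVersion:   tls.VersionTLS12,        // refuse TLS 1.0 and 1.1
		CipherSuites: []uint16{ // forward-secret AEAD suites only (applies to TLS 1.2)
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

// checkTLSPolicy audits a config against the recommendation and returns every violation,
// so a boot-time self-test can refuse to connect with weak settings.
func checkTLSPolicy(cfg *tls.Config) []error {
	if cfg == nil {
		return []error{fmt.Errorf("nil TLS config: transport would be plaintext")}
	}
	var errs []error
	if cfg.InsecureSkipVerify {
		errs = append(errs, fmt.Errorf("InsecureSkipVerify disables server certificate validation"))
	}
	if cfg.MinVersion < tls.VersionTLS12 { // zero means "library default", which varies by Go release
		errs = append(errs, fmt.Errorf("MinVersion 0x%04x is below TLS 1.2", cfg.MinVersion))
	}
	if cfg.ServerName == "" {
		errs = append(errs, fmt.Errorf("ServerName unset: hostname verification cannot run"))
	}
	if len(cfg.Certificates) == 0 && cfg.GetClientCertificate == nil {
		errs = append(errs, fmt.Errorf("no client certificate: device cannot authenticate itself"))
	}
	return errs
}

func main() {
	weak := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10}
	good := deviceTLSConfig("PLACEHOLDER-ats.iot.us-east-1.amazonaws.com", x509.NewCertPool(), tls.Certificate{})
	fmt.Println(len(checkTLSPolicy(weak)), "violations in weak config;", len(checkTLSPolicy(good)), "in hardened config")
}
```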

Recommendation 7.1.2 – Encrypt data at rest or secrets on IoT devices

As explained earlier in section 2.3.3, take advantage of encryption utilities provided by the host operating system to encrypt the data stored at rest in the local filesystem. In addition, take advantage of Secure Elements and TPMs. TEEs can add storage protections as well.