Security challenges and focus areas

Security risks and vulnerabilities have the potential to compromise the security and privacy of customer data in an IoT application. Coupled with the growing number of connected devices, and the data generated, the potential for security events raises questions about how to address security risks posed by IoT devices and device communication to and from the cloud. Common customer concerns regarding risks focus on the security and encryption of data while in transit to and from the cloud, or in transit from edge services to and from the device, along with patching of devices, device and user authentication, and access control. Another class of security risks stem from protecting physical devices. Hardware-based security, such as using Trusted Platform Modules (TPMs), can protect the unique identities and sensitive data on a device and protect it from manipulative events such as probing of open interfaces on the device.

Addressing these risks by securing IoT devices is essential, not only to maintain data integrity, but to also protect against security events that can impact the reliability of devices. As devices can send large amounts of sensitive data over the internet, and end users are empowered to directly control a device, the security of “things” must permeate every layer of the solution. This whitepaper walks through the ability to integrate security into each of these layers using cloud-native tools and services.

The foundation of an IoT solution must involve security throughout the process or else risking costly recalls or expensive retrofitting when poor security implementations lead to customer issues or downtimes. Getting the right foundations in place makes it easier to adjust to changing conditions and makes it possible to layer on services capable of continuously auditing IoT configurations to ensure that they do not deviate from security best practices and respond if they do. After a deviation is detected, alerts should be raised so appropriate corrective action can be implemented—ideally, automatically.

To keep up with the entry of connected devices into the marketplace, as well as the threats coming from online, it is best to implement services that address each part of the IoT ecosystem and overlap in their capability to secure and protect, audit and remediate, and manage fleet deployments of IoT devices (with or without connection to the cloud). In addition, with the accelerated adoption of Industrial IoT (IIoT) connecting operational technologies (OT) such as industrial control systems (ICS) to the internet, new security challenges have arisen. OT environments are leveraging more IT solutions to improve productivity and efficiency of production operations. This convergence of IT and OT systems creates risk management difficulties that need to be controlled. Operational technology controls physical assets and equipment such that if there is unintended access, it could impact outages of critical services. To address these emerging concerns, customers must evaluate the unique considerations these bring, and apply the appropriate security considerations. In later sections, this whitepaper provides prescriptive guidance on addressing the security concerns related to various IoT use cases including consumer, enterprise, and industrial.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Abstract and introduction

AWS IoT services and compliance