Will a fight break out over who’s responsible for securing data? Maybe. Will
companies start taking security seriously? Not sure. Will design
engineers need to address security before corporate management?
A key component of the Internet of Things (IoT) and the Industrial Internet of
Things (IIoT) is the cloud: the group of services, residing nearly anywhere,
that will house all the data collected. Despite all the buzz about the IoT and
its variations, most actual implementations are in the very beginning stages of
development. Now is a good time for users and designers of equipment that will
link to the cloud to look into just how they will secure all of the data.
Recent surveys and studies indicate, though, that companies are not as focused on data
security as they should be. For example, according to findings from “The 2016
Global Cloud Data Security Study” from Ponemon Institute, organizations
and companies are not adopting appropriate control and security measures to
protect sensitive data they store in the cloud. The study surveyed more than
3,400 IT and IT security practitioners worldwide to gain a better understanding
of trends in data collection and security practices for cloud-based services.
They found that:
• Half of all cloud services and corporate data stored in the cloud are not
controlled by IT departments.
• Only a third of sensitive data stored in cloud-based applications is
encrypted.
• More than half of companies do not have a proactive approach for compliance
with privacy and security regulations for data in cloud environments.
“Cloud
security continues to be a challenge for companies, especially in dealing with
the complexity of privacy and data protection regulations,” said Dr. Larry Ponemon,
chairman and founder, Ponemon Institute. “To ensure compliance, it is important
for companies to consider deploying such technologies as encryption,
tokenization or other cryptographic solutions to secure sensitive data
transferred and stored in the cloud.”
Jason Hart, Vice President and Chief Technology Officer for Data Protection at
Gemalto, a leader in digital security, agreed: “It’s quite obvious security measures
are not keeping pace because the cloud challenges traditional approaches of
protecting data when it was just stored on the network. It is an issue that can
only be solved with a data-centric approach in which IT organizations can
uniformly protect customer and corporate information across the dozens of
cloud-based services their employees and internal departments rely on every day.”
The state of IoT security today
Thus, working with IT departments will be key to securing cloud data. But, the study
found that nearly half (49%) of cloud services are deployed by departments
other than corporate IT, and an average of 47% of corporate data stored in
cloud environments are not managed or controlled by the IT department. Until
such time as individual companies come up with a policy, engineers may have to
take a proactive approach and initiate conversations with customer IT
departments early in the design phase.
Just what kind of security measures are needed? 54% of survey respondents felt it
was more difficult to protect confidential or sensitive information when using
cloud services. 53% of respondents report difficulty in controlling or
restricting end-user access. The other major challenges include the inability
to apply conventional information security in cloud environments (70% of
respondents) and the inability to directly inspect cloud providers for security
compliance (69% of respondents).
Customer information stored in the cloud is most at risk. According to the survey,
customer information, emails, consumer data, employee records and payment
information are the types of data most often stored in the cloud. Cloud storage
of this information has increased from 53% in 2014 to 62% today.
53% considered customer information data to be the most at risk in the cloud.
The majority of respondents (64%) said their organizations do not have a policy
that requires use of security safeguards, such as encryption, as a condition to
using certain cloud computing applications. This situation challenges designers
during product design.
72% of respondents said the ability to encrypt or tokenize sensitive or
confidential data is important, with 86% saying it will become more important
over the next two years, up from 79% in 2014.
Yet, passwords and similar conventional security measures are no longer adequate.
67% of respondents said the management of user identities is more difficult in
the cloud than on-premises. However, organizations are not adopting measures
that are easy to implement and could increase cloud security. About half (45%)
of companies are not using multi-factor authentication to secure employee and
third-party access to applications and data in the cloud, which means many
companies are still relying on just user names and passwords to validate
identities. This puts more data at risk because 58% of respondents say their
organizations have third-party users accessing their data and information in
the cloud.
Easier security solutions on the way
In some cases, communication developers are adding features that are easy for
design engineers to incorporate into their designs, helping improve security.
One example is the PAC Project 9.5, which provides updated firmware for Opto 22
SNAP PAC S-series and R-series controllers that enables a secure HTTPS server on
PAC controllers. Combined with a RESTful open and documented API, it allows
developers to write applications that access data on the PAC using the
developer’s programming language of choice with the JSON data format. This new
capability allows software and IoT application developers to eliminate layers
of middleware for secure Industrial Internet of Things (IIoT) applications.
Firmware version 9.5 for SNAP PAC R-series and S-series controllers enables REST
endpoints for analog and digital I/O points as well as control program
variables including strings, floats, timers, integers, and tables. REST
endpoints are securely accessed using the RESTful API for SNAP PACs.
Client data requests are returned in JavaScript Object Notation (JSON) format. PAC
controllers and I/O can be used with almost any software development language
with JSON support, including C, C++, C#, Java, JavaScript, node.js, Python,
PHP, Ruby, and many more. Developers can use the development environment and language
of their choosing to write new software, create web services, and build
Internet of Things applications.
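A minimal client for the pattern described above, as an added example that is not Opto 22's code or part of the original article: it reads a JSON value from a controller's HTTPS REST endpoint while keeping certificate and hostname verification on and refusing to send credentials over plain HTTP. The URL, the HTTP Basic credential scheme and the `{"value": ...}` response shape are assumptions for illustration, and the sample response is constructed.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlsplit


def make_tls_context(ca_file=None):
    """TLS context that always verifies the controller certificate and hostname.

    ca_file (assumption): PEM file of the CA that signed the controller's
    certificate, so verification never has to be switched off.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_request(url, key_id, key_value):
    """Build a GET request; refuse to send credentials over plain HTTP."""
    if urlsplit(url).scheme != "https":
        raise ValueError("credentials must only be sent over https")
    token = base64.b64encode(f"{key_id}:{key_value}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",  # assumed auth scheme
        "Accept": "application/json",
    })


def parse_value(body):
    """Return the numeric 'value' field of a JSON reply; reject anything else."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or "value" not in doc:
        raise ValueError("unexpected response shape")
    value = doc["value"]
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError("value is not numeric")
    return value


def read_point(url, key_id, key_value, ca_file=None, timeout=5):
    """Fetch one point or variable from the controller (url is hypothetical)."""
    req = build_request(url, key_id, key_value)
    ctx = make_tls_context(ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return parse_value(resp.read())


if __name__ == "__main__":
    print(parse_value(b'{"value": 72.5}'))  # constructed sample response
```
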
The addition of a secure RESTful server and an open, documented API to a
programmable automation controller (PAC) is a significant industry innovation,
because REST architecture and associated technology are intrinsic to the
Internet of Things and paramount to web and mobile-based application
development. Opto 22’s implementation of REST directly into a commercially
available, off-the-shelf industrial PAC places the company as one of the first
industrial automation and controls manufacturers to offer this industry-changing
technology.
More IoT solutions
The UNO-1251G is a DIN-rail mountable IoT Gateway from Advantech’s IIoT Automation
Group. It’s about the size of a micro PLC. For accessibility, the industrial
computer comes with a programmable OLED display, a wireless communication slot,
and built-in CANbus protocol. It supports over 450 PLCs, controllers, and I/O
device protocols with WebAccess/HMI software.
This gateway is suitable for networking intelligent I/O devices such as sensors and
actuators. To aid development of CANbus applications, the UNO-1251G includes
the Advantech CANopen protocol library, which provides a C application
programming interface (API) for configuring, starting, and monitoring CANopen
devices.