Cloud Security in the Age of IoT

The proposed bill, Internet of Things (IoT) Cybersecurity Improvement Act of 2017, requires vendors to ensure that their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain vulnerabilities.

Unfortunately manufacturers had none or negligible security design into their products as they are driven by tight margins, high volume and speed of time to market. Having security built into IoT products need investment, expertize and product redesign as security needs more computing power. So for IoT to have a certain level of security it needs a cloud that can support scaling up and computing resources.

Cloud security is about policies, process, technologies and controls to protect the data, application and infrastructure. We could either follow the traditional approach to ban anything out of fear or embrace IoT. IoT is so immense to be ignored hence it needs to be embraced, so the next best option would be for governments or industry to regulate the devices and the cloud service providers offering these cloud computing services.

In Singapore, the InfoComm Media Development Authority (IMDA) has released a “Cloud Adoption Starter kit” handbook that gives a beginner view on cloud and cloud security on those who are planning to adopt the move to cloud. They have also released the “Cloud Computing in Singapore” booklet which provides an overview of Singapore’s cloud computing ecosystem and consists of variety of cloud adoption case studies; featuring Cloud Service Providers’ journey achieving Multi- Tier Cloud Security certification. The booklet also contains directory listings of IaaS/PaaS, SaaS(Infrastructure as a service/ Platform as a service/ Software as a service), Cloud Technology Companies, Cloud Training Providers and MTCS Certification Bodies. And Singapore was the first to launch the Multi-Tier Cloud Security (MTCS) Singapore Standard (SS) 584 a world’s first cloud security standard that covers multiple tiers of cloud security. It can be adopted by Cloud Service Providers (CSPs) to meet different cloud user needs for data sensitivity and business criticality.

The MTCS standard seeks to drive cloud adoption across industries by giving clarity around the security service levels of cloud providers, while also increasing the level of accountability and transparency from CSPs. As of 23 Jan 2018, a total of 128 cloud services are MTCS certified. Of these, 107 are IaaS/PaaS and 21 are SaaS.

In conclusion, the more the insecure IoT devices the more it increases the risk to consumers. To reduce these risks, the industry, regulators must work together to mitigate these risks and the risks associated with the cloud computing services. A standards-based approach similar to Singapore could be one possible option to address such issues related to cloud computing services and an industry-led approach to address the security design and protocols of the IoT devices. These approaches would lead to a strong consumer satisfaction when deploying IoT devices and pave a secure way forward into the future.