Does the data need to be audited?
So far in the IoT Security principles blog series we have looked at the architecture of devices, data privacy and trust, making sure that data gets to where it needs to be and on time, controlling access to devices, software updates and the transfer of ownership of devices. The final comprehensive set of principles looks at how to securely address use cases where a data audit is a necessity. IoT services may be required to meet a user audit, an enterprise audit or a regulatory audit requirement. Developers should consider providing:
- Managed access to IoT data (for example at a local hub).
  - If properly secured, this feature will build end-user trust and enable compliance with network policies (e.g. Intrusion Prevention Systems). This feature may also enable innovation via integration of IoT data sources.
- Policy controls to disable unwanted features.
  - Failure to provide these may limit use in some enterprises, regions or markets.
This is the final part of the blog series. It is a taster of the work we seek to develop through IoTSF activities with experts and practitioners – we hope you found the principles useful.
For more information on how to join the IoT Security Foundation, please click here.
There are 7 elements to the IoTSF security principles blog:
- Part 1. Establishing Principles for Internet of Things Security
- Part 2. Does the data need to be trusted?
- Part 3. Is the safe and/or timely arrival of data important?
- Part 4. Is it necessary to restrict access to or control of the device?
- Part 5. Is it necessary to update the software on the device?
- Part 6. Will ownership of the device need to be managed or transferred in a secure manner?
- Part 7. Does the data need to be audited? [this blog posting]
Edited by David Rogers, CEO Copper Horse Solutions Ltd., Member of the Executive Steering Board IoTSF.