Will ownership of the device need to be managed or transferred in a secure manner?
This penultimate blog in the IoT Security principles series addresses transfer of ownership and how to manage it in a secure manner. Many IoT devices will change ownership at some point in their lifetime. To preserve the security of the device and data throughout its lifecycle, developers should:
- Provide a secure method to transfer ownership of the device to another user.
  - This will allow both the old and new users to verify that the transfer of ownership has succeeded and that any sensitive data will be handled appropriately after handover.
- Be clear which system components (devices, data, network etc.) are owned by the user.
  - Users or managers can clearly identify what their responsibilities are for ownership transfer. This will minimise the risk of security issues arising through misunderstandings of responsibilities.
- Ensure that change of ownership does not impact security updates.
  - Critical security updates must continue to be supplied, regardless of who now owns the device.
The final part of the series covers IoT security principles for data audit in enterprises.
There are 7 elements to the IoTSF security principles blog:
- Part 1. Establishing Principles for Internet of Things Security
- Part 2. Does the data need to be trusted?
- Part 3. Is the safe and/or timely arrival of data important?
- Part 4. Is it necessary to restrict access to or control of the device?
- Part 5. Is it necessary to update the software on the device?
- Part 6. Will ownership of the device need to be managed or transferred in a secure manner? [this blog posting]
- Part 7. Does the data need to be audited?
Edited by David Rogers, CEO Copper Horse Solutions Ltd., Member of the Executive Steering Board IoTSF.