Cloud Security Alliance’s New Internet of Things (IoT) Security Controls Framework Allows for Easier Evaluation, Implementation of Security Controls within IoT Architectures
February 1, 2021

The Cloud Security Alliance (CSA) announced Internet of Things (IoT) Security Controls Framework Version 2 and the accompanying Guide to the Internet of Things (IoT) Security Controls Framework. Created by the CSA IoT Working Group, the updated Framework includes several significant changes, most notably the development of a new domain structure and infrastructure. Together with the companion piece, the Framework will make it easier for organizations to evaluate and implement security controls within their IoT architecture.
“Enterprises are finding themselves in a position where they must not only adopt new IoT technologies but plan for accessible, secure, and resilient deployments. Not an easy task given how quickly these technologies and new threats are evolving,” said IoT Working Group Co-chair and lead author Aaron Guzman, product security lead, Cisco Meraki. “The Framework provides a starting point for organizations looking to better understand and implement security controls within their IoT architecture.”
The IoT Security Controls Framework, first released in early 2019, introduced 155 base-level security controls required to mitigate many of the risks associated with an IoT system that incorporates multiple types of connected devices, cloud services, and networking technologies. Today, it continues to be used by system architects, developers, and security engineers in evaluating their implementations’ security as they progress through the development lifecycle to ensure they meet industry-specified best practices.
“As the IoT market continues to grow, so, too, is an overall reliance on IoT-generated features and data. With this framework and guide, it was our intention to provide enterprises with direction on how to create a safe IoT environment with security that both addresses the unique risks involved with IoT and employs appropriate implementation mitigation measures,” said Brian Russell, IoT Working Group Co-chair and one of the paper’s lead authors.
The most significant changes in Version 2 include:
- Updated security controls: All controls have been reviewed and updated for technical clarity.
- New domain structure: Control domains have been reviewed and updated to better categorize each control.
- New legal domain: Introduces relevant legal controls.
- New security testing domain: Introduces security testing of architectural allocations.
- Simplified infrastructure allocations: Device types have been consolidated to a single category to simplify the distribution of controls to architectural components.
Applicable across many IoT domains, ranging from systems processing only “low-value” data with limited impact potential to highly sensitive systems that support critical services, the Framework lets system owners classify components based on the value of data being stored and processed and the potential impact of various physical security threats. Once identified, security controls can be allocated to specific architectural components, including devices, networks, gateways, and cloud services.
The CSA IoT Working Group develops frameworks, processes and best-known methods for securing these connected systems. Further, it addresses topics including data privacy, fog computing, smart cities and more. Individuals interested in becoming involved in future IoT research and initiatives are invited to visit the Internet of Things Working Group join page.