I have been a little bit surprised to hear during travels and events, or even within private meetings, that security certification for IoT devices is too expensive and in a way not a strict business requirement. Such statements can be refuted by basic economics, and explained by simple sociological considerations. At its very core, certification is a substitute or at least a complement for trust in business relationships. Certification brings trust so that an insurance company can pay the customer back when a credit card has been stolen. Certification brings trust so that an operator can allow a connection to its network through a SIM card. Without certification, there is no established and documented trust. Without trust no one wants to be liable for a given business risk. In the end, the cost of certification is far less than the volume of business it enables and the margins that are derived from it.
IoT devices generally do not depart from this rule. There are low value applications for IoT devices and services: a T-shirt that flashes messages from your mobile phone may not need security or certification (although why not…). But as soon as IoT is considered a technology that unlocks insights for customers and enterprises - by connecting sensors to business applications - a certified root of trust is mandatory. Digital medicine, water networks, fleet management applications all rely on such insights, and IoT unlocks new value and tremendous business opportunities in those markets. If IoT sensors, devices and gateways do not come with certified security, then the chain of trust cannot be established to your applications. This is not an acceptable outcome for business operations today, and there is no reason to think that companies will lower the bar as they bring IoT data into their processes.
Overall – there is a relevant and challenging discussion to be had about the ease and reusability of security certification for IoT products. The costs of certification need to be made clear and optimized – through the availability of protection profiles and security targets, through modular certification in particular. But the basic requirement for certification cannot be ignored unless one is ready to jeopardize the existing trust principles that hold businesses together.
The Oracle Java Card™ platform powers certified secure elements and certified applications, allows reuse across IoT Device Edge products, and brings trust to IoT. On that subject, the Java Card Forum published a whitepaper (co-authored by Oracle) outlining the increasing role of Java Card in End-to-End IoT solutions.
Among the topics covered in this document:
You can download this whitepaper for free today, from the Java Card Forum website.