IoT security depends upon protecting data at multiple levels, from the IoT device itself, to the firmware, to the application layer where humans are interfacing with the system. Zeroing in on the application layer, what are some best practices for protecting valuable data?
What Is Application Layer Security?
To understand what the “application layer” is when we’re talking about IoT security, the first thing we need to learn is the Open Systems Interconnection (OSI) model. The OSI model is a conceptual framework that describes all the communication that’s going on in a network system. To illustrate this, the model uses seven layers, which are built on top of one another, starting from the physical layer (labeled number one below).
7. Application Layer
6. Presentation Layer
5. Session Layer
4. Transport Layer
3. Network Layer
2. Data Link Layer
1. Physical Layer
As shown above, the application layer is the topmost layer, built on top of everything from real, physical wires and fiber optic cables in layer one, to data transport protocols in layer four, to serialization of data just below at layer six.
The application layer is the part of this model that humans actually interact with, facilitating communication between a person and a computer over a network. Application layer security simply means protecting this layer and the users who are interacting with it.
Why Do We Need Application Layer Security?
In the OSI model, if one layer of the system is compromised, all of the layers “above” it are also vulnerable, because they’re built on top of one another. If the transport layer is attacked, therefore, the application layer may also be affected. In contrast, however, an attack on the application layer won’t affect the layers beneath it.
But this doesn’t mean that you should leave the application layer wide open to threats — in fact, quite the opposite. The application layer has a wider attack surface because it's intended to be used by people, and will therefore be intentionally exposed to both good and potentially malicious actors. This exposure is a key difference between the application layer and the other layers in the OSI model.
One of the core tenets of information security that you'll need to adhere to when securing the application layer is the CIA triad. While this might sound like something you’d find in a secret government agent’s arsenal, in computer science, it's just an acronym that stands for confidentiality, integrity, and availability. You should have confidence that the data is secret, has not been tampered with in any way, and that it’s available to the people who are supposed to have access to it.
Different kinds of security threats can affect every layer of the OSI model, but the application layer is often subject to distributed denial-of-service (DDoS) attacks, HTTP floods, SQL injections, cross-site scripting, parameter tampering, and Slowloris attacks.
Security Solutions for the Application Layer
How you go about securing your application layer all depends on your specific application. Applications have all sorts of different purposes and uses, so your security needs to be tailored to your unique situation.
Additionally, you’ll need to be aware of the trade-offs that may accompany tighter security measures. More security can mean more costs in data and computing power.
For example — some security solutions, while effective in preventing attacks, may slow your application down slightly. If you’re dealing with highly sensitive data like financial or medical information, this small consequence may pale in comparison to the idea of a security breach.
It’s kind of like putting seven locks on the door to your home instead of the standard single deadbolt. With seven locks, it will take you a little longer to get in and out of your house, but if you live in an area where there have been a lot of break-ins, that trade-off might be worth it to you.
That being said, what are some options you have for securing your application layer?
Application layer security begins with the communication protocol you choose, whether it’s HTTP, MQTT (a popular choice for IoT projects), or one of numerous others. Each individual protocol will have its own methods for performing user authentication — some more secure than others — so it’s important to be familiar with the patterns present in each, so that you know about any security adjustments you’ll need to make.
The HTTP server-based authentication method, for example, is usually frowned upon because it's not inherently a very secure method. If you need more security, you might choose another protocol.
Alternatively, you could keep the protocol but add in a more secure form of multi-factor authentication, like HTTP token-based authentication. With token-based authentication, the application validates a user’s credentials on their first login, then provides the client with a signed token. The client stores the token and then must provide it with every login request, helping to protect against CSRF attacks (where unauthorized commands are transmitted from a user that the application trusts).
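The token flow described above, sketched as an added example (not code from the original article): credentials are checked once, the server issues an HMAC-SHA256 signed token with an expiry, and every later request is accepted only if the signature and expiry check out. The token layout, `login`, `verifyToken`, the user name and the 15-minute lifetime are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo values; a real service loads the key from a secret store
// and keeps a per-user salt and password hash in its user database.
const SIGNING_KEY = crypto.randomBytes(32);
const SALT = crypto.randomBytes(16);
const USERS = new Map([
  ['sensor-admin', crypto.scryptSync('constructed-demo-password', SALT, 32)],
]);
const TOKEN_TTL_SEC = 900; // assumed lifetime: 15 minutes

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (body) =>
  crypto.createHmac('sha256', SIGNING_KEY).update(body).digest();

// First login: validate the credentials, then hand back a signed token.
function login(user, password, nowSec) {
  const stored = USERS.get(user);
  const given = crypto.scryptSync(String(password), SALT, 32);
  if (!stored || !crypto.timingSafeEqual(stored, given)) return null;
  const body = b64url(JSON.stringify({ sub: user, exp: nowSec + TOKEN_TTL_SEC }));
  return `${body}.${b64url(sign(body))}`;
}

// Every later request: check the signature first, then the expiry.
function verifyToken(token, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const [body, sig] = parts;
  const expected = sign(body);
  const got = Buffer.from(sig, 'base64url');
  // Constant-time comparison; the length check avoids a throw on mismatch.
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) {
    return null;
  }
  let claims;
  try {
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) return null;
  return claims; // e.g. { sub: 'sensor-admin', exp: ... }
}
```

Because the signature covers the whole claims body, a client that edits `sub` or `exp` cannot produce a valid token without the server's key.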
Also of note — most protocols will have both a standard version and a secure version. While the standard version will be more lightweight and less secure, the secure version will be more complex, likely based on TLS, and offer more protection.
Follow Best Practices for Encryption
One common misstep in protecting the application layer actually has to do with other layers, like the transport layer.
As mentioned earlier, due to the structure of all the layers, an attack at a given layer can affect all of the layers above it, though not the ones below. And while it’s critical to secure the transport layer and those other deeper layers on their own, you shouldn’t always rely on those layers to handle all your encryption. If for some reason an attacker exploits a vulnerability in the transport layer, like the infamous Heartbleed bug, data not encrypted at the application layer could be suddenly available.
For this reason, it’s always a good idea to follow best practices for encrypting your data at the application layer to avoid unplanned exposure.
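One way to encrypt at the application layer, as an added example (not code from the original article): a telemetry payload is sealed with AES-256-GCM before it is handed to HTTP or MQTT, so the message body stays confidential and tamper-evident even if the transport underneath is compromised. The per-device key, the `sealPayload`/`openPayload` names, the topic string and the `iv | tag | ciphertext` layout are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo key; in practice a per-device key provisioned out of band.
const DEVICE_KEY = crypto.randomBytes(32);

// Encrypt a JSON payload. `context` (for example the MQTT topic) is
// authenticated but not encrypted, so a message replayed on another
// topic fails verification.
function sealPayload(key, payload, context) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(payload), 'utf8'),
    cipher.final(),
  ]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]); // iv(12) | tag(16) | ct
}

// Decrypt and verify. Returns the payload, or null if the key, the context
// or any byte of the message does not match.
function openPayload(key, sealed, context) {
  if (!Buffer.isBuffer(sealed) || sealed.length < 28) return null;
  const iv = sealed.subarray(0, 12);
  const tag = sealed.subarray(12, 28);
  const ct = sealed.subarray(28);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, {
    authTagLength: 16,
  });
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  try {
    const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null; // authentication failed or plaintext was not valid JSON
  }
}
```

The same sealed buffer can be carried over plain or TLS-protected transports; the receiver needs only the device key and the expected context to open it.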
You can also use application firewalls to guard your application layer, plus other layers as well. Keep in mind that most firewalls are built with specific applications in mind, though many firewalls can be configured for multiple applications.
The firewall can control all network traffic on any OSI layer up to the application layer. Basically, it makes sure that weird connections aren’t happening in places you don’t expect, and that all communications are following the desired protocols.
Making it a Reality
Whichever route you choose for application security, based on your own unique needs, make sure that your security isn’t an afterthought. Put the safety of your users — and by extension, your business — first by following these best practices.
If you’re looking for a team who can help you implement strong IoT security protocols during your development project, give the team at Very a shout. In the meantime, check out this handy guide to IoT development, and let us know if you have any questions.