IoT’s lesson from PCI: Commercial motivation is Crucial | Cypress Semiconductor
This is part two of What IoT can learn from the Payment Card Industry
We ended part one discussing the IoT industry’s need to manage the costs associated with security, and how the payment industry addressed this through normalization. However, IoT application and infrastructure fragmentation is much greater than in the homogeneous PCI market. Each component of a total IoT product – cloud platform, connectivity, end application – has multiple variations. AWS or Azure? Wi-Fi or LTE? Thermostat or smart speaker? These variations make it difficult for a normalizing effort for security to emerge. However, there are early signs that progress is being made.
One example of a normalizing force is government-led legislation and policies. In the US, California has made the first move with the California Consumer Privacy Act (SB-327). Similar legislation is being put forth in at least nine other states (as of this writing), adding to the momentum. In Europe, the EU and the European Telecommunications Standards Institute (ETSI) both have active initiatives that are attempting to address end-user privacy.
Industry-led initiatives also have a normalizing effect. One of the more visible efforts is the Platform Security Architecture (PSA) initiative. It is safe to say that the vast majority of IoT devices today incorporate at least one Arm processor. As such, Arm is leading this initiative to make security implementation easy and cost effective for devices that use their processors.
Cypress welcomes these normative efforts. They increase consumer awareness, and they serve to offer commercial motivation in the form of legal compliance and operational expense efficiency. This is important because normative efforts must address commercial motivation to be credible, and therefore to be effective.
These efforts are still taking shape. So, what can a secure IoT solution provider like Cypress offer in the meantime? Our approach is to provide an embedded security foundation that aligns with the commercial motivations these efforts present. Specifically, this means:
- Providing supply chain cost efficiency by offering standard, off-the-shelf secure devices, with customization occurring later in the supply chain. This eliminates the costs of special handling and customized product inventory before devices are purchased. In addition, provisioning occurs as an extension of programming: all MCUs with embedded Flash require programming and already bear the supply chain overhead of that step, so sharing this overhead with provisioning extracts efficiency.
- Supporting any cloud. Maintaining control over data privacy is essential and depends upon managing device and network integrity. Secure device management is a critical capability that tends to have implementation dependencies on the cloud platform, including proprietary platforms. Flexibility here is an important enabler for competitive differentiation.
- Using standardized embedded secure services. Services that are available on the embedded system enable design reuse and provide standard APIs for secure cloud applications such as firmware update. This secure-by-design approach yields efficiency for engineering, for network operations, and for legal compliance.
More specifically, Cypress is tackling this issue with solutions based on our PSoC 64 Secure MCUs. PSoC 64-based solutions have been developed with the entire IoT device lifecycle in mind, and therefore specifically provide the benefits that align with the normative efforts that are underway.
We’re still a long way from the finish line, but Cypress is committed to the cause – your cause! We’ll always be there for our customers and ecosystem partners to ensure their products meet the latest security standards while also aligning to the commercial.