Designing networked objects to achieve reasonable security
Author(s)Markel, Zane A
Technology and Policy Program.
David D. Clark.
MetadataShow full item record
To maximize the value of the Internet of Things (IoT), developers need to build devices that balance security with features, cost, and usability, relative to the threats that their particular devices will face. However, many IoT devices have thus far failed to achieve this balance. Various organizations have published copious security frameworks to help developers. Of these, frameworks that focus on desirable outcome metrics remain theoretically desirable yet infeasible to use in practice. The other frameworks, which focus on some aspect of the development process itself, are widely used despite a lack of methods for determining their utility. This work introduces six criteria useful for evaluating and comparing these process-based frameworks. Applying them to multiple security frameworks, we find that these frameworks often derive from inflexible conceptions of security, limiting the ability of developers to to vary their security designs. Even when developers are given options, they lack the tools necessary to balance security with other tradeoffs respective to the situations their products will be used in. To begin to address these shortcomings, we propose the Processes for Reasonably Secure Design (PRSD), a novel process-based security framework that helps developers comprehensively and systematically consider the security threats an IoT device may introduce to its surroundings, options for mitigating those threats, and the tradeoffs between those options. To demonstrate its worth, we apply it in multiple case studies. Further, using the six criteria, we evaluate PRSD and find that, in addition to providing useful and novel guidance, it has practical qualities that could make it suitable for many real development efforts.
Thesis: S.M. in Technology and Policy, Massachusetts Institute of Technology, School of Engineering, Institute for Data, Systems, and Society, Technology and Policy Program, 2017.This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.Cataloged from student-submitted PDF version of thesis.Includes bibliographical references (pages 89-99).
DepartmentMassachusetts Institute of Technology. Institute for Data, Systems, and Society.; Massachusetts Institute of Technology. Engineering Systems Division.; Technology and Policy Program.
Massachusetts Institute of Technology
Institute for Data, Systems, and Society., Engineering Systems Division., Technology and Policy Program.