11.2.1 Security Comparison Between Traditional and IoT Networks

It is evident from research that challenges and security issues of IoT and traditional networks vary in various aspects [63, 120]. The IoT involves RFID-based objects and nodes having constrained resources such as minimal CPU speeds and, often, objects are battery powered while as traditional networks such as internet is composed of high-end PCs, servers, smart phones, and tablet computers having abundant resources. Thus, traditional internet can support complex combination of security algorithms irrespective of resource usage and consumption [38, 115]. While as in case of IoT, lightweight algorithms having minimal resource usage that balance between security and computational power need to be implemented. The conventional cryptographic encryption algorithms demand swift computations, so it is not feasible to directly port them to IoT devices [79].

The IoT nodes communicate through slower and insecure wireless medium which is susceptible to data theft, privacy violation and node compromise. In comparison to this, traditional internet involves communication through faster wired medium such as optical fiber which is more secure and reliable. Even in case of wireless communication, the setup is built on top of complex and secure protocols which are not usually feasible with resource constrained IoT nodes. Additionally, IoT devices employ minimal data-rate radio technology for communication across the network. Thus, conventional security policies do not apply to IoT-enabled devices directly due to low-throughput transmission media implications [25].

Although internet consists of heterogeneous devices, but with the abstraction support provided by the operating system, the devices are able to share a common data format across multiple platforms. In case of IoT nodes, no such operating system or common data format exists. The nodes have embedded programs that vary with different chip hardware resulting in heterogeneous data contents and formats.

Table 11.1 shows typical feature difference between IoT and conventional networks.

11.3.1 Security Protocols

Internet Protocol Security (IPsec): At IoT’s network layer, a device can exchange data securely by implementing IPsec in its communications. IPsec forms an integral component in IPv6 as a part of extension header while as in IPv4; it was added as an additional feature in order to augment its security and encryption. The principal objectives accomplished by employing IPsec in smart object communication over an unsecure network are the data integrity, confidentiality, authentication, and protection against replay attacks. The IPsec offers two protocols for achieving security. These are Authentication Header (AH) and Encapsulating Security Protocol (ESP). Both of these standards are implemented as a part of extension headers in IPv6.

Transport Layer Security (TLS): To protect data exchange at transport layer, the TLS protocol is employed. TLS dispenses secure communication via object-based authentication and key interchange. TLS is commonly used for data encryption at the IoT application layer between the IoT applications and the backend server. The encryption can also be extended to other services such as short message communication and VoIP.

Secure Socket Layer (SSL): SSL protocol uses certificates that ensure security, integrity and protect identity of IoT devices. Although there are different varieties of SSL certificates but all use asymmetric encryption to protect the data communication between two sensor objects.

11.3.2 Enabling Technologies

RFID: RFID is the short form for “Radio-Frequency Identification”. In this communication technology, digital data which are concealed in RFID tags are detected by RFID reader using radio signal. RFID technology is analogous to bar-coding in which tag data is detected by a node and is then archived in data warehouse. In fact, RFID provides several merits over other devices that implement bar-code tracking software. The most significant advantage being that RFID tag data identification does not entail for line-of-sight communication. Using Automatic Identification and Data Capture (AIDC) methods, RFID automatically identifies objects, captures information, and stores that data directly into database without any human intervention. The base architecture of an RFID system consists of three main integral elements which include an RFID label, reader, and a communication media. The tags or smart labels consist of a microchip and an antenna to communicate data to the RFID reader. The reader transforms radio signals into readable data format which is then sent through a communication medium to an end computer system where data is archived in a database. In contrast with other available techniques, RFID offers optimized scanning, reliability, reuse, huge storage, non–line-of-sight communication, security, etc. Thus, RFID is an optimal choice to be used at IoT perception layer in order to identify, track and exchange data between objects in real time.

“Constrained Application Protocol (CoAP)”: CoAP is a messaging standard hinged on REST (Representational State Transfer) architecture designed for low power and computationally constrained devices in order to operate in an IoT environment [19, 29]. CoAP is developed by IETF core working team and is enumerated as RFC 7252. CoAP was designed to enable M2M communication between constrained devices and networks having low bandwidth and availability. As most IoT nodes are resource constrained, HTTP cannot be operated in such an environment owing to its complexity. To vanquish the challenge, CoAP has evolved as an alternative to HTTP operations in an IoT network. The CoAP protocol underpins features such as group communication including push notifications, communication with HTTP, resource identification, and security [145].

Wireless Sensor Network (WSN): A WSN form an integral part of an IoT network. A WSN is a network of sensor devices that can transmit the monitored information through wireless links. The data gets transferred using multiple nodes which are further connected to other sensor networks via gateway. The sensor network typically consists of a single base station and a set of wireless nodes which are used to scan and monitor the status of devices and transmit this status data to the base station or sink nodes. The WSN connects the line between virtual world and physical world and dispenses features such as scalability, robust reconfiguration, minimized cost, and minimal energy consumption. Both RFID and WSN are employed for data collection in IoT; however, the RFID is mainly operated for object tracking, while as WSN is mainly used for the sensing of real-world physical parameters inherent in the neighboring environment.

IEEE 802.15.4: The IEEE 802.15.4 is a protocol designed by IEEE 802.15 working scientists which expounds the working of low-rate wireless personal area networks (LR-WPANs). The protocol identifies the physical and the Media Access Control (MAC) layer for wireless personal area networks (WPANs). This standard underpins protocols such as Zigbee, 6LoWPAN, MiWi, and Wireless-HART, each of which further define the upper layers of the standard. The IEEE 802.15.4 standard aims to dispense minimal rate connections in personal area networks with minimal cost and power consumption. IEEE 802.15.4 protocol stack is analogous to the layers of OSI model wherein each layer implements a predefined function and lower layers pass the data and control information to the upper layers.

6LoWPAN: 6LoWPAN standard aims to carry IPv6 datagram’s with IEEE 802.15.4–based communication networks. The protocol dispenses E2E IPv6 connectivity, thereby providing direct communication with varied networks including internet. 6LoWPAN employs header compression technique for IPv6 datagram’s that are motivated by constrained space offered by 802.15.4 frames to encapsulate IPv6 data packets. The encoding formats for compression are defined by 6LoWPAN itself due to the fact that certain fields are implicitly available to all network nodes or can be implied from MAC layer. 6LoWPAN offers number of advantages such as minimal packet size, low power, and optimized bandwidth utilization.

Zigbee: Zigbee is a wireless protocol hinged on open standards designed to bridge requirements of low-cost and optimized energy IoT networks. This protocol works on IEEE 802.15.4 physical radio guidelines and using unlicensed bands such as 2.4 GHz, 900 MHz and 868 MHz. The Zigbee technology focuses on short-term communication utilizing low power and energy and dispensing high reliability and security. Similar to TCP/IP model, Zigbee operates using five layers which are physical layer, the MAC layer, the data transmission layer, the networking layer, and the user interface/application layer. For network configuration, Zigbee supports topologies such as Star and Mesh.

Z-Wave: Z-wave is wireless communication technology commonly used in designing smart home networks thereby permitting the smart devices to communicate and interact with each other and also interchange control messages and data. With duplex communication and data acknowledgement system, the Z-Wave protocol standard eases out power consumption issues and delivers low-cost wireless networking. Thus, offering a low-power and long-range alternate solution to Wi-Fi and Bluetooth. One important thing to note in Z-wave network is that only 232 nodes (slaves), all having routing capacity can be connected at a time which are managed by a controller node. The controller is also responsible for updating routing table which is stored in the memory of each slave. Although both Zigbee and Z-wave provide short range wireless data communication, however they differ in the frequency band in which they operate. The Zigbee operates at 2.4-Ghz frequency band in the physical layer while as Z wave frequency band is less than 1 Ghz.

MQTT: Based on publish/subscribe method, MQTT is a short message standard which is employed for acquiring sensed data on deployed sensors and further transmission of this data to the server. MQTT is primarily designed for networks suffering from low bandwidth and latency. MQTT finds implementation at various platform levels and thus plays a substantial role in connecting IoT with the global internet.

Extensible Messaging and Presence Protocol (XMPP): Hinged on XML streaming protocols, XMPP is an instant messaging protocol. Due to inherited features from XML, XMPP dispenses greater extensibility, addressing and security features. The protocol can also be employed for applications such as multi user chatting and voice including video streaming. XMPP protocol supports three main functional components: client, server, and gateway and also inter communication between them. With XMPP integrated in IoT, object to object communication is possible based on XML supported text messages.

Data Distribution Service (DDS): The DDS protocol is a publish/subscribe-based standard underpinning highly effective device-to-device communication and suitable for constrained IoT communication. Designed by Object-Manage-Group (OMG), the protocol is highly data dependent and supports multicasting to achieve perceivable quality of service and reliability. Table 11.2 lists the characteristics of various enabling protocols and technologies.

11.4.1 Data Perception/Acquisition

This layer composes of deployed sensor network which include perception or wearable data acquisition things which perceive, measure, and store healthcare information of patients. These wearable devices track and sense critical patient parameters including temperature, blood pressure, and heart rate and record this data remotely in a backend database [96]. This recorded data is heterogeneous in nature and varies across diverse patient groups and cases. For instance, in heart disease patients, measuring ECG data, saturation of O₂, and pulse rate points to one of the basic components in the diagnosis of any heart related disease symptoms [44]. Similarly, for diabetic patients, measuring blood sugar levels periodically is very important. For applications that support the idea of ambient-based living or AAL in old people, monitoring and tracking their activities repeatedly is required [36]. Many application programs underpinning AAL are equipped with accelerometers and gyroscopic sensors that aid in medical data collection and tracking [121]. These sensors are usually classified into two categories: invasive and non-invasive sensors. Invasive sensors are permanently installed inside the patient’s body and usually have better performance than non-invasive sensors due to the fact that they are in close proximity with the patient’s body. However, these are not usually preferred by the elderly patients due to discomfort unless the issue is complex and severe in nature [5, 56]. In comparison, non-invasive sensors are usually preferred and are wearable on hand, forearm or any other body part of the patient. Some sensor-based application use actuators for generation of alerts if they sense or record any change with respect to physiological parameters of the patient [131]. The research community has been actively engaged in the design and development of intelligent body sensors which broaden the application area of CloudIoT-driven healthcare framework [101]. These body sensors generate massive volumes of data that require substantial amount of storage. One of the key considerations for the design of data acquisition layer is the cost implication, energy utilization and data transmission capacity of the network. The body sensor network design needs to be ad hoc, light, agile, and flexible in nature for accommodating any change [10, 103].

11.4.2 Data Transmission/Communication

The data communication level facilitates transmission of medical data to remote databases for archival storage [66]. The layer also provides seamless access to the vast collected data available in the cloud repositories [151]. This layer is assigned the task of communication of collected medical data of patient confidentially to an end healthcare data server. The data transmission occurs at the local as well as the global level. For local communication and for activities that involve monitoring and scanning the environment, wireless communication protocols such as Bluetooth and Zigbee are implemented. These protocols facilitate transmission between the data perception level and concentrator [12, 53, 125]. The wireless protocol such as Bluetooth is used for short range transmission having an working frequency as 2.4 GHz and offers a lost cost solution with economical energy consumption [125]. A similar communication standard like Zigbee protocol which is although not so popular as Bluetooth offers decent and reliable transmission of data. The alternate transmission standards employed at this level include RFID-based communication, “Near Field communication” (NFC), and “Ultra-Wide Bandwidth” (UWB) communication. RFID supports duplex mode of data transmission involving RFID tag and reader. In long-distance transmission, the information available in the concentrator is forwarded using the Wi-Fi or mobile data internet to the Cloud or Healthcare Organization (HCO) for long-term storage [23, 88]. The mobile data protocols such as 4G and LTE are utilized in varied health surveillance and communication devices. The data communication layer also underpins low-power hardware devices which include Arduino and Rasberry Pi that underpin IoT service deployment environment. These applications involve varied data crunching tasks that run on devices such as mobile phones, tablet computers, and microcontroller-based devices [49].

11.4.3 Cloud Storage and Warehouse

The CloudIoT-driven healthcare devices link heterogeneous things that transact considerable volume of bio-medical data and thus entail for efficient storage space and mechanism [148]. The Cloud processing layer involves three basic functionalities which include archival data storage, processing, or computation on stored data and finally analysis or mining data for information [85]. The Cloud service providers including “Google Cloud”, “OpenIoT”, “Amazon”, “Thing-Wrox”, and “GENI” provide an excellent interface for long-term storage of patient’s biomedical information and provides an interface to healthcare professionals to access this data pervasively for mining and data analytics. The data analytics helps the medical practitioners in better disease diagnosis and prediction and thus helps realize the concept of smart e-healthcare including generating alerts and notifications [31]. In addition, this layer also provides various data visualization tools which enable physicians to present and conceptualize data in a given format.

11.4.4 Data Flow in Healthcare Architecture – A Conceptual Framework

Connecting technology with healthcare is an important challenging area of research and development [27]. Though this area has seen technological surge in recent years, however, planning and decision making process of medicos still counts on manual and traditional record system [13, 102]. To achieve an optimal, reliable, and secure healthcare framework is a daunting and challenging task [14]. The transaction of medical data is restricted between the health department and its subsidiaries. The other entities in the system such as clinical doctors, patients, HCO, and laboratories have no provision for sharing or access to this data. The CloudIoT health provides an underlying platform for guiding healthcare system to focus their resources on augmenting patient care by efficacious disease monitoring, timely diagnosis and cost effective treatment [150]. The CloudIoT improves traditional healthcare system by employing bio-sensors and RFID-enabled devices [40]. These devices and sensors enable real-time patient tracking, identification, diagnosis, and treatment and also in some cases, dispensing of medical supplies and drug management [133]. The CloudIoT-driven healthcare effectively connects patients, sensor objects, and network and checks for optimal medical waste management [30]. Recent advances in low-power devices have enabled the design of pervasive health framework [43, 62]. In healthcare, sensor networks have been replaced by a novel idea known as Wireless Body Area Networks (WBAN) that realizes the concept of e-health [24]. A WBAN integrates number of sensor devices for health surveillance which measure health parameters and report medical status of patient. The CloudIoT-driven health supports diverse services such as e-prescription system, “Electronic Health Records” (EHC), “Personal Health Records” (PHC), data analytics and decision systems, and drug recommendation system. These applications cater to varied stake holders which include patients, medical teams such as doctors, testing laboratories, and chemists across diverse interfaces offering a range of services [116].

To understand the working of a typical CloudIoT-driven healthcare system, let us consider a use case scenario as shown in Figure 11.7.

The figure depicts various entities and identifies actors involved in the healthcare system and illustrates the data transaction among the processes. For instance, the patient can wear a body sensor that monitors and collects biomedical data. These bio-medical sensors are deployed either as invasive or non-invasive implants on a human body. These sensors can also be placed as an ornament or also placed inside patient’s clothing including footwear. These sensors work autonomously and are proficient enough to sense, monitor and record physiological parameters and transmit them over a wireless medium to backend database or cloud. The biomedical sensors are also equipped with GPS facility which enables them to track patients location and precisely determine their physiological and activity state, i.e., whether a patient is walking, sitting, running, or doing some other physical work. This collected data is then uploaded for archival storage in the cloud and can be accessed via an Electronic Health Record system (EHR). The EHR is maintained separately for each patient, which can be accessed ubiquitously and pervasively from any given location. This EHR is further shared among the medical team and clinical experts seeking their opinion as well as analysis. The medical team such as surgeons, doctors, and lab technicians access EHR and dispense prompt and timely patient treatment. The lab professionals would store MRI scans, X-Rays, and serum reports in cloud database or EHR after proper consent and permission from the patient. This EHR could be shared via cloud platform with other medical experts across the globe for their expert opinion and diagnosis, and hence, the patient could benefit with their prompt suggestions with shorter turnaround time period. Further, the clinical professionals can suggest certain drugs and emergency medicines which should be readily stocked at the pharmacy warehouses. The pharmacist can beforehand make those drugs available so that any shortage in future could be avoided. Additionally, the pharmacist can study the medical profile of a patient available to him via EHR for any allergic reactions, before he recommends or issues any drug to the patient. In the same way, the hospitals and nursing care institutions dealing with an exigency case such as accident can check patient’s blood group, medical history and other pre-conditions before operating with any medical treatment. All this sensitive information would be available pervasively via EHR stored on the cloud and can be accessed from anywhere across geographical boundaries. Using CloudIoT healthcare system, e-health record of patient which includes medical history, serum sample reports, body scans, and information regarding allergic reactions can be available in digital format and can be accessed in a ubiquitous manner under secure authentication policies, thus implementing the idea of smart health management system.

11.4.5 Design Considerations

The wearable things that monitor and archive patient’s bio-medical data consist of low-power sensors, small microcontroller chip, and a data transmission [26]. However, putting on bio-medical sensors by patients pose quite limitations on the overall design of bio-medical sensors [41, 122]. As an example, the sensors need to be light, minimal in dimension, and should not pose any hindrance to physical mobility of patient. The patient’s should feel comfortable while wearing these devices and should not affect their daily work routine. One of the critical design considerations is regarding the energy efficiency of the sensor. These sensors are usually battery powered and thus have limited operational working capacity [30]. Though sensor batteries are recharged or replaced, however the prototype should guarantee that no information is deleted during idle transition periods. The sensor design must ensure that they are able to work for extended time periods without any downtime or idleness [126].

Nowadays, research has focused on designing low-power sensors that can augment the working lifespan of the wearable sensor devices [101]. One of the feasible steps toward achieving this would be to harness other sources of power such as solar energy [103].

A similar feasible approach involves designing programmed intelligent sleep procedures for sensing nodes [31]. The programmed routines would force the sensor device to go into inactive stage when no perception task occurs during particular time period. If an external event occurs in the environment, the sensor would be triggered automatically to work again. Additionally, the sensor devices can be turned on/off based on relative importance of a task, its usage and patient’s current health status. As an example, in particular cases, when power usage is severely limited and health status of person requires working of only one particular bio-sensor, the other sensor devices attached with the patient could be turned off or put into sleep mode to conserve energy and increase working lifespan [127].

As data transmission consumes considerable energy, the limited battery power in sensors also entails for the design and usage of low energy consumption protocols. One of the efficient protocols for low-power communication is Zigbee using IEEE 802.15.4 which is usually utilized in “Low Rate Wide Personal Area Networks (LR-WPANs)”. This protocol supports communication between sensors that operate in the radius of 10 mts (10m). The Zigbee standard underpins reliable fully connected networking with optimal power usage.

Bluetooth Low Energy (BLE) is another wireless communication standard protocol that operates with minimal power and enables short range sensor communication [125]. BLE works in the similar fashion as traditional Bluetooth standard (IEEE 802.15.1), however augments the overall communication efficiency by enforcing programmed sleep routines to optimize power usage. BLE achieves reasonable accuracy with precision.

To further optimize communication, “IPv6 over Low Power Wireless Personal Area Networks” or 6LoWPAN is currently employed to achieve seamless data transmission in energy constrained devices [31]. 6LoWPAN breaks down IPv6 datagram’s in smaller fragments which are put as a payload in restricted IEEE 802.15.4 frame in order to achieve network connectivity.

The limited battery life also proves to be a bottleneck in determining data quality aggregated by a particular sensing node. The sensors need minimal power threshold to operate, however, if the system fails to maintain the minimal power threshold, then the sensor device may malfunction.

The sensor devices are capable of recording data efficiently and accurately when proximity with the patient’s body is close [127, 141]. Most of the sensors available today are non-invasive sensors that with greater accuracy and precision [15, 32, 80].

One of the essential considerations for designing an efficient healthcare system is to offload and migrate complex computations and processing from sensor nodes to the cloud platform [136]. Cloud platform provides substantial computational processing and humongous warehouse capacity that increments the limited sensor resources, thus dispensing optimal interface for ubiquitous communication [3]. The processing capabilities of Cloud can further be augmented by implementing the concept of Fog computing. The Fog layer offers a feasible interface for low latency in real-time and sensitive services like healthcare. The Fog also acts as an intermediate component for performing complex operations before actually moving the data to the cloud.

An essential and sensitive design consideration for healthcare framework is the ability to maintain confidentiality of patient and ensure safe and reliable information storage in Cloud [94, 112]. When sensitive medical data is transacted in the CloudIoT environment, robust security and efficient privacy procedures need to be operated so that no information is openly susceptible to abuse by malicious users. The data needs to be protected from unauthorized and illegitimate access. This implies applying feasible authentication and authorization policies and firewall rules that secure access to the data [39]. To encrypt data, light weight and low-power consumption cryptographic algorithms like Elliptic curve cryptography (ECC) should be applied.

11.5.1 Security Characteristics and Objectives

The CloudIoT enables information communication between interconnected sensor objects and remote systems to attain certain predefined objectives. For a secure communication in hostile scenarios, it is quite evident that security principles such as confidentiality, authenticity, privacy need to be protected [113, 115]. However, with limited security infrastructure and constrained resources, the models demand restructuring of existing security tools and algorithms to achieve perceptible security goals [22, 124]. The security framework should be imposed in CloudIoT throughout its developmental and working lifecycle [62]. Some of the secure principles that need to be practiced include the following:

• – All installed software on CloudIoT platform should be authentic and robust.
• – The initialization of IoT devices should be authenticated with the network servers before the device starts data perception and transmission.
• – There should be periodic security updates on CloudIoT devices in order to plug security loopholes; however the process should not consume additional network bandwidth.

The following security parameters as depicted in Figure 11.8 need to be safeguarded for secure transmission between IoT and Cloud platform.

11.5.2 Security Vulnerabilities

Security loopholes inherent in CloudIoT model involve problems in IoT sensor network including those immanent in the Cloud platform [12]. This section first highlights security vulnerabilities ingrained at each level of IoT model and thereafter draws attention toward vulnerabilities inherent in Cloud architecture. Figure 11.9 depicts list of CloudIoT vulnerabilities.

11.6.1 Security Countermeasures

For seamless integration of two disparate technologies, i.e., Cloud and IoT, the security framework should cover both these platforms. However, this security framework should ensure that principles of authentication, integrity and confidentiality are not violated. In this section, we discuss research highlighting security vulnerability awareness and various security counter measures that handle varied security threats.

11.6.2 Security Considerations

Given the fact that collaboration of IoT and Cloud, i.e., two varied technological platforms will outpour security issues considerably, thus impregnable defense policies are required for averting threats [22, 23].

While designing the security for CloudIoT platform, the security of entire whole system should be taken into consideration [109]. The security setup however cannot be built by simply deploying solutions at each layer of the architecture together. Different CloudIoT applications such as smart home, traffic management, and intelligent healthcare entail for diverse heterogeneous security solutions [25, 65]. For example, for intelligent traffic management and smart healthcare, data privacy is of utmost importance [66]. However, for applications such as smart city and smart environment monitoring, data authenticity needs to be ensured [24]. This implies that every applications demands different level of security to be enforced. Applying security at only one level will not cater to the security requirements at other levels. For example, if a system has weak security applied at the application level, no matter how much strong security we implement at the lower levels (such as perception level); the system would still be insecure. Thus, we need to design a system that provides cross layer security and helps integrate the system as one entity [111]. The security systems should be designed keeping cross layer heterogeneous integration in mind [69, 121].

The security framework should also take into consideration security challenges in IoT as well as those inherent in Cloud platform [22, 97]. As an example, in order to avoid illegal access to a sensor node, strong authentication measures should be put into place. Also, strong cryptographic encryption should be practiced to guarantee data confidentiality. To ensure this, advanced encryption algorithms such as ECC should be practiced. This should be coupled with efficient key exchange policies [124]. As IoT sensor nodes are driven by batteries, thus to maximize their working time period, efficient power utilization mechanism like programmed sleep procedures should be executed so that nodes do not drain the limited battery power. Additionally, other renewable sources of power generation for IoT such as solar energy should be harnessed. Table 11.6 lists the various energy drainage factors of sensor nodes along with their potential solutions. To check for physical damage to sensor objects, it is recommended that periodic watch and monitoring needs to be implemented at remote deployed site. To prevent network-based attacks like DoS and DDoS, the optimal policy could be firewall implementation and access methods. The security at the network layer can be viewed from two perspectives: wireless and wired security. To ensure security via both communication mediums, development of authentication protocols and key management is one of the essential components. Protocols such as SSL/TLS need to be employed to encrypt the communication link. Additionally, for IP security, IPsec-enabled communication needs to be practiced. This will ensure that data authenticity, confidentiality and integrity are maintained at each layer. Before establishing a new network, guest access and default passwords should be disabled and cleared immediately in routers and gateways. Ensuring periodic password changes, applying strong passwords with alphanumeric characters and numbers should be practiced. For mitigating replay attacks, synchronized timestamp techniques should be practiced. In general, it is recommended that cryptographic algorithms that dispense E2E security need to be implemented. It would ensure that data authenticity, integrity and genuineness is maintained [124]. To protect security threats at the Application layer, the mitigation policy would be writing secure programming algorithm and implement malicious script identification procedures. For sanitizing vulnerable scripts, code rewrite techniques should be implemented.

To secure data at the cloud platform, client access should be authenticated and authorized with no room for illegitimate access. The fundamental step toward this is to ascertain that only legitimate users get access to critical information perceived by sensor objects. The entails demand for defining the required physical identity and platform access policies. Any client nodes trying to access cloud should first identity and authenticate itself with the platform. Once authenticated, access may be given; however, the access may be restricted depending upon the user and mode of operation desired. Since cloud offers pervasive access to the users, the security professionals need to implement concurrency control measures so that data is not corrupted and redundancy operations could be avoided. Also, to ensure data security, approaches like multimedia compression, image stenography and compression, water marking, cryptography, and session timers should be practiced [123].

To track cybercrimes aimed at CloudIoT platform, the efficient solution would be to log every action on the cloud platform. This logged record can be checked in future to detect for any anomaly. Logging also enables the cyber forensic investigators to check and ascertain which operation went wrong so that it can be rectified. The Cloud as well as IoT are two completely different heterogeneous interfaces, and thus, to dispense optimal level of security is a daunting job for security researchers.

11.7.1 Security Architecture

The CloudIoT integrates varied objects, platforms and standards to realize certain goals. However, to fuse smaller micro frameworks for designing a larger framework entails for following well defined standards. The CloudIoT security framework demands data models and standard security protocols that underpin diverse range of devices, platforms and operating systems [76].

As CloudIoT security threats vary from application to application, so are their specific solutions. Different applications demand diverse solutions and security requirements. Thus, single security framework cannot provide solution to all application contexts [78]. However, what is required is to design an abstract security architecture that features similarities among the applications till a concrete security model comes up. This model hides the differences between different applications and offers an interface that highlights similarities.

11.7.2 Resource Constraints

The constrained power of sensor devices are the major bottlenecks in designing a vibrant and powerful security system for CloudIoT [109]. In contrast to traditional security systems, the cryptographic and encryption systems need to scale down and work with minimal features for working under these limitations. In addition to this, resource limitation also causes minimal broadcast or multicast of keys and certificates, access control and authentication as well as intelligent communication and storage of data that consumes less power.

However, this demands revamping of existing protocols and employing light weight cryptographic encryption algorithms such as ECC. The focus should also be on exploring and harvesting alternate energy sources such as solar power [74]. The applications computational and security requirements can also be broken down into several levels. Each level runs a different set of algorithms which have different energy requirements. In this way, some levels would consume less power while some need to be optimized.

11.7.3 Heterogeneous Data and Devices

The CloudIoT systems generate humongous volumes of data also known as big data. Research should focus on developing ways and techniques for efficiently handling this massive data volume [45]. Also, secure protocols and algorithms need to be developed that can effectively protect this data and comprehensive security solution is put into place. Also, multilayer and cross platform security framework needs to be employed for heterogeneous devices ranging from low-power sensors to high-end server systems. The security framework should be dynamic and should adapt itself to the existing resources.

11.7.4 Protocol Interoperability

To develop a global standard security framework for CloudIoT, the protocols functioning at various layers of IoT as well as Cloud need to interoperate and communicate with each other [115]. This entails designing conversion routines and dialog controllers. However, the interoperability design should take into consideration the architectural limitations and constraints. With heterogeneous networks such as CloudIoT, the security framework becomes vulnerable to a single point of failure [12]. Most of the data in the network gets transacted through a central controller node. If that node is compromised, then the security of entire network is at stake. It is thus required to introduce some amount of redundancy in the network while maintaining and balancing reliability and cost.

11.7.5 Trust Management and Governance

The level of compatibility in the network and flexible expansion capacity of a sensor device helps it to decide other trustworthy nodes in the network. This decision can be quite challenging because it is arduous to distinguish between a genuine and a rogue node in a pervasive and wireless environment such as CloudIoT. The IoT device must also not reveal identity to adversary that could prove fatal to the system. What is required is a robust and pliable authorization mechanism that performs identity management and grants access to the legitimate devices in the network. However, the identity management should be properly encrypted because the process is susceptible to interception by malicious users which can leverage man-in-the-middle attack and imperil entire CloudIoT architecture [9].

The actual security and control of the CloudIoT network is determined by the degree of governance. The security of the network and level of governance are directly proportional. If more control and monitoring mechanisms can be employed, then the network would become more secure. This implies that if every data transaction in the network is monitored, then any malicious activity would get easily detected and tracked. However, the amount of monitoring and surveillance should be balanced as it should not amount to the level of nuisance and uneasiness for user’s privacy.

11.7.6 Fault Tolerance

The CloudIoT systems and objects should possess a certain degree of fault tolerance and self-repairing ability. These defense mechanisms should allow the device to recover from any possible damage on its own if the threat is not so severe. Different options are available for a device; for example, one way would be to report in case of intrusion to the central controller node or backend server. Another approach could be to lock sensitive operations and shutdown the entire system. However, there has to be a balance so that normal working of the node is not hampered. The decision depends upon the conditions and level of severity of the threat. In some other scenarios, complex approaches may be required.

11.7.7 Next-Generation 5G Protocol

For fully exploiting the potential of CloudIoT platform, Ipv4 will shortfall and lack behind in assigning IP address to each and every connected device. This is the prime reason for the genesis of Ipv6 which has 3.4 x 10³⁸ addresses; enough to cater every connected device on earth. However, such a large address space and connected devices will generate large volumes of data that can draw network congestion and delay. Also, substantial bandwidth is required to support seamless access to internet for connected devices. The new generation communication protocol, i.e., 5G is expected to provide speeds of up to 800 Gbps. When compared with 4G which offers speed up to 1,000 Mbps, 5G is expected to efficiently manage traffic generated by connected devices in CloudIoT network. The 5G network is also expected to facilitate Ipv4 to Ipv6 migration by implementing inherent framework translation. The 5G security and implementation is one of the hot areas of research today and must be extensively studied [109]. The adoption of 5G network will completely realize the concept of CloudIoT.