Tuya Smart (NYSE: TUYA, HKEX: 2391), a global IoT development platform service provider, was named as an exemplar of cybersecurity best practice in the 2022 Global IoT Security White Paper.
The White Paper applauds Tuya Smart for its holistic approach to cybersecurity leadership, specifically for acquiring international third-party security certifications, establishing the Tuya Security Team, creating secure and independent data storage centers, and developing innovative security products in-house: Tuya Sage, a security-operation platform solution designed to help developers eliminate security risks, and WBR3N, the first IoT module of its kind with a built-in secure element (SE) and Common Criteria (CC) EAL6+ certificate.
The 2022 Global IoT Security White Paper was jointly prepared by the Research Center for Cyberspace International Governance (“RCGCG”) and the global standard for IoT security, ioXt Alliance. The White Paper was written with input from scholars in cybersecurity and Sino-U.S. technology at the Stimson Center, Albright Stonebridge Group, Stanford University’s Cyber Policy Center, Yale Law School, MIT Computer Science and Artificial Intelligence Center, and more. It is the first prominent white paper to focus on global IoT cybersecurity and includes case studies and best practices from global IoT leaders and 12 suggested initiatives to strengthen global IoT security.
To view the full 2022 Global IoT Security White Paper, please visit: https://www.ioxtalliance.org/content-and-resources
Expert in-house InfoSec team, numerous third-party certifications
The White Paper states that enterprises should focus on enhancing cybersecurity, assemble security teams, improve information-security systems, strengthen corporate-compliance capacity and eliminate IoT system security risks by perfecting management models, processes, tools and platforms.
The White Paper research group commended Tuya Smart for building an in-house security team and for partnering with top international third-party institutions. The Company’s in-house information-security team secures its data from cradle to grave, safeguarding the software development life cycle (SDLC). The information-security team creates security classification standards for smart hardware devices, compiles security-test cases to ensure the defense of the technology, and protects the code of the firm’s software during the development phase.
Cooperating with top international third-party institutions in security assessment and certification is a best practice in the global IoT industry. Tuya Smart has met or surpassed most global information security standards. This includes an endorsement from the well-known international organization, Information Security Organization (“ISO”) certification of SGS, BSI's ISO27001 standard for information security system, ISO27017 standard for cloud security management system, ISO27701 standard for cloud platform privacy and security, and the Connectivity Standards Alliance (“CSA”) STAR cloud security certification. The Company is a recipient of TrustArc's Enterprise Privacy Certificate (EPC) and regularly partners with Rapid7, wizlynx group, ScienceSoft, Chaitin Tech, DAS-Security, and UnderDefense to test Tuya's information security capacity with professional penetration testing.
IoT enterprises can ensure their products meet fundamental international safety standards by submitting relevant certificates. When it comes to product safety standards, Tuya Smart has passed TÜV SÜD's EN 303645 and NIST IR 8259A certifications. In 2021, Tuya announced a partnership with ioXt Alliance to improve hardware developer security and launched a certified components program.
“ioXt Alliance is thrilled to cooperate with Tuya to increase IoT security adoption. With a global leader in IoT like Tuya wrapping ioXt’s Certified Components Program into its platform, Tuya and ioXt can make devices more connected and smarter,” said Craig Miller, Director of Intellectual Property at ioXt. “With the assurance of the ioXt security certificate, Tuya ecosystem members and customers can enjoy the highest level of IoT services and security,” concluded Miller.
Secure and independent data centers
The White Paper noted Tuya’s security and quality assurance across global data centers. Tuya owns six data centers that provide speed and stability for customers around the world. Each data center operates independently. Concerning regional compliance, Tuya Smart has passed Ernst & Young's SOC 2 Audit as well as TrustArc's GDPR and CCPA regional compliance validation.
While Tuya neither directly faces consumers nor stores consumer-end data, one of its core missions is to protect businesses’ customer data and provide secure systems to store user data. Tuya has strict internal regulations, a clear access-control strategy and a robust technological architecture.
Initiatives to safeguard the global IoT industry
To accelerate the construction of IoT security systems and improve the governance level of IoT security, the White Paper proposes 12 relevant measures to enhance public confidence, advance governance efficiency, encourage the innovation of IoT enterprises, and deepen the development of the global digital economy with IoT. Some of the key measures highlighted in the White Paper are below:
With siloed and fractionalized IoT ecosystems, countries and transnational IoT enterprises should embrace global cooperation, develop mutual trust across the cybersecurity sector and work to remove obstacles that are stifling mutual confidence.
Building a safe, secure and robust IoT ecosystem is crucial for its long-term growth and sustainability. Relevant parties should make full use of third-party testing and certification institutions, prioritize suppliers with cybersecurity-protection capacity, and form an IoT supply chain built on a zero-trust security model, to elevate security-protection capacity and to provide users with security commitments on products and services.
Weak consumer awareness paired with vulnerabilities on connected consumer devices poses a large threat to the industry. According to a December 2020 study on corporate IoT devices from Zscaler, a leader in cloud security, 76% of surveyed devices were still communicating on unencrypted plain-text channels. Companies and organizations in the IoT industry should increase cybersecurity knowledge through public awareness campaigns and training, so that users can fully understand cybersecurity risk and operate IoT devices in a safe and responsible way. Through cooperation at all levels and with leadership from IoT enterprises, the industry can make headway in effectively protecting personal privacy and data security.