IoT needs security, but security radically different from information technology. IoT devices can’t have security “bolted on” after the device reaches a customer. Instead, IoT devices must have security built in from the start. Unfortunately, this is harder than it sounds, and not much guidance exists on how to do it right. We’ll present four simple cornerstones. We’ll describe how each must be adapted to work, practically AND effectively, in the often (very) challenging environments of IoT. We’ll describe how these cornerstones mitigate an extremely wide range of threats. We’ll present performance data on how newer implementations of newer algorithms now make legitimate security possible even in seriously constrained environments, such as 8-bit, 8 MHz micro-controllers with only 30kb flash, and battery-constrained devices that depend on energy harvesting.