Can the Internet of Things be Secure?
We’re coming up on a May 27 OASIS virtual session at 11 AM EDT:
Can the Internet of Things be secure? The impact on privacy and data control with Jamie Clark, Mark O’Neill, Dan Blum and Jonathan Rodriguez. For full details on the session, see https://www.oasis-open.org/events/Hangout5-27-2014.
This will be a one-hour session, and I understand it will be posted on YouTube afterwards if you can’t make the live event. I’m expecting the following questions, or similar ones, that have been mentioned in the OASIS promotion.
- Will there be an “SOA of Things” or a “Cloud of FitBits”?
- Do adequate security and access control methods exist for the IoT?
- Who owns the data?
- Can privacy rights be designed into the IoT?
As I prepare (a little) I’ll try and answer these questions on the blog now, and perhaps again tomorrow. But before I talk about this subject, I need an acronym I can tolerate using, so to get this out of the way:
Not “IOT”
IOPT = Internet of People and Things
Can the IOPT be secure? You may be interested to know the Webster dictionary definition of “security” starts with “the quality or state of being secure: as freedom from danger, freedom from fear or anxiety…” Few ecosystems, even tightly controlled and well-defined ones, can really hit that definitional bar. Due to its wide distribution, ownership and diversity, the IOPT cannot be “secure.” Except, perhaps, in a relative sense of being “secure enough” – but for whom?
Who owns the data? This really ought to have been the first question, in my opinion. After all, possession (of your data) is nine tenths of the law. The answer, of course, is “it depends” on the jurisdiction, the thing generating the data, the relationship of buyers, sellers, renters, insurers, regulators and other parties. Still, there are many cases in most democratic jurisdictions where the person for or about whom data is being generated should own the data or at least have a degree of control over how it is used.
Do adequate security and access control methods exist for the IOPT? This might be my second question, and the answer is again “it depends”, because with a word like “adequate” you can go anywhere. But if we were to set the bar anywhere close to the definition of “security”, the answer would be that adequate security doesn’t exist for the IOPT.
How can we get to “adequate security?” Security Architect says: We need an architecture! In general, a security architecture is a systematic, comprehensive arrangement of people, process and technology to meet the security objectives of the owner of some domain, or a community of owners and their domains. So you see, “adequate security” for a cell phone manufacturer in the absence of any regulatory requirements might just mean measures to prevent the user from switching out their expensive branded battery for a cheaper third-party one. But for the user, adequate security implies safety and privacy. If we write it for both user and provider, which we should, it’s some kind of balance. That’s why it’s important to make some assumptions on ownership up front. And if this is also going to be a “privacy architecture”, the ownership rights of the people (suspiciously silent in the industry buzzword IOT) must be respected. Then we can bring in Privacy By Design. Then Safety By Design. And we’ll be off to a good start.