Securing the Internet of People and Things (IOPT)

Listening to Jim Kobielus – IBM’s Big Data Evangelist – speak on security for the Internet of Things (IoT), I was struck by the need for big companies to incorporate more of a user-centric perspective into their thinking.

As Kobielus noted, we’re seeing a proliferation of mobile devices, appliances or other objects with embedded sensors and advanced wireless or cellular networks to connect them. Applications such as quantified self, home automation and connected cars abound.

A synonym for the IoT is the Internet of Everywhere, and Kobielus highlights that it’s also smart everywhere – you have smart phones, smart homes, smart schools, smart wearables, smart healthcare and on and on – integrated, interconnected, intelligent.

Gartner and other promulgators of statistics estimate tens of billions of things are persistently or intermittently connected to the Internet today and fifties or hundreds of billions more will be connected soon. I highly recommend to your attention the book “Trillions” to really learn about this transformational space.

But now to security. As Kobielus noted, there is no comprehensive framework yet for securing the IoT. Yet the IoT will have many of the same needs for security services like authentication, access control, encryption and vulnerability management as does the Internet of conventional devices. The IoT will differ mainly in terms of SCALE and PROXIMITY to people.

Kobielus makes the case that Big Data is required to deal with IoT’s scale issues, to handle the 3 V’s of volume, velocity and variety. Big data systems can keep track of the things in all their V’s, detect threats through analytics and accomplish bulk provisioning of protections.

Members of the audience at the talk, however, raised the question of privacy and trust. “Will people just withdraw from the connected life?” In answering them, Jim correctly (in my opinion) predicted that relatively few people will substantially disconnect. But I thought he should also have said that many people, though connected, are also “creeped out” and that withdrawal occurs by increments.

To be successful, to be desirable, to be useful to the greatest numbers and types of people, both IoT and Big Data have to address privacy concerns because of the PROXIMITY of IoT to our lives. Just the other day, I blogged about Direct Memory Access that Kills (On CSI Las Vegas) as an example of awareness that IoT could be not just privacy-invasive, but lethal.

Just as with conventional security, IoT security won’t be effective unless ownership, accountability, responsibilities and incentives are well-aligned. In free market ecosystems for free peoples, I believe the only scalable solution is to put individuals in control wherever possible, to achieve a positive sum outcome where privacy, big data analytics and the usefulness of connected things can all flourish. Privacy is really about control, about delegating information sharing decisions about their things to the users within an opt-in framework of informed consent. In the complex world of IoT, users will also need intelligent authorization managers to facilitate smart defaults within a framework of trust minimization and personal data collection minimization.

In thinking about leveraging big data for security generally and for the IoT in particular, don’t forget the little people. Although I used the acronym “IoT” in deference to covering Kobielus’s talk as it was given, I prefer the acronym IOPT in the title.

