IoT and Data Security
One cannot talk about IoT without referring to the data collected from the smart devices all around us. This is a key topic of discussion with our clients at Lab651. As I have taught students taking my Internet of Things class at the University of Saint Thomas, what’s so special about the data that comes from physical devices is just how personal that data can be. “If someone got ahold of my banking information, that would stink,” I tell them, “but if they got ahold of biometric data about my activity, location, or things I said, saw, or felt, that could be catastrophic.” Thus, IoT data is personal on the most personal level it can be. And that’s just in the consumer space. What if this were data concerning the machines on your factory floor or your fleet of assets?
It’s because of the sensitivity of this data, and the risk of it getting into the wrong hands, that we continue to see many companies and some consumers put a pause on IoT rollouts. To be clear, these rollouts aren’t stopping by any means, but people are asking many questions about the security, ethical and legal landscape that haven’t had to be addressed in the past. Here are some things to think about as you begin crafting a strategy for making your products and services smarter.
This is usually where many conversations start: is my data secure, both in motion and at rest? For example, take an industrial-grade sensor application that monitors manufacturing equipment. On the surface this might seem harmless, but in the wrong hands, like your competition’s, the data could give insights into your production levels and the types of machines you have, and could be used to maliciously try to overrun those machines and cause failures. Even something as simple as hacked security camera footage could show them how your facility is run.
The good news is that the standards and protocols used on the Internet for devices such as laptops and servers can be easily applied to these smart devices that are sensing the physical world and reporting critical data. There’s very little reason not to be using cryptography and secure channels on your devices, and this covers the data security aspects. However, there’s a whole side of security that customers often don’t think about, and that’s the physical security of the device. You’ll need to take additional steps to ensure that the physical security of the device is not compromised and that malicious firmware is not loaded onto it. When you have a physical product in the field, it’s a whole different game than a software application running on a desktop.
Now that you are collecting data securely, you’ll want to make sure that you are covered on data privacy. A clear distinction on the ownership and the appropriate use of the data being collected is an area where companies have been lacking in the past. More and more, consumers are starting to ask: Where is my data going? What is it being used for? How can I delete it? These questions are some of the most important factors that led to the implementation of GDPR. If you have not read up on it and you are collecting data from your customers, you most certainly should take a look. Laws around data and privacy are only going to get stronger over time, and unless consumers feel that their data is being used in a way that helps rather than harms them, the adoption of IoT devices will stagnate.
A final piece in the puzzle when talking about data, no matter what the type, is being able to move your data to wherever you wish in the future. The thought that all your information is locked into a system that you cannot migrate away from or control will be a non-starter in the coming years. I was the VP of Engineering at Code42 for more than four years, during which we helped thousands of customers secure their most precious commodity, their data from endpoint devices, all the while knowing that if they wanted to move, remove, or update to another service, they certainly had that option too. With data from the physical world being the most personal of its kind, the stakes are even higher, not only from a security and privacy standpoint but from a portability one as well. Any data solution you build needs to consider this.
In closing, the data from IoT devices is a unique beast that we can help companies learn, adapt to, and secure in a variety of ways. Our team has decades of experience in helping you make the right decisions, backed by our workshop process. Even if you don’t use Lab651 for your next project, keep these key points in mind as you look to build your next smart, connected solutions that change the world!