Last week I discussed Security and Privacy in the Internet of Things with fellow panellists at the GSMA Mobile 360 Series event in The Hague. I talked about three technologies that will help bring privacy and security to the IoT.
- “Fog” computing – or processing data at the edge of the network.
- User Managed Access (UMA) – an extension to OAuth2 that puts users in control of data resources.
- Trusted Execution Environments – a way to protect the first two items above.
If you want to know more then please contact me. But enough about what I said, here’s what I learned and how it could impact you.
EU regulation will make Security and Privacy top of boardroom agendas. The law was passed on 27 April 2016 and will be enforced on 25 May 2018. I’ve skim-read it so you don’t have to. Jump to Article 83 – the section on Administrative Fines.
If you’re processing sensitive personal data and you fail to protect it, you could be liable to a fine of €20 million or 4% of your global revenue. Let that sink in. That’s not profit. Revenue. We all know that profits can be shuffled in a shell game.
Now the stakes for collecting what Bruce Schneier calls toxic data stockpiles just got higher. If your IoT strategy is to collect all the data and monetise later, then maybe it’s worth rethinking. The three technologies that I talked about have some connections with the law:
- Data protection by design and default. Start with a secure system by default. Adding security later doesn’t work. The cost of building Trusted Execution at the design phase is a lot lower than a potential Administrative Fine.
- User Consent and Withdrawal. Enabling the users to control their data, being explicit with what is collected, how it’s used and allowing users to “set the dial” on privacy. UMA seems to fit the bill quite nicely.
- Pseudonymity and encryption – if this is done at the edge of the network (in the “Fog”) in a user managed device, then you can detoxify your data stockpile.
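
As an added illustration of the last point (not code from the original post), the sketch below shows a user-managed gateway pseudonymising readings before they leave the edge. The `EdgeGateway` class, the field names and the choice of HMAC-SHA-256 as the pseudonymisation method are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Fields the cloud is allowed to receive; everything else stays on the gateway.
ALLOWED_FIELDS = {"sensor", "value", "unit", "ts"}
# Direct identifiers that are replaced by a pseudonym before upload.
IDENTIFIER_FIELDS = ("owner_email", "device_serial")


class EdgeGateway:
    """Hypothetical user-managed gateway that pseudonymises readings locally."""

    def __init__(self, key=None):
        # The pseudonymisation key is generated on the device and never uploaded.
        self._key = key or secrets.token_bytes(32)

    def pseudonym(self, *identifiers):
        # Keyed hash: stable for the same inputs, not recomputable without the key.
        msg = "\x1f".join(identifiers).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def prepare_upload(self, reading):
        missing = [f for f in IDENTIFIER_FIELDS if f not in reading]
        if missing:
            raise ValueError(f"reading lacks identifier fields: {missing}")
        # Allow-list the payload, then attach the pseudonym as the only subject key.
        out = {k: v for k, v in reading.items() if k in ALLOWED_FIELDS}
        out["subject"] = self.pseudonym(*(reading[f] for f in IDENTIFIER_FIELDS))
        return out


# Constructed sample readings (not real data).
SAMPLE = [
    {"owner_email": "alice@example.org", "device_serial": "SN-0001",
     "sensor": "thermostat", "value": 21.5, "unit": "C", "ts": 1462000000,
     "wifi_ssid": "alice-home"},
    {"owner_email": "alice@example.org", "device_serial": "SN-0001",
     "sensor": "thermostat", "value": 22.0, "unit": "C", "ts": 1462000600,
     "wifi_ssid": "alice-home"},
]

if __name__ == "__main__":
    gw = EdgeGateway()
    for r in SAMPLE:
        print(json.dumps(gw.prepare_upload(r), sort_keys=True))
```

The central store can still group readings by `subject`, but it holds no email address, serial number or network name, and it cannot recompute the mapping without the key held on the gateway.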
It strikes me that the Administrative Fines may be harsh for smaller businesses and startups, and the winners may be larger organisations that can employ legions of InfoSec professionals. Or perhaps there is a new role to play for Identity as a Service companies to transform Big Data with a detox diet and help smaller companies offload their liabilities.
The first step is to put trust in the Things before adding the Internet into them.