Data Protection in the Internet of Things
Some experts see the Internet of Things (IoT), or the Internet of Everything, as the next industrial revolution, in which a new category of devices will start communicating with each other with little or no human intervention. But how does data protection fit into the picture?
In the IoT, multiple sensors, tiny computer chips and communications devices will be integrated with physical objects such as appliances to enable communication between them and other computing devices such as cloud servers, computers, laptops and smartphones.
The IoT offers enterprises and businesses tangible benefits. For instance, through the IoT, information analysis will be available in real time. People and companies alike will be able to make more accurate decisions, reducing operational costs and increasing efficiency with real-time analysis. The IoT also offers more control and automation. Having sensors and smart devices will allow corporations to program the execution of automated and repetitive tasks by defining multiple scenarios with their corresponding responses.
Data Protection and the IoT
To put this in context, the following are some interesting implications (including ones concerning data protection) that relate to the explosion of these interconnected devices:
- These devices will constantly generate huge amounts of data, so we will need faster networks, larger storage capabilities (likely in the cloud) and more bandwidth to support the growth in Internet traffic.
- There is not yet an open ecosystem to host these devices to make them interoperable like there is on Microsoft Windows, Apple iOS and Google Android ecosystems.
- Vendors are creating private networks for interoperability among their own products, but these are incompatible with others. This creates a major challenge for integration across multiple solutions.
- The current Internet protocol (IPv4) cannot handle the growth in the number of interconnected devices on the Internet. This will trigger the need to switch to a more scalable protocol, such as IPv6.
Security and the IoT
With this in mind, you may be concerned about how to deal with security in the IoT. The following are several security challenges that will need to be faced as the IoT gains steam:
- If we already have trouble today keeping our computers, smartphones and tablets updated with the latest version of code, won’t it be a nightmare trying to keep these millions of devices updated and free of security bugs?
- With the amount of data these devices will generate, how do we navigate the sea of data to identify suspicious traffic over the network? What if we miss incidents because we are unable to identify them?
- Proprietary and enclosed implementations such as those that vendors are creating today make it harder to find hidden or unknown zero-day attacks.
- Even though IPv6 has been present for some time, this protocol has not yet been fully perfected. As with everything that is new, we have to handle new and unknown weaknesses. That being said, the way we apply security controls over IPv4 may not be useful or relevant for protecting IPv6.
There is no simple answer to address these challenges and manage the security of these interconnected devices. However, the following are some actions we must take to overcome these adversities:
- We must have a truly open ecosystem with standardized application programming interfaces that enables interoperability with a reliable and automatic patching system.
- Devices must be hardened with the best practices in the market to protect against common security exploits.
- Devices must be well-protected on the connected networks (intranet and Internet).
This technology is still in its infancy, and we will have to wait a while before it gets to a more mature state that is driven by the whole industry. What can we do in the meantime? Look into existing proprietary ecosystems and analyze which ones have the features that best fit your business needs. These include their scalability and the ability to isolate these small and elusive devices on a separate network (using virtual local area networks) protected by firewalls or at least with screening routers.