Handling Privacy and Security Concerns in the IoT: Protecting Data
Given the intimate association our IoT devices have with our personal identities, once device registration, chaining, and capture have taken place, a complete end-to-end data-storage and access-control pattern needs to be implemented. Basic data encryption, from both a transit and a storage perspective, is a given and should, in theory, be no different from any other cloud-based storage solution. A more complex puzzle to solve, however, is how to implement the “who,” “where,” and “when” questions regarding data access. A fourth question, the “why,” also needs to be considered when focusing on registration and approval of data consumers.
Data privacy raises several interesting topics. Firstly, the data itself requires an owner: someone to be accountable when it comes to making consent decisions. The data itself may also need labeling, in a way similar to the data classification system used by many governments. Will some data be public? Will some data be accessible by some parties but not others? Will some of the access-control decision making be dynamic and change at run time? How can those access-control decisions be managed and enforced, while simultaneously being understood by a non-technical approver? All of these data-management topics are well understood and observed within the enterprise world, but now they have to be applied to a more scalable, consumer-facing world.
Authentication, authorization, and context
The data landscape shown in Figure 1 requires several security components to make it function. Authentication (confirming the truth of an identity) and authorization (confirming what that identity has access to) are the two main components. Both, however, require a context in order for a decision-making process to be fully optimized.
A basic example of authentication for a person-based identity is the username and password. This is the “something you know” concept, as opposed to “something you have” (one-time password generator) and “something you are” (biometric proofing). Authentication plays a significant part in the data landscape. Data owners, consumers, and generators all need to be identified and verified.
The authentication approaches for these groups will vary significantly. A physical device performing machine-to-machine (M2M) style communication is unlikely to leverage a username and password, for example. Would a physical device need to register with the data custodian, or perhaps be claimed by the data owner? Either way, the device needs a process that allows proof of its identity in order to validate the data that it can generate. Much M2M-style communication is encrypted, with other crypto architectures such as Public Key Infrastructure (PKI) or JSON Web Tokens (JWT) being used to perform device authentication.
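The JWT-based device authentication mentioned above, as an added example that is not part of the original article: the custodian holds a per-device HMAC secret provisioned at registration (an assumption; a PKI deployment would verify an asymmetric signature instead), and rejects tokens that are malformed, unsigned by a registered device, or expired. The device id `shoe-0001`, the secret, and the claim set are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret provisioned to one device at registration time (assumption:
# the custodian keeps a per-device HMAC key; a real deployment might use PKI instead).
DEVICE_SECRETS = {"shoe-0001": b"constructed-demo-secret-for-shoe-0001"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_device_jwt(device_id: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Build the HS256 JWT a registered device presents when publishing data."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": device_id, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(DEVICE_SECRETS[device_id], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_device_jwt(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated device id, or None if the token must be rejected."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side: the token's own "alg" never selects the verifier.
    if header.get("alg") != "HS256":
        return None
    sub = claims.get("sub")
    secret = DEVICE_SECRETS.get(sub) if isinstance(sub, str) else None
    if secret is None:
        return None  # device was never registered / claimed
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # header or payload altered, or signed with the wrong key
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired, or no expiry at all
    return sub
```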
Data consumers require both an authentication and an authorization process. Verifying their identity is simply a prerequisite to allowing them access to certain aspects of the data repository. Consider the training shoe example from the first blog in this series. Figure 2 shows the main players involved, and they may have different authorizations. The shoe manufacturer may just be interested in the shoe age and distance-run statistics, for instance, while completely ignoring the location and GPS data of the completed runs, which the consumer does want.
Mechanics and existing standards
The Internet and the identity-of-things approach both contain many different, complex, and more importantly, continually evolving components. These components include mechanics for things like user and data-owner registration and authentication, through to the smart-device communication and storage protocols. These protocols potentially need to be optimized to run with a tiny memory and processor footprint.
OAuth2 is perhaps the most popular with regard to consumer-based authorization, having been a familiar component of social networking. OAuth2 is often used to allow third-party clients to access social network information such as a user’s email address or profile attributes without the need to share password details. OAuth2 also gives the data owner the ability to remove previously granted access through the revoking of an access token.
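The consumer-side authorization described above (the training-shoe players with different authorizations, and OAuth2-style scoped grants that the owner can revoke), as an added example that is not part of the original article: each stored field carries a label, a grant names the consumer, the labels it covers and when it lapses, and the custodian releases only what the grant covers. The record, field names, scope names and tokens are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

# Constructed run record as the shoe might publish it (assumed field names, not from the page).
RUN_RECORD = {
    "shoe_id": "shoe-0001", "shoe_age_days": 120, "distance_km": 8.4,
    "start_ts": 1700000000, "gps_track": [(51.50, -0.12), (51.51, -0.11)],
}

# Data labelling: each field maps to the scope needed to read it. An unlabelled field
# matches no scope and is therefore never released (default deny).
FIELD_SCOPES = {
    "shoe_id": "shoe:stats", "shoe_age_days": "shoe:stats", "distance_km": "shoe:stats",
    "start_ts": "run:location", "gps_track": "run:location",
}


@dataclass
class AccessGrant:
    """The owner's consent for one consumer: who may read, which labels, until when."""
    consumer: str
    scopes: FrozenSet[str]
    not_after: int          # the "when": the grant lapses after this unix time
    revoked: bool = False   # the owner can withdraw consent at any time


class Custodian:
    """Enforces the owner's grants over stored records (OAuth2-style scoped tokens)."""

    def __init__(self) -> None:
        self._grants: Dict[str, AccessGrant] = {}

    def grant(self, token: str, consumer: str, scopes: Iterable[str], not_after: int) -> None:
        self._grants[token] = AccessGrant(consumer, frozenset(scopes), not_after)

    def revoke(self, token: str) -> None:
        # Revocation is recorded, not deleted, so later audit still sees the grant existed.
        if token in self._grants:
            self._grants[token].revoked = True

    def read(self, token: str, record: dict, now: int) -> dict:
        g = self._grants.get(token)
        if g is None or g.revoked or now > g.not_after:
            raise PermissionError("unknown, revoked or expired grant")
        # Release only the fields whose label is covered by the grant's scopes.
        return {k: v for k, v in record.items() if FIELD_SCOPES.get(k) in g.scopes}
```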
Figure 3 gives an example overview of some of the existing protocols, and of those fast becoming popular, for the IoT landscape.
From a device perspective there are several avenues to follow for protecting data. Things like transport protocols, the encryption and privacy of those protocols, as well as approaches for things like data storage, device registration and interfacing—using lightweight concepts such as QR (Quick Response) codes—all need to be considered from an identity and interaction perspective.
The main concern is how so many disparate protocols, devices, and components can be easily integrated to form scalable and lightweight infrastructures to manage the IoT landscape. Modular and loosely-coupled services would allow for the rapid provisioning of new consumers and publishers of IoT-related projects. The modular aspect could be based on standard web technologies such as REST, which would allow for powerful, highly customized web- and mobile-based user interfaces to be kept separate from the underlying registration and access-control infrastructure. Standards-based integration into existing identity-provider-based infrastructures such as social networking sites would allow for the rapid sign-up and viral marketing capabilities so often required of new platforms.
Today, the data custodian aspect is probably the best serviced, with numerous cloud-based environments for platform-, infrastructure-, and software-as-a-service style subscriptions that can scale rapidly to allow for the potential of multi-million-user deployments.
The area developing the most rapidly would seem to be at the device level. Newer, more advanced micro devices requiring crypto processing, JWT integration, and the ability to act both online for data publishing and perhaps offline for authentication and authorization are seemingly being released weekly.
One of the longer-term aspects of the IoT landscape is the analysis of the generated data, user interactions, and access-control decisions. Business intelligence for the IoT world would help drive consumer marketing decisions, manufacturing product research, and much more. The use of an identity context in such analytic processes is key to helping define areas such as behavior profiling, peer comparison, and fraud.
IoT brings together devices, people, and services into loosely coupled but highly optimized chains of data. To protect the privacy of that data, while allowing access to the various data consumers, requires a complex balance of authentication, authorization, and contextual awareness. Underpinning those requirements is a need for unique identities, at both the local and global level, along with strong registration, claims, and implicit approval processes that allow people-to-machine, machine-to-machine, and people-to-service relationships.
While there are vast opportunities to create new personalized services and content, the opportunities come at a cost—data privacy. Device registration and ownership need to be carefully mapped to a flexible identity and access-control mesh that is easy to implement, scalable, and easy for a non-technical end user (the ultimate data owner) to understand and embrace.
Simon Moffatt has over 13 years of information security experience with a specialization in identity and access management. He is currently Principal Engineer at Open Source ISV ForgeRock. He may be reached at simon@infosecprofessional.com.