A connected world is a convenient world for both work and play. Too often, however, the price of convenience is privacy. If data within the Internet of Things (IoT) is not secured properly, it puts people’s overall safety in jeopardy — and it’s not just about loss of sensitive personal data.
In fact, according to UL, the even greater threat is that an attacker could take over the functionality of poorly secured devices. Imagine if someone hacked into a connected home and cranked up the heat through the IoT thermostat, took over appliances or, worst of all, gained control of medical devices such as pacemakers and insulin pumps, which could create a life-or-death scenario in the wrong hands.
Isabelle Noblanc, VP and general manager, Identity Management and Security at UL, said the answer to these concerns is to practice security and privacy by design, not as an afterthought. When developing IoT technologies, she said, go-to-market time is much too late to think about security.
“Security isn’t the hot sauce you add on the side,” Noblanc said. “It’s a key ingredient to any system, and it’s something IoT manufacturers need to think about from the very beginning.”
In a recent interview with PYMNTS, Noblanc explained how traditional identity management and authentication models must be rethought and re-engineered, moving control from enterprise contexts into the hands of end users.
The Evolution of IoT
The phrase “Internet of Things” may be a relatively new term, but the concept, said Noblanc, is anything but new. The world has long been transforming into a more connected place. Today’s dramatic transformations are just increasing the trend and adding more complexity to it.
This complexity is the reason traditional identity management must be rethought, Noblanc said. It was once enough for people to use resources within an enterprise context — managed by, for instance, Microsoft Active Directory and similar solutions — but now, she said, it is necessary to bring resources into the end consumer environment, where machines are connected to machines and mutual authentication is needed.
Since there are so many devices by so many brands, Noblanc said communication and authentication protocols must be interoperable — that is, they must be able to handle things produced by multiple vendors. This gives end users self-control and freedom of choice in terms of brand, rather than presenting options that are either convenient or secure and forcing consumers to pick one.
Today’s privacy and security solutions must be both convenient and secure, said Noblanc, and they must be that way by design, from day one.
Pros and Cons of Regionalization
Many organizations take different approaches to security depending on the region, product or business line. A customized approach, Noblanc explained, enables them to meet compliance and regulatory standards, which vary by region.
It also makes it possible to adapt the protection level to match the potential consequences of a security breach. Situations where a breach could have massive repercussions require greater security, driving a need for a stronger customized approach, she said.
However, when everything is connected, the network is only as strong as its weakest link. In the IoT, data that’s generated is held and accessed by third parties, which can open new angles of attack against organizations that fail to take a holistic approach.
Therefore, even if individual elements are secure, the system as a whole may not be. Noblanc said organizations must now apply an end-to-end approach and move toward looking at things globally rather than individually, considering systems rather than products.
Digital Identities Must Be Trustworthy
Whether in business or in personal life, people are growing more dependent on tech, to the point where it becomes a handicap if the devices in their lives can’t trust them or each other. For instance, if a smart car can’t definitively authenticate a driver, then that person will not be able to get in or drive it.