The Puchi Herald Reblog

A reblogging blog

GDPR and the technology market

Question: will the new privacy policies and laws impact the technology market?

This is an interesting question to ask ourselves. Whether we are consumers or vendors in the technology market, privacy regulations on the new technologies (from cloud to IoT, from Industry 4.0 to big data, to name those most acknowledged from a marketing point of view) can heavily affect our behaviours and the market.

So let us try to understand what the implications of this new focus on privacy and data protection could be.

First of all, we should try to understand what we are talking about.

Privacy, GDPR and the rest

Privacy: the state of being alone, or the right to keep one's personal matters and relationships secret.

In today's environments the presence of data-related technology is pervasive: from business to personal life, technology plays a big part in our lives. Data-related technology means we use technologies that are able to manipulate information: information is collected, changed, communicated and shared, all in the form of data. Bits and bytes that describe our job, our business, our personal life.

Although in the past privacy was mainly a physical issue, and legislation therefore focused on those aspects, this increasing presence of data collection and sharing makes people realize that there is a new abstraction layer involving privacy, one no longer related to being alone or in a confined physical space, but to an undefined and borderless digital virtual space.

Email, blogs, social networks, chat, e-commerce, electronic payment, smartphones: all this and more has shifted the very perception of privacy from a simple concept to something much harder to define.

Regulators and consumers started to deal with those issues in recent years, while the enterprise and technical world remained almost frozen, waiting for indications. The first indication that this would be a wake-up call for enterprises was the ending of the Safe Harbour agreement: privacy was no longer a secondary issue, even for the economy.

The latest development can easily be identified in the new European Union General Data Protection Regulation (GDPR), which comes into effect in May 2018 and has far-reaching implications that extend well beyond the EU.

Businesses that fail to meet the new mandates aimed at protecting personal data face severe consequences. They can be fined up to $20 million, or 4 percent of global revenues, a cost that makes this regulation impossible to ignore.

And it is not only Europe: other areas of the world are moving toward a more cautious approach to data privacy. While it is not yet clear how the new USA administration will approach this subject, it is beyond doubt that data privacy is becoming a major issue in the next years; how this will impact business is, however, not yet clear.

What is certain is that GDPR will force companies to deal with a tremendous amount of data to be protected. Any data used to make inferences linked, tenuously or otherwise, to a living person is personal data under GDPR. Cookie IDs, IP addresses, any device identifier? All personal data. Even metadata with no obvious identifier is caught by the GDPR's definition of personal data. Truth be told, such assertions are not entirely new. The difference under GDPR is that they will be enforced and non-compliance fined.

Today swathes of business practices unlocking data monetization rely upon data not being considered personal, so they apply weak consent, onward transfer and data reuse concepts. These models are going to change, either by choice or by obligation.

Data Privacy, Data Protection and Cyber Security

One aspect that is not yet completely perceived and understood is the correlation between data privacy, data security and cyber security. The requirements that force companies to respect data privacy legal obligations are intrinsically bound to the explicit request for data protection and, therefore, for cyber security.

GDPR clearly defines that data should be fairly processed and protected: the implications are not only procedural, in terms of the processes to adopt inside the enterprise, but also technical, in terms of data manipulation, retention, storage and security.

Recent security outbreaks such as those related to ransomware are an example of how basic cyber security threats can impact this area directly, as do the common and well-known cyber attacks aimed at data exfiltration.

This is a growing phenomenon and is affecting not only the classical online services (think of the classic dating site attacks, for example, to collect usernames and passwords) but also, extensively, the healthcare industry.

While in the past those outbreaks could have been a relatively minor issue, the new GDPR structure of fines could affect any company heavily, regardless of its sector, and some departments that in the past have never considered those issues a business imperative, such as Marketing or Human Resources, will have to face a difficult transition in terms of awareness, policies to be implemented and technology approach.

It is easy to forecast that this situation will shape the technology market in different areas over the next years.

Impact on the technology market

When we talk about the technology market we face different aspects, since "technology" as a term can cover a wide range of things. We can talk about hardware vendors or software vendors. We can talk about service vendors (cloud, CRM or whatever you prefer), IT enterprise or carrier hardware providers, security vendors, end-user hardware providers (such as smartphone makers).

Recently the trend is to aggregate functions and offerings, making those areas overlap within the same company, although they are not often integrated.

Since the whole industry will have to face the new privacy requirements, we should expect an increase in requests for data privacy expertise hitting the market, and a growing demand for IT solutions that help companies manage the requirements. This could, for example, give a small impulse to historically neglected areas such as DLP solutions, data categorization solutions and so on.

Some small advance and effort will probably also be put into more traditional areas such as backup.

A heavier impact will be seen in the growing online market, with the need not only to protect the privacy of users but also to secure economic transactions; content providers and social or gaming platforms will be heavily impacted too.

In a second round we will probably see renewed interest in baseline security solutions, as stakeholders will, sooner or later, realize that there is no compliance without data protection and no data protection without cyber security.

The request for expertise and consulting services will mostly be redirected outside, to technology vendors (here considering HW/SW vendors such as Cisco, HP, Huawei, SAP, Microsoft; service vendors such as cloud providers, Azure, AWS, Google, but also app stores and online CRM providers), consulting companies and technology integrators.

On the other hand, technology vendors will have to face a strange situation where they will be both requested to provide solutions compliant with the new rules, be the driver of the new requirements and implementations (public-private partnership basically means this) and in need of implementing solutions to protect themselves in different areas:

Product and Services development

Here vendors will have to start developing products and services considering data protection a major issue. The impact on cloud or services, where data protection is easily identified, is clear, but the hardware product side will have to face issues too. Although it can seem trivial, we can remember the problems related to GPS tracking on Apple and, to some extent, Android devices that happened some years ago. The privacy implications of products can be wider than expected, since we have to protect not only the data per se but also the metadata (this is the wider range of GDPR and the new privacy regulations).

Usually we tend not to consider system logs, for example, a problem in terms of privacy, but in effect they are, if they contain data that can point to a physical person and be used to track that person's behaviour somehow.

Firewall and router logs, for example, could be used to determine what someone is doing online, and therefore can expose information that falls within the GDPR realm. Apparently minor features, but the truth is that metadata too is subject to GDPR.
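As an added illustration (not from the original post) of one way to keep such logs useful while removing the direct identifier, the following Python pseudonymizes every IPv4 address in constructed firewall log lines with a keyed HMAC: the same address still maps to the same token within a key period, so traffic can be correlated, but the token cannot be reversed to the address without the key. The log lines, the key and all function names are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample firewall/router log lines (not real traffic).
SAMPLE_LOGS = [
    "2017-01-05T10:12:01Z fw01 ACCEPT src=10.0.0.7 dst=93.184.216.34 proto=tcp dport=443",
    "2017-01-05T10:12:04Z fw01 ACCEPT src=10.0.0.7 dst=151.101.1.69 proto=tcp dport=80",
    "2017-01-05T10:13:20Z fw01 DROP src=10.0.0.42 dst=198.51.100.9 proto=udp dport=53",
]

# Matches dotted-quad IPv4 literals anywhere in a log line.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymize_ip(ip: str, key: bytes, token_hex_len: int = 16) -> str:
    """Map an address to a keyed, one-way token.

    HMAC-SHA256 under a secret key: without the key nobody can rebuild the
    mapping by hashing the whole IPv4 space (a plain, unkeyed hash would
    allow exactly that, since there are only 2^32 addresses to try).
    """
    mac = hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()
    return "ip_" + mac[:token_hex_len]


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace every IPv4 literal in one log line with its token."""
    return IPV4_RE.sub(lambda m: pseudonymize_ip(m.group(0), key), line)


def pseudonymize_logs(lines, key: bytes):
    """Pseudonymize a batch of lines with one key.

    Rotating the key per retention period (e.g. daily) means tokens cannot be
    linked across periods, which limits how long one host's activity can be
    tracked through the logs.
    """
    return [pseudonymize_line(line, key) for line in lines]


def contains_raw_ip(line: str) -> bool:
    """Check used to verify that no dotted-quad survived pseudonymization."""
    return IPV4_RE.search(line) is not None


if __name__ == "__main__":
    key = b"constructed-demo-key-rotate-me"  # in practice: random, secret, rotated
    for out in pseudonymize_logs(SAMPLE_LOGS, key):
        print(out)
```

Ports, verdicts and timestamps are left untouched, so the lines remain usable for detection and troubleshooting while the direct link to a person is held only by whoever controls the key.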

Privacy by Design and Privacy Enhancing Technology will be mandatory components of any product or service development.

Marketing and Sales

Marketing (and/or sales) has always been considered agnostic towards technology, but the ultimate scope of marketing is to get in touch with the market, which means customers and ultimately people. Marketing activities will be hugely impacted by GDPR requirements both in terms of operations, since it is up to marketing to manage a large amount of data coming from outside the company, and communication.

Technology vendors, somehow, will be expected to lead and drive the request both in terms of consulting and by example. A breach or misinterpretation of GDPR guidance will severely impact the business from a brand point of view and undermine vendor credibility.

Internal protection

As for any other company, there will be a direct impact on the business operations of any vendor dealing in the technology field. But in this case the extent of the problem will not be limited to standard cyber security procedures: since technology vendors enter, somehow, almost directly into customers' IT or data processing infrastructure, the request will be to implement an end-to-end protection system which includes GDPR compliance and the application of cyber security. This will require technology vendors to operate on:

  1. supply chain
  2. production and vulnerability disclosure
  3. product and service delivery

All three areas are still trying to develop standards and good practice, although something is moving.

So what are the changes expected under the new regulation?

There are around a dozen headline changes which technology companies should be aware of.

Some of the key areas include:

  • Privacy by design and Privacy enhancing technology – privacy by design calls for the inclusion of data protection from the onset of the design of systems. Companies must also only hold and process data which is absolutely necessary.

Privacy enhancing technology (PET) and Privacy by Design (PbD) are obligatory and mandated requirements under the GDPR. There remains no generally accepted definition of PET or PbD, but PbD is considered an evidencing step for software development processes to take account of privacy requirements. So the incorporation of what can broadly be defined as PET in such solutions represents PbD.

Two particular PET techniques that control downside risk and enable upside risk are differential privacy and homomorphic encryption.

  • Differential privacy counters re-identification risk and can be applied to anonymous data mining of frequent patterns. The approach obscures data specific to an individual by algorithmically injecting noise. More formally: for a given computational task T and a given value of ϵ there will be many differentially private algorithms for achieving T in an ϵ-differentially private manner. This enables computable optima of privacy and also of data utility to be defined by modifying either the data (inputs to query algorithms) or the outputs (of the queries), or both.
  • Searchable/homomorphic encryption allows encrypted data to be analyzed through information releasing algorithms. Considered implausible only recently, advances in axiomatizing computable definitions of both privacy and utility have enabled companies such as IBM & Fujitsu to commercially pioneer the approach.
  • Data processors – those who process data on behalf of data controllers, including cloud-providers, data centres and processors. Liability will extend to these and businesses that collect and use personal data.
  • Data portability: empowers customers to port their profiles and segmentation inferences from one service provider to another. This is a reflection by lawmakers that data is relevant to competition law, whilst not conceding an imbalance between a company's ability to benefit from data at the expense of us all as citizens.
  • Data protection officers – internal record keeping and a data protection officer (DPO) will be introduced as a requirement for large scale monitoring of data. Their position involves expert knowledge of data protection laws and practices, and they will be required to directly report to the highest level of management.
  • Consent – explicit permission to hold any personal data in electronic systems will become mandatory. It will no longer be possible to rely on implied consent with individuals having the option to opt out. Customers consent to privacy policies that change. Being able to prove which contract was agreed to, in court or to a regulator, requires registration time stamping and tamper-resistant logs to become de rigueur. As we move into an opt-in world of explicit consent and ubiquitous personal data, data transmissions beyond a website visit must be explicitly permissioned and controlled. In this world, default browser values de-link machine identifiers from search queries. In other words, in this new world, online advertising to EU citizens is in line for fundamental change. And given the particular regulatory emphasis on profiling, explicit consent will require loyalty programs to differentiate consent between general and personalized marketing consents. Those consent flags must cascade through registration, reporting and analysis, targeting and profiling, contact center operations and all other processes that handle such data.
  • Breach notifications – the notification of a breach, where there is a risk that the rights and freedoms of individuals could become compromised, must be reported within 72 hours of the breach being identified. The relationship between breach notification and vulnerability disclosure is underestimated. While for an end user those two aspects seem to be unrelated, there could be a higher impact on vendors for at least a couple of factors:
    • The breach notification could expose the vendor as the main source of the breach itself, due to a lack of vulnerability management and disclosure.
    • The victim could consider liability against the vendors whose "vulnerabilities" caused the breach, redirecting part of the costs to them.
  • Right to access – data subjects will now have the right to obtain confirmation from you of what personal data is held concerning them, how it is being processed, where and for what purpose.
  • Right to be forgotten – data subjects will now have the right to be forgotten, which entitles the data subject to have you ensure that information is deleted from every piece of IT equipment, portable device and from server back-ups and cloud facilities. A framework to comply with this obligation would include the following steps:
    • Spot identifiers which tie together datasets, e.g: machine identifiers link together our social media experiences;
    • Prescribe how re-identifiable data flows in and outside the organization;
    • Document a scalable process to overwrite identifiers in all datasets where re-identification can be established, upon the validated request of a user, and
    • Third party contracts and SLAs should be adjusted to ensure compliance with validated requests.
  • Data Bookkeeping: Field level data, linked to an identifier, flows across geographies and legal entities, processed by machines and people. Organizations will account for these flows with evergreen reporting. It stands to reason that these flows will be threat-modeled for integrity and confidentiality so controls can be readily evidenced upon request.
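As an added example, not from the original article, here is the differential privacy point above made concrete in Python, covering both sides of the "modify the inputs or modify the outputs" remark: the standard Laplace mechanism perturbs the output of a counting query with noise of scale sensitivity/ϵ, while randomized response perturbs each input record before it is collected. Both are ϵ-differentially private; the dataset, seeds and all names are constructed for this example.

```python
import math
import random

# Constructed sample dataset: one boolean per data subject, e.g. "visited a
# dating site this week". The true count is 6 of 10; this is what a marketing
# or risk query wants to learn without exposing any single user's value.
SAMPLE_USERS = [True, False, True, True, False, False, True, False, True, True]


def true_count(records) -> int:
    """The exact (non-private) answer, for comparison only."""
    return sum(1 for r in records if r)


class LaplaceMechanism:
    """Output perturbation: noise is added to the query result, not the data.

    For a counting query one person changes the count by at most 1, so the
    sensitivity is 1 and noise of scale 1/epsilon gives epsilon-DP. Smaller
    epsilon = stronger privacy = larger expected error (the privacy/utility
    trade-off the text refers to).
    """

    def __init__(self, epsilon: float, sensitivity: float = 1.0, seed=None):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        self.scale = sensitivity / epsilon
        self.rng = random.Random(seed)

    def expected_abs_error(self) -> float:
        # Mean absolute deviation of Laplace(b) is exactly b.
        return self.scale

    def _laplace(self) -> float:
        # Inverse-CDF sampling; reject u == 0 so log(0) cannot occur.
        u = self.rng.random()
        while u == 0.0:
            u = self.rng.random()
        u -= 0.5
        return -self.scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

    def count(self, records) -> float:
        return true_count(records) + self._laplace()


class RandomizedResponse:
    """Input perturbation: each record is flipped with a known probability
    before it ever leaves the data subject, so the collector never sees the
    true value. Answering truthfully with probability e^eps / (1 + e^eps)
    is epsilon-DP for a single bit.
    """

    def __init__(self, epsilon: float, seed=None):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        e = math.exp(epsilon)
        self.p_truth = e / (1.0 + e)
        self.rng = random.Random(seed)

    def perturb(self, records):
        return [r if self.rng.random() < self.p_truth else (not r) for r in records]

    def estimate_count(self, noisy_records) -> float:
        # E[observed] = p*true + (1-p)*(n-true); solve for true. With small n
        # the unbiased estimate can fall outside [0, n]; that is the utility cost.
        n = len(noisy_records)
        observed = sum(1 for r in noisy_records if r)
        p = self.p_truth
        return (observed - (1.0 - p) * n) / (2.0 * p - 1.0)


def utility_table(epsilons, sensitivity: float = 1.0):
    """Expected absolute error of the Laplace mechanism for each epsilon."""
    return {eps: sensitivity / eps for eps in epsilons}


if __name__ == "__main__":
    lap = LaplaceMechanism(epsilon=0.5, seed=1)
    print("true:", true_count(SAMPLE_USERS), "laplace:", round(lap.count(SAMPLE_USERS), 2))
    rr = RandomizedResponse(epsilon=1.0, seed=1)
    noisy = rr.perturb(SAMPLE_USERS)
    print("randomized response estimate:", round(rr.estimate_count(noisy), 2))
    print("expected error vs epsilon:", utility_table([0.1, 0.5, 1.0, 2.0]))
```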


GDPR impact

Privacy regulations such as GDPR, and the growing awareness and concerns related to data privacy and security, are tied to the expanding presence in everyday life and business of smart mobile devices able to process data, the growing online market, consolidated trends such as cloud services, and newcomers such as IoT.

The technology market faces this transition on the front line, and will see the impact of new regulations and customer reactions in several ways. This is both a chance and a problem; the implementation of new mandatory requirements will impact all areas, from design and production to sales and delivery. But this will also mean new areas of business in consulting and in the technologies supporting GDPR and privacy compliance, a market where data analysis technology, artificial intelligence and other high-end technology areas could provide a competitive, price-insensitive advantage over the consolidated technology market.

The key success factor is to embrace this change and drive it, acquiring the needed competences internally, implementing the right corrections and driving the needed improvements to the products and services provided.

Future trends will see a prevalence of technologies related to "data" processing and of services related to data over products. The new data paradigm is already visible today, for example in the Big Data market (take data lake implementations as an example). In terms of the technology market this will mean a focus on Data Science, which will pose a new and somehow unpredictable relationship with privacy regulations.

GDPR Risks and “Data Science”

The term data science describes a process from data discovery, to providing access to data through technologies such as Apache Hadoop (open source software for large data sets) in the case of Big Data, to distilling the data through architectures such as Spark, in-memory and parallel processing. That data science creates value is understood. What isn't understood are the risks it exposes investors to under the GDPR, of which there are principally three:

Risk 1: The Unknown Elephant in the Room – Unicity: a general misunderstanding in monetization strategies is that stripping away the identifiers of a data model renders the data set anonymous. Such a belief is flawed. So-called anonymous data sets can often, without implausible effort, be re-identified. Unicity is a measure of how easy it is to re-identify data: it quantifies the additional data needed to re-identify a user. The higher a data set's unicity, the easier it is to re-identify. Transactional and geo-temporal data yield not only high monetization potential, they carry statistically unique patterns which give rise to high unicity.

Risk 2: Relevance & Quality: income, preferences and family circumstances routinely change, and preference data on children is difficult to ethically justify processing. While this creates a problem for predictive analytics, the data and the inferences it engenders can be considered inaccurate at a given point in time, which creates a GDPR cause of action. Data quality needs to stay aligned to business objectives.

Risk 3: Expecting the Unexpected: When data science creates unexpected inferences about us, it tends to invalidate the consent that allowed data to be captured in the first place, which, again, is a big deal. Data collected today, particularly from mobile devices, is subject to a constant stream of future inferences that neither the customer nor the collector can reasonably comprehend. Consider a car-sharing app that can model propensity for one-night-stands from usage patterns. While that data may not result in propositions today, the market will consider upside risk/option value to have been created (the market still does not seem to believe in GDPR impact), but this incremental data coming into existence creates downside risk (such data is difficult to find a legal-basis for, given the vagaries of a given consented disclosure).

More generally, the problem of negative correlations is brought to the fore by algorithmic flaws, biased data and ill-considered marketing or risk practices, the enduring example being U.S. retailer Target's predictive campaigns to pregnant teenagers, spotted by parents. These are examples of a new form of systemic control failure, leading to potentially actionable GDPR claims.



GDPR and the technology market was originally published on The Puchi Herald Magazine

Happy new insecure 2017: my resolutions and wishlist for new year

Here we are, a new year comes and we, as cyber security experts, will keep warning the world about the deeply insecure world we are living in.

And we will announce new technologies and new devastating scenarios related to them. IoT and Cloud will raise their evil face while bad people will be lurking in the dark, waiting to attack the innocent lamb crossing the road.

But, in all of this, most of the damage will still be done by badly designed systems, by managers who do not understand what living in a digital world means, by politicians who understand cyber security issues only when they have something to gain, by entrepreneurs who will still invest in security as a disturbing side effect.

If I can make a wish for the new year, it is to finally see a different approach to information security, an approach that takes into account that:

1) to be secure you need well-designed systems first, and only then cover them with some security geek technologies. If the design is crap, all your security is crap no matter what you use on top;

2) there is no security if your devices are not designed with security in mind; good code and a good code lifecycle are the best insurance, so if you buy the cheapest then do not cry... it is your job to look for what you need, and so yes, it is your fault if something goes wrong;

3) that finally companies, managers and entrepreneurs understand that security is within the process, and not just a bunch of technologies put on top of something you do not have the slightest idea about; you can't protect what you don't understand;

4) that if people do not understand, then people will not follow even the most basic rules, so training is not optional, but the very basic. And to be sure, the first who have to learn are the "CxOs", who should get off the throne and start learning about the world they crafted;

5) that if we keep thinking that IoT is wonderful but do not understand what IoT will bring in terms of cultural and technical problems, we will never understand what putting security on it means;

6) that if you hire an expert and then you don't listen to him or her, then you are wasting his or her time and yours; so do not blame the messenger;

7) that if you think this complex field we call security can be covered by a junior who knows it all, you are probably wrong, unless the junior is a genius;

8) that if you, security expert, think your counterpart has the slightest idea what you are talking about, you are probably wrong, because you did not realize they do not understand what they do not know;

9) that all of this is part of the business, and therefore the business should take all this as one of its elements, and not just a nasty, annoying add-on;

10) that next time someone talks about APTs they tell you the truth: the only way to stop an APT is to stop the attacker, otherwise... it would not be an APT.

I know, I know, I am a bit naive and still believe in fairy tales...


Happy, safe and secure 2017 to you all.


Happy new insecure 2017: my resolutions and wishlist for new year was originally published on The Puchi Herald Magazine

The IoT Files – intro and security

I will start a series of posts on the IoT (Internet of Things), since it seems to me that most of the talk about IoT is missing some key aspects.

I will start with a general introduction, taken from a webinar I delivered recently.

There is a lot of noise around IoT lately. It seems the new holy grail of the technology industry, the panacea that will solve every business pain and drive us to the next point.

All those talks are interesting, but somehow a little bit apologetic, since there are a lot of things still to be evaluated in an IoT world, and some could give us some headaches and concerns.

So let us start by trying to understand what we are talking about when we talk about IoT.

IoT, the Internet of Things, is the extension of the consumerization of connected devices, which will cover much more than we are used to nowadays. The key target of the IoT is the user and his world.

This does not mean that IoT is not about SCADA systems or industrial control systems, or e-government or smart cities. It is all about this and more, but the focal point will be the user, the new hyperconnected guy: Mr Guy Smart.

But aren't we already hyperconnected with our ever-present smartphones, tablets and now smartwatches?

What is the difference between us now and Mr Smart?

The difference lies in the level of devices and systems connected that relate to the new user. Way more than the simple phone and watch: we can think of wearable devices, medical devices, glasses for augmented reality, smart shoes that tell us how we walk, or belts that monitor our waist and diet.

But Mr Smart is not only using those things he wears, he is also living in a hyper-connected world: driving a smart car (autonomous and more...) on smart roads, with intelligent traffic lights, in a smart city where he finds his smart home.

All connected, all sharing information, all dynamically changing status upon the user's request and the context.

A way to live quite different from our current way of life, since everything can modify its behaviour according to the heat of the moment.

All this looks wonderful: a personalized environment that follows our needs and provides us a completely new experience. A new industrial revolution able to shape our needs, our thinking and our way of life.

But is this real? How far are we from this?

To understand what all this means we should start from the definition of the Internet of Things. A good definition is the following:

The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.

According to most analysts this is the main trend we should expect in the next years.

All analysts forecast billions of devices connected, a great hope for a growing business...

  • But is this coming without a price?
  • Is this so easy to achieve?
  • What are the consequences?


IoT is a great opportunity, but it is also something that should make us think about the consequences. As with everything there is always a price to pay, and we should understand what this price is.

I will try to give a short description of 5 aspects related to IoT that we should take care of:

  1. Security
  2. Privacy
  3. Infrastructures
  4. Business Models
  5. Culture

IoT and Security

I know that security is on everyone's lips recently; the rise of cyber crime and cyber warfare has put security under everyone's attention.

But yet we are far away from a real understanding of what security really is, and of what doing security means. We usually focus on particular aspects of the security domain, or on specific technologies, forgetting that doing security is a complex affair that deals with behavioural science as well as technology. It is more a process than a product or service.

What should put us on alert is that in an IoT world the dependency of our lifestyle and life on the devices will be so tight that security will assume a completely new meaning for the normal user. We are not talking about an annoying virus on our laptop, but about something that can literally kill us, as in the case of medical devices or smart driving systems.

IoT brings a lot of security concerns, some quite easy to understand, others alas too often neglected. Let us try to name a few:

Hacking

This is something everyone knows: every year the knowledge about hacking rises, as well as hackers' ability. It is a never-ending race. But can we try to imagine what would happen in a world where the number of hackable devices is in the range of billions?

This is something we should take into serious consideration: no OS is secure (sorry Linux, Unix and Mac guys) and we are talking of billions of objects that exchange data, transmit data, manipulate data, collect data through sensors. The attack surface will become incredibly wider, and the result unpredictable.

The classical reactive approach of OS designers has to be radically modified, since this can be the door to hell. A new security design approach is needed. And don't think for a moment that IoT devices will have few lines of code and therefore be easy to secure. Even the smallest, simplest device will have its sensors and will have to communicate data and receive orders (otherwise it would not be SMART), so there is nothing like a simple OS here. Besides, the smaller the OS, the harder it can be to secure and patch it: in bigger environments it is a common operation to wrap the vulnerability into something that somehow solves the problem, but will this be possible in the smaller IoT OS?

Cyber Criminals

And if the hacking surface grows, we can also expect criminal activities to grow and find new ways to monetize the risks.

For those who work in the cyber security arena, it is well known that cyber criminality moves more money than the illegal drug and weapon markets. This can only grow, making cyber crime more important than ever. And when something is so important, corruption and collaboration between the underworld and the official world are to be expected.

So IoT brings with it great concerns from this point of view.

Cyber Warfare

But if it is not a criminal organization, it can be a government. Do we really think that this will be an area where governments will not play a part? Do we realize that IoT will be tied to our lives and our productive environment? So targeting the IoT could harm a country more than a conventional war, blocking its productive system.

Science fiction? Try to remember Stuxnet and maybe we can agree that this is a plausible scenario: a country that attacks the IoT infrastructure in order to harm another country.

And if it is not a state or a government, it can be a terrorist organization, activism...

Geopolitical Issues

And if it is not on purpose, maybe the system can be harmed by geopolitical issues. In a hyperconnected world damage can be done even when targeting something else.

Censorship

Let's take censorship as an example. We may not realize that censorship can harm the functionality of a device; after all, we are not talking about Twitter or Facebook, but...

Take your Android phone and go to China, for example, and you will see the effect of censorship on IoT directly. Your wonderful Android functions and services will not work, since Google has been banned from China for censorship reasons. (Sure, you can use a VPN, but please, try to see the picture here.)

Errors and Incidents

And even if it is not on purpose, accidents and errors can harm the system anyway, probably in ways we still don't see at the moment, due to the complex nature of the various interrelationships between the objects.

Compatibility

And if it is not errors or incidents, the harm can be done by compatibility issues. After all, you will want to change objects or locations from time to time. Some IoT objects will travel with you, and compatibility will become a great issue.

What if you change medical device provider and the new one does not support the vital data taken by the old one? Or if you go to a place that does not allow the same level of communication (maybe because encryption is not allowed there)?

What More?

Many other scenarios related to IoT and security could be recalled; this is not an exhaustive list, but it is enough to make the point: security is a serious issue in an IoT world.

The classical approach that considers security an "add-on" to IT and a business burden to be avoided has to change dramatically. Security must become part of normal thinking, because the risk is higher than ever.

When considering IoT and security, ask yourself:

  • Would you drive, or feel safe, in an easy-to-hack car on an easy-to-hack road?
  • Would you like to depend on an easy-to-hack medical device?
  • Would you like to count on a hackable safe city system?
  • ….

We have to realize that security is important in all realms.

It is not just a product add-on (the antivirus...); we will have to deal with new things like:

  • Operating system security
      • Vendor security approach
      • Service provider security
      • Supply chain security
  • Authentication
  • Communication security
      • Reliable
      • Protected
  • Compatibility
  • Open source vs. legacy code
  • Vulnerability management and vulnerability disclosure policy
  • Communication of hacking incidents
  • Training and awareness
  • Reliability

Alas, we are still far from the finish line.

Next post I will talk about Privacy in the IoT


The IoT Files – intro and security was originally published on The Puchi Herald Magazine

IoT, Internet of Things or Internet of Terror?


Why we all talk about IoT

I know there are a lot of good reasons to love the IoT, or IoE (where E stands for Everything), idea. I can highlight a couple: business and an easier life.

The business behind IoT

The first point is quite clear: the tremendous growth of smart devices has created a new business that has gone beyond any analyst's prediction. Nowadays it seems impossible to imagine a world that is not interconnected. Anyway, there are still great areas for improvement in terms of the quality of the services provided and the share of the population covered.

Source: Euromonitor, ITU, US Census.

If we take a look at the growth of internet users from 1995 to 2014 we can perceive the dimension of this business. But we can also see that the majority of the population is still not connected to the internet. Even in the most developed countries the digital divide is a sensitive matter of discussion, separating the digitally literate from the digitally illiterate.

IoT can dramatically improve this market, while making the separation between the digitally connected and the unconnected wider. Some efforts are made by governments or private companies to cover this gap; I think, as an example, of the UK effort to cover rural areas or the Indian project to bring free internet to poor and undeveloped areas. But those efforts are somehow inadequate to cover the great part of the population that is not connected. And even in developed countries like Italy, the digital divide is still not perceived as a problem.

This although statistics tell us that the digital economy can improve companies' revenue and the way of life of the population, but at the same time it requires skills and infrastructures that, in many cases, are still obsolete.

Source: Morgan Stanley, Capital IQ, Bloomberg. Note: Market capitalizations are as of May 22, 2015 and December 31, 1995, respectively

It is interesting to notice that China and the USA occupy the top positions: two countries that have heavily invested in developing such technologies (the USA as historical leader, China as the underdog working to close the technology gap).

Not to mention the other Asian technological giants, Japan and Korea, which have anyway been able to capitalize on this growth.

Now it is clear that to maintain this trend we have to offer something new, and IoT is a good instrument to allow solid growth in a market that is starting to show a little slowing:

Offering new services is the key to maintaining solid growth. And IoT, from this point of view, promises tremendous growth: from domotics to cars, from wearables to control systems, IoT can expand exponentially the business related to the internet.

Can IoT makes us live better?

But does this mean we can have a better life? This is questionable, of course, but overall the life experience with the internet is way better than without. We get access to more services, more communications, more information. Of course all of this has a cost; we are still building the cognitive infrastructures to manage this enormous flux of information, but it is beyond doubt that wherever the internet arrives there is, from a social point of view, a dramatic change in the usage and customs of the population. Sometimes this leads to nasty behaviours, I know, but at the same time it lets ideas spread, and ideas are like a virus: hard to stop once they find a channel of infection.

It is no coincidence that the diffusion of the internet saw a revamp of censorship efforts by governments, as well as efforts to regulate and control this communication (even without the citizens' acknowledgement; think of PRISM as an example). But I will come back to this later.

Anyway, it is clear that people who have access to the internet can enjoy and use a wider range of information, services and tools that people without the internet can't have. This alone is a good justification to affirm that IoT can be a powerful instrument to improve our lives.

Think about smart objects that can help you with the most tedious daily tasks, or give you some fun and relaxation to improve your quality of life, or help you better manage resources so you can make savings...

What challenges ahead

So this is the picture: a great business chance and a great life improvement, as the internet has shown it can provide.

But is it possible right now? What are the challenges?

To Connect or not to Connect?

Well, there are a lot of things that have to be clarified around IoT. First of all the business model behind it: who will pay the bill?

IoT means objects always connected to the internet, able to communicate with each other and with their owners and, maybe, with something else. A great flux of data that will flood our already congested networks. Connectivity is one of the main limits of the IoT approach at the moment.

While we like to think connectivity is not an issue, we have to realize that, on the contrary, the issue is quite big. And the obstacle is not technological but business related: carriers have to change their business model somehow to allow this growth, and this is not an easy task to accomplish.

There are still great obstacles to a real interconnected world, and some are particularly nasty; think of roaming costs as an example.

Since we do not live in a world where a single carrier perfectly covers all countries, we have to deal with a plethora of carriers that each cover an area partially. Some areas are well covered, others suffer bad coverage for two main reasons:

  • Lack of connectivity
  • Congestions

IoT can only increase this problem exponentially. Even in our better connected areas we can face congestion. One possibility to temporarily mitigate this problem is to allow the device to connect to another carrier if the preferred one is congested, but this opens up the roaming issues mentioned before, as well as the resistance of carriers to opening their networks. And if this is the case in rural, sparsely populated areas, can you imagine what they would say about densely populated ones?

Interoperability and universal access

Let's be clear: if we think we can create an interconnected world with IPv4 we are out of our minds. There is a world of good reasons to think this is a bad idea, and security is one of them. But there are other considerations to take into account: what protocols and services will be necessary for IoT to work?

Just the simplest example. The current DNS infrastructure is not solid enough to guarantee such a device explosion. The hierarchical DNS infrastructure has worked until now, not without some problems. Increasing the load of DNS traffic on a far greater scale would make the situation unstable and put at risk the basis of communication itself: name resolution.

So different ways to resolve addresses have to be implemented. Some effort has been made to implement peer-to-peer resolution, but we are still far from a solid solution that would allow IoT to grow at the desired scale.

It would be too reductive to think that IoT devices do not need a sophisticated name resolution capability. Maybe that is the case now, but we should think ahead to what future improvements could be.

Just as an example, think of a medical device connected to a person who is travelling. It might be useful to allow this device to connect to the closest interface when something happens to the person wearing it, and that interface can change depending on the kind of analysis the device is able to do. It could be a pharmacy, a hospital, a doctor or whatever. Being able to resolve a complex set of names would make the difference between a good device and a bad one. Of course we can ask Google to do all the job for us and let them decide the next name resolution technologies we want, unless you live in China, where Google services do not work.

DNS systems have demonstrated their limits several times in recent years, and they are also subject to geopolitical crises that could badly interfere with an Internet of Things enabled world.

From a technological point of view the biggest obstacle is still the operating system under which this IoT will run. Actually it makes no sense to think about a single OS; it would be inapplicable (although some governments would like this approach), so we will have a plethora of different OSes running on small machines able to perform complex activities and to connect in a quasi-autonomous way. Interoperability and standardization will be imperative to avoid chaos, as well as some general agreement on a minimum level of security features related to data acquisition and transmission (including what kinds of sensor are allowed), authentication and so on.

There are concerns about privacy, about the kind of data processed and about security even today; can you imagine what it would be like to be spied on by your refrigerator?

But networks can also become our bottleneck, as mentioned before. Being able to set up enough bandwidth and quality of service is mandatory. And I can only imagine the workload that border routers, firewalls and other network gear will have to deal with.

I wonder whether carriers are preparing themselves to face this change (I can't see good signs at the moment, honestly).

Why IoT scares Me

I confess I am scared by the IoT affair. And there are good reasons, all related to security and privacy. My concerns are various and cover a lot of aspects.

From a security perspective I can start from the basics: the operating systems that will run on those things.

I am aware that most of the code will be written in C or assembly-like languages, and this opens a world of vulnerabilities, since coding in C allows you to do basically everything with memory and devices and, as a matter of fact, exposes the device to your errors. The buffer overflow is a typical example: this vulnerability is generally the result of a missing bounds check in C code, often at driver level or in the code that parses incoming data, where speed and efficiency are mandatory and so checks are not always implemented.

A small lightweight OS would be prone to this kind of error, since it would not implement security controls (memory protection, exploit mitigations) on top of the driver set.
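As an added example (not code from the original post), here is the kind of defect described above, written in C: a parser for a hypothetical sensor frame that trusts the length byte received from the wire, next to a hardened version that checks every offset against both the destination buffer and the received frame before touching memory. The frame layout, the field sizes, the `reading_t` struct and the function names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical sensor frame format, assumed for this example:
 *
 *   byte 0       : sensor type
 *   byte 1       : name_len (number of name bytes that follow)
 *   bytes 2..    : name (name_len bytes, not NUL-terminated on the wire)
 *   next 2 bytes : reading, big-endian signed 16-bit
 */
#define NAME_MAX 16          /* room for 15 characters plus NUL */
#define HDR_LEN  2
#define VAL_LEN  2

typedef struct {
    char     name[NAME_MAX];
    uint32_t canary;         /* sits right after name, so an overflow is visible */
    int16_t  value;
    uint8_t  type;
} reading_t;

#define CANARY 0xDEADBEEFu

/* Vulnerable: trusts the length byte from the wire. A name_len >= NAME_MAX
 * writes past `name` into whatever follows it (here: the canary), and a short
 * frame makes the value read run past the end of the received buffer. */
int parse_reading_unsafe(const uint8_t *frame, size_t frame_len, reading_t *out)
{
    if (frame_len < HDR_LEN)
        return -1;
    size_t name_len = frame[1];
    out->type = frame[0];
    memcpy(out->name, &frame[HDR_LEN], name_len);   /* no bounds check */
    out->name[name_len] = '\0';                      /* may write out of bounds */
    const uint8_t *v = &frame[HDR_LEN + name_len];   /* may read past the frame */
    out->value = (int16_t)((v[0] << 8) | v[1]);
    return 0;
}

/* Hardened: every offset is checked against both the destination buffer and
 * the received frame before any memory access; a malformed frame is rejected. */
int parse_reading_safe(const uint8_t *frame, size_t frame_len, reading_t *out)
{
    if (frame == NULL || out == NULL || frame_len < HDR_LEN + VAL_LEN)
        return -1;
    size_t name_len = frame[1];
    if (name_len >= NAME_MAX)                          /* leave room for the NUL */
        return -1;
    if (frame_len != HDR_LEN + name_len + VAL_LEN)     /* exact length, no trailing bytes */
        return -1;
    out->type = frame[0];
    memcpy(out->name, &frame[HDR_LEN], name_len);
    out->name[name_len] = '\0';
    const uint8_t *v = &frame[HDR_LEN + name_len];
    out->value = (int16_t)((v[0] << 8) | v[1]);
    return 0;
}

int main(void)
{
    /* Constructed frames: a well-formed one and one with an oversized name. */
    const uint8_t good[] = {0x01, 4, 'T', 'e', 'm', 'p', 0x00, 0x17};   /* "Temp" = 23 */
    uint8_t evil[HDR_LEN + 19 + VAL_LEN] = {0x01, 19};
    memset(&evil[HDR_LEN], 'A', 19);

    reading_t r = { .canary = CANARY };
    if (parse_reading_safe(good, sizeof good, &r) == 0)
        printf("safe   : %s = %d\n", r.name, r.value);
    printf("safe   : oversized frame -> %d (rejected)\n",
           parse_reading_safe(evil, sizeof evil, &r));

    r.canary = CANARY;
    parse_reading_unsafe(evil, sizeof evil, &r);       /* overwrites the canary */
    printf("unsafe : canary %s\n", r.canary == CANARY ? "intact" : "OVERWRITTEN");
    return 0;
}
```

Build with `cc -Wall sensor_frame.c && ./a.out`. Given the oversized frame, the unsafe parser silently overwrites the `canary` field placed after `name`; on a libc built with `_FORTIFY_SOURCE` the run aborts with a buffer overflow message instead, which is the same bug caught at runtime by the platform. On a small device without memory protection, the bytes past the buffer would be whatever the firmware keeps there: a return address, a key, the next reading.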

Let's then talk about authentication, another difficult realm to address. Authentication is of course related to the service provided: less important services can use a lighter authentication model, but think about medical devices, or cars... would you like to leave your authentication to a username and a 4-digit PIN ("1234", of course)?

But we cannot force our users to remember 150 hexadecimal digits either, right?
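As an added example (not from the original post) of what a device has to wrap around a short PIN for it to survive at least online guessing, here is a C sketch of that policy: a constant-time comparison so the check does not leak which digit mismatched, a failure counter, and a lockout window. The PIN length, the thresholds and the `pin_state_t` layout are assumptions for this example; a real device would also keep the PIN hashed or in a secure element and would switch to a long random key after pairing, which a PIN alone cannot give you.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIN_LEN         4       /* "1234", the example from the text */
#define MAX_FAILURES    5       /* consecutive failures before lockout (assumed) */
#define LOCKOUT_SECONDS 300     /* lockout window (assumed) */

typedef enum { AUTH_OK = 0, AUTH_BAD_PIN = 1, AUTH_LOCKED = 2 } auth_result_t;

/* Per-device state (assumed layout). In real firmware the PIN would not be
 * stored in clear, and the counters would live in non-volatile memory so a
 * reboot does not reset them. */
typedef struct {
    char     pin[PIN_LEN];
    unsigned failures;
    uint64_t locked_until;      /* epoch seconds, 0 = not locked */
} pin_state_t;

/* Constant-time comparison: always touches every byte, so the time taken
 * does not reveal how many leading digits were right. */
static bool ct_equal(const char *a, const char *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Verify one attempt at time `now` (epoch seconds), applying the lockout policy. */
auth_result_t pin_verify(pin_state_t *s, const char *attempt, uint64_t now)
{
    if (s->locked_until != 0 && now < s->locked_until)
        return AUTH_LOCKED;

    /* The length check is on attacker-supplied data, not on the secret. */
    bool ok = strlen(attempt) == PIN_LEN && ct_equal(s->pin, attempt, PIN_LEN);
    if (!ok) {
        if (++s->failures >= MAX_FAILURES) {
            s->failures = 0;
            s->locked_until = now + LOCKOUT_SECONDS;
        }
        return AUTH_BAD_PIN;
    }
    s->failures = 0;
    s->locked_until = 0;
    return AUTH_OK;
}

/* Worst-case wall-clock time to try the whole 10^PIN_LEN space online under
 * this policy: every MAX_FAILURES guesses cost one lockout window. */
uint64_t online_bruteforce_seconds(void)
{
    uint64_t space = 1;
    for (int i = 0; i < PIN_LEN; i++)
        space *= 10;
    return (space / MAX_FAILURES) * LOCKOUT_SECONDS;
}

int main(void)
{
    pin_state_t dev = { .pin = {'1', '2', '3', '4'} };   /* constructed device state */
    uint64_t t = 1000;

    printf("correct PIN     -> %d\n", pin_verify(&dev, "1234", t));
    for (int i = 0; i < MAX_FAILURES; i++)
        printf("wrong PIN #%d    -> %d\n", i + 1, pin_verify(&dev, "0000", t + i));
    printf("correct, locked -> %d\n", pin_verify(&dev, "1234", t + MAX_FAILURES));
    printf("correct, later  -> %d\n",
           pin_verify(&dev, "1234", t + MAX_FAILURES - 1 + LOCKOUT_SECONDS));
    printf("full online brute force: %llu s (%.1f days)\n",
           (unsigned long long)online_bruteforce_seconds(),
           online_bruteforce_seconds() / 86400.0);
    return 0;
}
```

The lockout turns a 10,000-guess space into days of wall-clock time for an online attacker, which is the most a 4-digit PIN can ever buy: anyone who can read the stored PIN, or a hash of it, tries all 10,000 offline in a fraction of a second, so the PIN must bootstrap a long key rather than protect the data itself.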

Do we want to talk about encryption? I love it as long as it works. But then we discover that encryption is anything but a simple affair and, as with authentication, it has a very weak point: key exchange and key management. Encryption per se will not solve all our security concerns during data transfer, just because in the IoT world we will let the device manage the process, and since the device is prone to errors or hacking, the encryption will be weaker too.

Even the strongest encryption is easy to decipher once you have the key.

I don't know what the computational power of my oven or fridge will be. Considering the growth of processor power we continuously see, it will probably be more powerful than my T440, but I don't expect a fully implemented OS running on it in the next 5 years (but maybe I'm wrong and soon we will have an Apple fridge that downloads our sodas from the i-grocery-store).

And there are also the bad guys to take into account: if we are suffering from cybercrime, cyberwarfare and cyberactivism right now, what will happen in the IoT world?

Let's assume your fridge can do the shopping by itself, because it is so smart that it understands you have finished your eggs, orange juice and milk. It will have your credit card information and will be able to log in to the online shop on your behalf and do the shopping. Great!

But what if someone hacks the fridge and steals your credit card info, or just forces the fridge to buy the frozen broccoli that you hate?

Or your medical device reports to your insurance company symptoms you do not have, so that they cancel your contract (don't worry, someone else will come along to offer you a new one, just in case...)?

We can expand those silly examples to the whole scale of IoT and see what kind of playground we are creating for governments, cybercriminals and activists of any kind. I am sure that the NSA and GCHQ guys would be so happy to hack any device they can, just to be sure. So if you buy a kebab one day you are a villain suspected of terrorism... or in some countries if you eat pork, eat meat on a Friday, eat cow...

The Internet of Things, the Internet of Everything, can be a tremendously good thing from both a business and a life perspective, but some cautious remarks should be made before we jump into this mess without a parachute. We are only now understanding the magnitude of the problems that an always connected world can bring us; better be wise and not let others make the choices for us.


IoT, Internet of Things or Internet of Terror? was originally published on The Puchi Herald Magazine
