There is no privacy without security
These are exciting technological times in Ireland. As a finalist in the 2017 World Smart Cities award, Dublin is now firmly on the map as a global leader in smart urban solutions. Gemserv’s Sarah Fuller writes.
With National Geographic naming Dublin as a capital for the Internet of Things, and IDA Ireland successfully attracting investment and encouraging indigenous innovations by promoting the country as the most connected place in the world, 2018 will be the year in which we will see the Internet of Things (IoT) reshaping the business and home environments.
Perhaps what is most astonishing is the projected rate at which the IoT will grow, not only in Ireland but globally. 2017 was a big year for connected devices, with an estimated 8.4 billion devices, a number that is set to grow to 20.4 billion by 2020. Whilst this growth will undoubtedly bring a myriad of innovations, there is one lingering question: with the lack of a defined security standard for the IoT, what is happening to the data?
One answer may lie with the General Data Protection Regulation (GDPR). May 25, 2018 will mark the introduction of the biggest shake-up in data privacy laws since the 1990s. As the GDPR comes into effect, it is important that IoT businesses address their security challenges to effectively enable privacy. Imagine the GDPR in the context of the poem by Rudyard Kipling: “I keep six honest serving men (they taught me all I knew); Their names are What and Why and When and How and Where and Who.”
The GDPR defines the What (the rights to privacy of an individual), Why (to ensure the right to privacy is enforced), When (we all know when), Where (anywhere in the EU) and Who (all businesses, both in and outside the EU, offering services to EU citizens). Security provides the How.
Now imagine an IoT device that collects personal information, let’s say location data. GDPR tells us that we are obligated to protect that data from the point of collection until its deletion. So how do we protect the location data collected? First, we ensure that no one (other than those authorised) can read it, so we encrypt the data. To encrypt data, we need a secret (or key), and that secret must be known to the data receiver so they can decrypt the data. We now have the data encrypted; no one without the secret can read it. Job done! Except for the fact that we now have another piece of data to protect: the secret. If someone gains access to the secret, they can read our data.
So, we store the secret in a safe. Job done? Not quite. The secret in the safe is not the only copy; there is also a copy held on the device. So now we need to think about how we ensure that the copy of the secret held on the IoT device is secure. And, come to think of it, how do we securely get the copy of the secret from the safe into the device in the first place? This is an example of the mindset that needs to be in place when considering IoT security, and the emergence of the GDPR will aid the transition to this mindset. There is no privacy without security.
For more information:
T: +353 (0) 86 044 1458
E: Sarah.fuller@gemserv.com