Q&A: How to control access to IoT data
To understand more about these security issues, Digital Journal spoke with Gerry Gebel, about how technologies like dynamic authorization can deliver finer-grained access control to protect data lakes as IoT data flows in.
Digital Journal: How important is IoT becoming for businesses?
Gerry Gebel: There are at least a couple ways to answer this question: 1) from the consumer perspective and 2) from a business/industrial view.
For consumers, mobile phones and tablets are already part of the “IoT Culture” – and most businesses support a Bring Your Own Device (BYOD) approach to allowing devices on networks. IoT devices and sensors embedded in a wide range of goods, like connected vehicles, smart home technologies, connected health wearables, connected home appliances, etc. produce huge amounts of data. For companies, this means a different way to store this potentially enormous amount of data is needed, and that’s often a data lake. Businesses analyze and leverage the insights found in this data to make smarter, faster, better business decisions. In addition, this data is extremely valuable and there is a huge incentive to monetize collected IoT data.
On the business/industrial side, IoT systems have been around for decades but they were called something different (such as SCADA systems). What’s new is that modern IoT devices have become commoditized and embedded in almost everything – and they are network-connected. A factory floor can have thousands of sensors for monitoring/controlling temperature, pressure and other assembly line functions. Fleet managers want to track vehicles, the drivers and their mobile devices, as well as monitor the maintenance status of the trucks.
In both the consumer and business cases, IoT devices provide greater insight to device usage, status and other data. Data lakes are required to store massive amounts of data, machine learning and other analytics are applied to the data in search of better business visibility, and businesses want to exploit the data value that has emerged.
DJ: What are businesses doing with the data?
Gebel: That depends on the industry. In manufacturing, businesses are using IoT data to help manage and track inventory changes to help solve inventory related challenges. Some use cases require granular control of access granted based on actions the user has taken previously. For example, factory sensors have permission settings for individual functions like read temperature, set temperature, read pressure, set pressure. Users who can execute these commands are determined by their role in the assembly line and must be applied across potentially thousands of devices in an efficient manner. Other businesses are using IoT data to collect more consumer information to understand product usage patterns, to uncover the customer lifecycle, better understand consumer demands, enhance the customer experience and ultimately, make the right offers to the right customers.
DJ: Are most consumers aware that data is being collected?
Gebel: To some extent, most consumers understand data is being collected on them, and the recent GDPR compliance activity has given consumers more control over their communication preferences – and the right to have their data expunged from a company’s network. Awareness is growing in Europe, however, a significant portion of consumers aren’t aware of when and how it is being collected and what that data is being used for.
DJ: Does this process generate data privacy concerns?
Gebel: Absolutely. As more data is generated through IoT devices, it becomes increasingly important to share that data securely across an enterprise to generate analytical insights, which of course comes with privacy concerns. And with so much data generated through IoT devices, companies must control who can and cannot access that data.
The collected data is extremely valuable, both in its raw form and in the business intelligence derived from analysis. Consumer privacy is potentially vulnerable if data is exposed to the wrong department within an organization, for example, or if data is not adequately de-identified when shared/sold to third parties.
DJ: Should consumers have more control over their data?
Gebel: In a perfect world, yes! The new GDPR legislation implemented in 2018 goes a long way in enabling the end consumer to have more control over their data. Consent for data usage in a particular context and the right to be forgotten are examples of how GDPR provides more control.
The real key is to have transparency for the consumer: What data is being collected? Can I easily adjust data sharing parameters? What data is the app collecting vs. what data the device itself is collecting? How is this data being monetized? Are there different price points if the consumer disables data collection/sharing? Having these explicit options will lead to a more informed consumer that can adjust to their own privacy preferences.
DJ: How great are cyber security risks?
Gebel: At least two areas are of concern. First is the network connectivity for IoT devices – can your car be hacked or are the IoT sensors in a factory or utility vulnerable to new threats?
Second, where is all this data stored and how is it secured? Data storage systems are evolving rapidly, are commonly deployed in a cloud platform, and use a varying range of security capabilities to secure the data system and the content within. With so many moving parts, it is a challenge to keep data systems properly configured to prevent unauthorized access to the data.
The risk is commensurate with the advances in technology.
DJ: What can be done to ensure data privacy and security are in place?
Gebel: To help protect the data that IoT devices are generating, businesses require finer-grained access control to protect data lakes as IoT data flows in. One example to consider is dynamic authorization delivered with Attribute Based Access Control (ABAC). ABAC is a data access control model that allows organizations to securely share IoT data across an entire enterprise by only allowing authorized users access to sensitive data under the right conditions.