Dynamic authorization with attribute-based access control allows agencies to securely share IoT data by only allowing authorized users access to sensitive data under the right conditions.

This article originally appeared in GCN.

How agencies can control access to IoT data

BY GERRY GEBEL | MAY 09, 2019

Mobile devices, embedded software and internet-of-things sensors are now used almost everywhere – in automotive systems, industrial control, health care, construction and climate monitoring. IoT devices and smart technologies are now slowly emerging in the government  sector, providing significant opportunities for agencies to operate more efficiently and effectively.

IoT devices collect data that is moved into a storage platform from which users can run analytics to generate insights on anything from productivity and security to perfecting processes, reducing costs, creating new services, protecting public health and safety and so much more.

Due to the quantity of data that is collected in IoT networks, data lakes often are used to help speed processing. By storing IoT data in data lakes where data is stored in its native format until it’s needed, it’s easier to apply machine learning and other analytics to capture real value, provide unparalleled intelligence and increase visibility into the data.

IoT opportunities for government

IoT has significant potential to enhance a variety of government services as outlined in this Deloitte research. With data from GPS sensors on public transportation, city transit agencies can monitor trains and buses to provide more accurate arrival times to commuters. In addition, swipe card information from passengers boarding trains or buses can be analyzed to determine peak use times and ensure more trains and buses are available during busier hours.

Health care agencies can automate medication dispensing to ensure that patients get the correct doses. Wearables and other medical devices can monitor people with chronic conditions like diabetes or heart disease and send alerts if a patient’s device detects an abnormality. Similarly, environmental protection agencies can use IoT sensors to detect leaking oil pipelines and catch spills before a disaster occurs. They can also monitor pollution or seasonal pollen levels.

Possible IoT use cases for the government expand far beyond public transportation, health care and environmental protection. With so much sensitive data being collected, IoT raises critical security and privacy concerns that government must confront head-on.

IoT privacy and security worries

As agencies analyze massive amounts of data generated through IoT devices, it is vital to secure access to and the content itself from unauthorized access.

With so much data at stake, heightened awareness of data privacy issues is essential.

Citizen privacy can be compromised if data is given to the wrong person at a government agency or if data is not sufficiently anonymized, masked and redacted when shared across agencies.

Other critical considerations are the where and how of IoT data storage. Data storage systems are rapidly evolving. Most are deployed in the cloud, on platforms that have a variety of security capabilities to protect the IT system and its contents. With so many moving parts, it is difficult to keep data systems properly configured to prevent unauthorized access to the data.

Agencies need finely grained access control to protect data lakes and other data storage systems as the flow of IoT data increases.

Implementing a flexible access control solution

One technology government agencies are implementing is dynamic authorization delivered with attribute-based access control. ABAC is a data access control model that allows agencies to securely share IoT data across multiple agencies by only allowing authorized users access to sensitive data under the right conditions.

Dynamic authorization leverages a policy-based approach to govern who can and cannot access certain information under what conditions. Agencies can build policies using attributes that help define precise situations in which access should be granted. This standards-based protocol is supported by a  rich policy language to decipher policies and rules and is also supported by guidelines from the National Institute of Standards and Technology.

Dynamic authorization also enables explicit policies allowing for many diverse inputs into an access-control decision, providing an extensive set of possible combinations of those variables to reflect a wide range of possible rules, policies or restrictions on access. This is all done in real time to provide the level of service required by today’s users. A dynamic authorization foundation is critical for securing sensitive data generated through IoT devices.

The potential of IoT devices to improve government services cannot be understated. Still, agencies lag far behind the business world when it comes to leveraging IoT data. Before government agencies can catch up, they must familiarize themselves with the resources needed to secure their IoT data stores properly, including dynamic authorization.

 

About the Author

Gerry Gebel is vice president of business development at Axiomatics.