Let’s be honest. When was the last time you read the ‘Terms and Conditions’ before downloading a smartphone or tablet app? No? Okay, I’ll go first.
I think I saw something about that before downloading a free flashlight app I used to find widowed socks under the bed. Then a couple weeks later this happened:
For Millennials like myself, the “information required” asterisk that accompanies “free” app price tags has, to date, typically carried with it the annoying but tolerable consequences of irritating pop-ups, not-so-coincidental banner ads, or spam emails that are deleted before ever being opened. With today’s smartphone, tablet, and other web-based applications, this is an expected norm. But while we currently assume that regulatory compliance and company reputation provide a level of security to our online interactions and identities, third party advertisers will be the least of our worries in the app-centric Internet of Things (IoT).
For the average person, the IoT will have the greatest day-to-day impact by blending data from multiple sources, essentially creating “personal profiles” that optimize the environment to fit tastes, habits, and schedules. But, for all the potential that melding location, usage, and other types of data brings, it also changes the game from a security perspective in that no longer is just personal and financial data at risk, but also physical infrastructure and devices that could have a direct impact on people’s lives. Take, for example, the possibility of wearable electronics issued to patients after being released from the hospital. They could conceivably:
- Transmit location-based information so emergency services can respond to a traumatic event
- Store and forward biometric, nutritional, and Personal Health Record (PHR) data for remote patient monitoring
- Remotely administer topical or intravenous medication
Patient excluded, four parties could reasonably require access to application data: physicians, emergency responders, insurance providers, and the device manufacturer (not counting business associates that provide billing or legal services). While HIPAA outlines privacy rules for some of the described data, multi-source information could conceivably be accessed regularly by multiple individuals. How can we ensure that only relevant data is available to each entity, and, summoning Edward Snow
den and the Target data breach, that the information provided is securely stored and handled?
This is a big question for the IoT, as it requires enterprise-class application protection that spans from the device to back-end infrastructure. From a software perspective, this requires a layered approach to security that ensures applications are uncompromised from initial execution through future access.
As a widely used and highly scalable software platform, Java has traditionally used a sandboxing approach that isolates application execution within certain processes (so, Location-Based Services (LBSs) in our example could be activated once a biometric alert is issued). However, to manage the complexity of IoT security, Oracle has developed a number of technologies to improve data integrity from edge to cloud:
- Application security (Java Card) –Originally developed to secure sensitive information on smart cards, Java Card technology encapsulates application data within a Virtual Machine (VM) environment that is isolated from the Operating System (OS) and hardware, and uses containers to partition individual applications from each other as well. “Applet firewalls” between various applications are used to monitor and restrict data access from one application to another.
- Device security (Java ME) – The recently released Java Platform, Micro Edition 8 (Java ME 8), was designed for small- to gateway-sized device development, and includes the Security and Trust Services API (SATSA), which is a collection of security-related functionality that includes encryption and decryption, user credential management, and other security provisions. SATSA can also leverage the Java Card Remote Method Invocation (JC RMI) and APDU protocol to communicate with smart cards, which enables a streamlined security and scalability from very small target devices to larger embedded systems.
- Network security (Oracle Identity Management) – For sensitive data being stored locally or in the cloud, Oracle Identity Management is a suite of enterprise-level authentication and authorization controls for information that needs to be accessed remotely and/or by multiple parties. In addition to mobile security features that provide secure application containerization for BYOD-style access, identity governance and access management tools also help simplify regulatory compliance.
The business case for an IoT world
As consumer awareness rises about the risks and rewards of the IoT, comprehensive security will have a greater impact on the company reputations buyers rely on for connected applications; and, without consumer confidence, IoT apps and services will struggle to become the $19 trillion market some analysts project.
On June 17th and 18th, the Internet of Things World conference in Palo Alto, CA is assembling more than 100 speakers from across the embedded industry to define and discuss challenges like IoT application development, and will include keynotes such as “Building the Business Case for IoT” from Oracle’s Henrik Stahl. You can view the event program or find out how to take part at www.iotworldevent.com/register.
If you’re interested in meeting at the show or just want to talk tech, feel free to drop me a line. Meanwhile, I’ll be looking for an app that reads the terms and conditions of my apps, although I guess I’d have to read those terms and conditions too. But nah, they’d at least have to have my best interest in mind, wouldn’t they?
For more on protecting data in the IoT, read “Internet of Things security concerns.“