The secret key to the Internet of Things

By Nancy Zayed and Sam Shawki

In 2000, Professor Neil Gershenfeld, director of MIT labs, published a book called “When things start to think”. While it was more about artificial intelligence, it had a lot to say about wearables and their ability to sense, respond and communicate with their environment.

We are not yet at a stage where your coffee pot can recognize your mug and then serve a hot beverage at your preferred temperature, as the book predicted, but we are getting close and, as usual, with a little bit of a twist.

Today it’s not just the Apple Watch that represents these smart devices. Larger objects weighing several tons and moving at 60 miles an hour, like our cars, will need to communicate with all kinds of other objects, large and small, stationary or moving at high speed. Moreover, the line will continue to blur between enterprise and consumer and across countries and borders.

“Recent research by Earl Perkins at Gartner indicates that, by year-end 2017, more than 20% of enterprises will have digital security services devoted to protecting business initiatives using devices and services in the Internet of Things”

While many are addressing the security aspects of the Internet of Things (IoT), most are focused on the same old concerns from when the internet became a commercial entity. These are usually the typical enterprise concerns: perimeter security using firewalls, VPN, denial-of-service prevention policies and procedures, CTO/CISO, budget and focus, employee training, review and update of network architecture, etc.

While these are all good practices, they are really reactive to things we learned from an earlier era. The problem is that, in internet time, this was enough a million years ago.

From digital commerce to Internet of Things

Several industries lead the way when it comes to securing transactions, validating identities, and orchestrating authentication and trust. One that we know all too well is the digital commerce industry. Recent advances in hardware-rooted security, tokenization, Host Card Emulation (HCE), and the more promising advances in software-rooted security are promising to be extremely useful for IoT. Think about Apple Pay for a second: it uses some of these new advances and enables your finger to be scanned by your phone, which then talks to the cashier's point-of-sale system, which in turn starts a quick conversation with both your bank and the merchant’s bank. Through the channels of Visa, Amex or MasterCard, in milliseconds identities are verified, devices are authenticated, accounts are checked, limits are analyzed, rates are set, fees are deducted and finally a digital transaction is concluded. This is an Internet of Things scenario that will be followed by many others, where cars, TVs, pots and pans and maybe even shoes can be party to a secure digital conversation.

A new connectivity paradigm, a new security paradigm

For all these devices coming out of different industries to converse, new protocols and standards have to be developed, and a new vocabulary needs to be created, or at least new extensions to an existing set need to be in place. Expect to see many players trying to position themselves for this new paradigm. Many in digital commerce are actually well positioned to do so.

It is all about freedom of ownership, which means it is all about software

The security part, however, may need to come from outside those players. Given the diversity of the objects or “things” that make up the Internet of Things, most use cases are going to be harder to implement than Apple Pay, where security is somewhat hardware bound and owned by one party: Apple.

For IoT security to work, it has to have ubiquity, transportability across devices and operating systems, and freedom of ownership, with freedom of ownership being a crucial part. Just think of a case where your iPhone needs to talk to a GE medical device, do a Google search, then relay a message to your brand new Jaguar, which needs to double check with your wife’s BMW before connecting with a certain doctor’s Galaxy tablet so that you can be at the hospital in time for your grandchild’s birth. More complex and unexpected scenarios will be possible. Check Libelium's smart world infographic in higher resolution here.

For this to work, neither Apple, Google, GE, Ford, BMW, Samsung, nor Jaguar can hold a secure solution hostage based on owning a chip, a device, or a phone. In other words, Internet of Things security has to be mostly in software that is common across devices, or that at least has a standard set of common APIs across such devices.

So who has the key?

Who is great at orchestrating secure transactions among many devices made by many manufacturers across countries and borders? Very few players: mostly the credit card networks and their layers of security and technology suppliers, especially the up-and-coming software security players that may become the next big thing of the Internet of Things.

Sam Shawki, CEO, and Nancy Zayed, CTO, are founders of MagicCube, a digital commerce security start-up based in Sunnyvale, CA. Nancy is an expert in mobile devices, having spent the last decade working on the OS group at Apple. Sam has led several payment companies throughout his career, and most recently he led the Global Remote Payments area at Visa Inc. You can find both on Twitter: @sshawki and @zayena.

Andrea Masnata

VP Finance at emnify

9 years ago

Trond's point about "already compromised network elements" is key. Of course the hardware and software architecture and its parts need to be secure. But nobody can guarantee there won't be failures. Hence the need of dedicated anti-fraud monitoring systems, continuously sniffing all transactions in search of anomalies. Telecom operators run similar solutions, but their approach might need to evolve and be adapted to the new IoT reality.

Mai E.

executive director

9 years ago

not only very interesting Trond Johannessen but so recognizable; so how do we go about achieving the change (needed) we are already long into the transition time of things (within all aspects not only the "internet"-related) and there is no turning back in my humble opinion - at the same time you start to notice the cry for a more personal touch and at the same time people tend to "change" slower (conditioning) than application, internet and all of the above require - looking forward to your valuable comments

Trond Johannessen

Venture Developer, Board Member, Pre-Seed Investor

9 years ago

Network access, applications access, storage access, access device control, identity – so many points where security breaches occur. Sometimes the best way to rob a bank is 11 people with Kalashnikovs on the freeway, taking down the security van. I think the internet was a nice demo. Now that we're sold on its advantages, and aware of its risks - let's build the Internet!

Trond Johannessen

Venture Developer, Board Member, Pre-Seed Investor

9 years ago

Which leads me to a point: security and identity are two concepts tightly coupled. The internet has grown to be a bit of an offshore Platform, a cyberspace where anything goes. When we try to integrate our complete lives with the internet, and not only our frivolous moments, identity becomes crucial. It is a dual sword, as the same identity verification that allows us to command our own assets allows others to track us and find us. If you are lost under an avalanche, you want to be found. If you caused the avalanche, maybe not.

Trond Johannessen

Venture Developer, Board Member, Pre-Seed Investor

9 years ago

The credit card companies have by their nature been able to provide relative security, but as the net grows, and more people are trained in its intricacies, the percentage of crooks present in the general population also have their representation on net, and these are increasingly inventing new ways of compromising any security arrangements. We read about how card details are stolen from databases, so I cannot possibly think of security and credit card companies without thinking that more needs to be done. Until recently, contact center databases were stolen for voice recordings of credit card security codes.
