The privacy and security risks posed by the Internet of Things will pose a growing challenge for IT security professionals managing online transactions and relationships in the coming years, ISACA's Robert Stroud says.
The Internet of Things - only 16 percent of respondents to an ISACA survey know what it is - refers to various devices such as GPS systems, electronic toll devices and smart TVs, to name a few, that are connected to the Internet. Cisco Systems estimates that 50 billion objects will be connected to the Internet by 2020.
"One risk is going to be privacy," says Stroud, chair of ISACA's COBIT Growth Task Force, in an interview with Information Security Media Group (see transcript below). "Who has our information and how are they using it?"
ISACA, an association that develops information systems and security practices and guidance, has issued a new study, Risks and Rewards of the Internet of Things, which shows the shift in perception about risk and privacy as the world becomes increasingly connected through the Internet of Things.
"As this Internet of Things starts understanding the inter-relation of things, your data privacy is going to be a real issue in terms of understanding who has it and how they're using it effectively," Stroud says.
Managing the vast number of devices connecting online will be a key hurdle to overcome. "In the Internet of Things, we're going to be making connectivity or decisions on identity by a set of inter-connected objects," Stroud says. "This requires the effective identification of the consumer of the service."
In the interview, Stroud discusses:
- Benefits and risks to individuals and organizations posed by the Internet of Things;
- Governance challenges the Internet of Things presents to enterprises;
- Safeguarding privacy.
Stroud is a member of ISACA's Strategic Advisory Council. A past international vice president of ISACA, he serves on ISACA's Framework Committee. Stroud is also a governance evangelist as well as vice president of strategy, innovation and service management at CA Technologies.
Defining the Internet of Things
ERIC CHABROW: ISACA decided to use this year's barometer to explore the Internet of Things. The Internet of Things is more than just various devices, GPS systems, electronic toll devices and smart TVs connected over the Internet, right?
ROBERT STROUD: Yes. The Internet of Things is becoming a total inter-connected web of devices that we all deal with every day. We're all very familiar with the basic things that we've got, like you just mentioned. We're seeing more of that. We're seeing homes connected on the Internet of Things, our vehicles ... and things that we buy in stores, a virtually and totally inter-connected world.
Lack of Awareness
CHABROW: Your survey shows that fewer than one in five Americans are familiar with the term "Internet of Things". From the security, risk or privacy perspective, should that unawareness matter?
STROUD: I'm a glass-half-full person, so I like to look at the side of the coin where people are aware of it. But the reality of it is that people should be aware that the Internet of Things is coming into their lives and it's going to be something that's going to be an opportunity for them to do things faster and cheaper. On the converse side, it's going to be an area where they're going to have to watch some things like privacy issues. What's happening with their information? Is their identity secure? Like you would manage your identity today, you're going to have to look at that in the future.
Then there's the other aspect of security. You might want to be concerned about some aspects of people knowing about the security of your devices, and the total dependence on the Internet of Things that may follow will lead to some interesting comparisons of safety vs. realities as we move forward into the future, how these devices connect together and the outcomes of that inter-connectivity.
Providing Personal Information
CHABROW: I guess it's a new way of thinking. I'm aware of what I do when I use banking. When I use Netflix, to me it feels like I'm using cable; but in reality I'm using one of the Internet of Things, my smart TV, to access information which may be a show. But there may be also information about me out there, right?
STROUD: Absolutely. If you think about it today, many of us give away our personal information anyway when we sign up on a website or we subscribe to systems. There's an interesting trust aspect there. You trust that the provider of that information will not use it in a way that's inappropriate. Sometimes that trust is well-founded, and other times it's not. Right now, there are a number of IT professionals who say that the biggest concern related to the Internet of Things is they don't know who has access to their information. Secondly, how they use that information is going to be a real concern as we move forward.
Benefits of the Internet of Things
CHABROW: Let's discuss a little bit the risks and benefits organizations face with the Internet of Things. First, what are some of the benefits for an organization?
STROUD: As you talk about the benefits, you're going to look at a number of things as you move forward. One of the things you're going to be able to look at is greater efficiency. We can start to streamline our processes so that we've got devices and processes which are connected together and can communicate and collaborate. We can take the streamlined processes and actually be more efficient in organizations.
The second thing - and this is really reinforced by the survey - is the fact that you've got increased customer satisfaction. In delivering these services, we can do things like communicate better with our recipients about goods and services. We can set expectations which ... are effectively managed. That leads ultimately to the third benefit enterprises are looking for, which is improved services. I think that's a key driver of what we're looking for as we move forward.
CHABROW: What are some of the risks associated with it?
STROUD: There are some interesting risks. ... The first risk is going to be privacy. That's one that we're all becoming very aware of and the global survey talked about that to a large extent. Who has our information and how are they using it? Are they sharing it? Are they not? If you think about online information today, most of us have an option to opt-in or opt-out as we give out our information online. As this Internet of Things starts understanding the inter-relation of things, your data privacy is going to be a real issue in terms of understanding who has it and how they're using it effectively. The second thing I like to talk about is identity and access management issues.
CHABROW: Before we get into that, can you address a little bit what the organization's responsibility is toward privacy?
STROUD: I think organizational responsibilities, whether implicit or explicit, are on the fact that if they've got your information, they should be effectively managing that information, securing that information and ensuring it links into the second one, which is identity, ensuring that the right person has the right information and the right components are connected together. In my mind, an enterprise has a duty of care if they have that information to ensure that information is well-protected and not available to third parties for inappropriate use.
Identity and Access Management
CHABROW: You were starting to discuss this, but I don't know if you want to go further with access and identity management?
STROUD: If you think about it, one of the things we need to do is have valid identities. All of us have passwords today and we leverage and use passwords. Now we might argue that the passwords are an inappropriate device in terms of ensuring that we have the right level of access to information. In the Internet of Things, we're going to be making connectivity or decisions on identity by a set of inter-connected objects. This requires the effective identification of the identity of the consumer of the service; if that information is on that person, we've gone through the right steps to understand who that person is. Then, how do we change that information? How do we update it? How do we keep it current and fresh? ... What's going to happen in the world of the Internet of Things is there are going to be many devices that actually don't have personalities, but will be connected in some structured way. I think that's a key aspect of what we want to know and how we're going to manage this in the enterprise space.
CHABROW: We've had devices connected through the Internet as long as the Internet has been around. What's different today about that and how does that play into risk and information security?
STROUD: We absolutely have had the Internet around for a long time. What's happening today is in the past we didn't have the volume of information and the connectivity of devices to such a level that we have today. We have both intelligent and unintelligent devices on the Internet of Things. We need to understand this intelligence, this volume of data, and be able to correctly form this relationship so that we understand the entities and how they impact the end user and the consumer of whatever the goods and services are. That's going to be a key aspect.
There's a large amount of data. It's this fact that we're going to have devices that are both intelligent and unintelligent, all working together, all there to deliver goods or services. We need to understand how those things are going to be connected because we're effectively going to be trusting them to deliver us a good and service, and this is going to be very complex. It's going to be very hard to reconstruct these relationships if we go backwards to look at all the components that go together to come to an end-outcome.
CHABROW: Sounds like big data is a very big aspect of the Internet of Things.
STROUD: Big data is definitely an aspect of where we are, and one of the things I often talk about is enterprises really need to prepare for the large volume of data that's going to come with the Internet of Things. One of the interesting points I got out of the survey is that only four percent of the respondents said that they were extremely prepared for big data, the levels and volumes of data they're going to be dealing with. That will be an interesting one for us as we move forward as IT professionals.
CHABROW: What are some of the big governance challenges organizations face?
STROUD: In terms of governance challenges, we need to look at the three things that I've talked about before. What are the security threats? Where are they? Where are the vulnerabilities? How do we effectively identify them and ensure that, where appropriate, we mitigate those threats?
Second, let's help with privacy. Privacy is an issue that's going to be something that we're going to need to manage. People are becoming aware of privacy and the way that the privacy issues are going to impact them, which is great. We still need some more awareness in privacy.
The third thing is how we ensure that we solve these access management issues. We've got to ensure that we identify identity correctly and we manage the appropriate access to make sure, as I keep telling people, we access the right things at the right time. One of the things I often talk to people about is that the Internet of Things is just another opportunity for us, and the work we've done on governance and governance structures in the past is very applicable here and can really help us ensure that we have the right balance of risk and reward.