I’m excited to have a guest on today’s blog – Craig Spiezle, the Executive Director and President of the Online Trust Alliance (OTA). The OTA is well known for its online security initiatives, including Data Privacy and Protection Day and the annual Online Trust Audit and Honor Roll, and earlier this year announced it was expanding its sights to the Internet of Things (IoT).
Their goal is to develop a security, privacy, and sustainability trust framework for IoT devices, with the intention of using the framework as the basis for a potential certification program for IoT devices and their manufacturers. The framework is initially focused on connected home and wearable/fitness technologies. To create the framework, the OTA has created a working group of industry leaders and is holding a series of workshops (the most recent of which was June 16).
A focus on building security and privacy into the IoT? That sounds right up our alley! I was eager to learn more about the OTA’s initiatives, and fortunately Craig was kind enough to oblige.
GlobalSign (GS): How will the OTA’s IoT framework outline the guidance or measurement around a provider's infrastructure security?
Craig Spiezle (CS): We are in the early stages, but need to look at security (and privacy) holistically. For example, how is data stored and transmitted on the device, to a mobile app and then to the cloud service? The general view is the data in transit must be encrypted, the apps hardened against platform exploits, the device protected from sniffing, and the backend must adopt traditional best practices.
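The "data in transit must be encrypted" point above is only met when the client at each hop (device to app, app to cloud) actually verifies who it is talking to; encryption to an unverified peer is interceptable. The following is an added example, not code from the OTA, GlobalSign or any product discussed here: it builds a hardened TLS client context with Python's standard `ssl` module and an audit function that flags the two settings most often disabled in device and app code to silence certificate errors, plus a minimum TLS version requirement that goes slightly beyond the interview's wording. The `ca_bundle` parameter and the idea of pinning the backend's CA are assumptions for illustration.

```python
import ssl

# Added example (not OTA or GlobalSign code). Policy for any hop that carries
# device data: verify the server certificate, verify its hostname, and refuse
# protocol versions older than TLS 1.2 (the version floor is this example's
# own assumption, not a requirement stated in the interview).
MIN_TLS = ssl.TLSVersion.TLSv1_2


def make_client_context(ca_bundle=None):
    """Return a client SSLContext that meets the transport policy.

    ca_bundle: optional path to a PEM file containing the backend's CA, so the
    device trusts only that CA (assumed setup). When None, the platform trust
    store is used.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = MIN_TLS            # no SSLv3 / TLS 1.0 / TLS 1.1
    ctx.check_hostname = True                # default, restated for clarity
    ctx.verify_mode = ssl.CERT_REQUIRED      # unverified peers are rejected
    return ctx


def audit_context(ctx):
    """Return a list of findings; empty means the context meets the policy."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "server certificate not required: an interposed proxy can present any "
            "certificate and read the traffic")
    if not ctx.check_hostname:
        findings.append(
            "hostname not checked: any certificate for any name is accepted")
    if ctx.minimum_version < MIN_TLS:
        findings.append(
            "TLS older than 1.2 permitted: deprecated protocol versions allowed")
    return findings


def weak_context():
    """The 'make the certificate errors go away' pattern the audit should catch.

    Order matters: check_hostname must be cleared before verify_mode is set to
    CERT_NONE, otherwise the ssl module raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Constructed hop names for the device -> app -> cloud flow in the interview.
    for hop, ctx in (("device->app", make_client_context()),
                     ("app->cloud", weak_context())):
        problems = audit_context(ctx)
        print(hop, "OK" if not problems else "FAIL")
        for p in problems:
            print("   -", p)
```

`audit_context` is the kind of check that belongs in a device's or app's test suite: the hardened context produces no findings, while the weak context is reported for both the missing certificate requirement and the missing hostname check, so a regression that disables verification fails the build rather than shipping.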
GS: Can you tell us a bit about the pillars that the OTA's IoT framework is being built around?
CS: We're focusing on three pillars - in many cases the same side of the coin - privacy, security and sustainability. By sustainability, we mean lifecycle issues beyond the traditional product warranty. For example, how will it be patched? What happens if the company is no longer in business?
GS: Where is regulation and guidance most needed as the IoT dream becomes more concrete?
CS: As the IoT continues to grow and develop, its unique characteristics and security concerns are becoming more apparent:
- Highly personal, dynamic, persistent collection and transfer of data
- Reliance on a combination of devices, apps, platforms and cloud services
- Multiple data flows, touch points and disclosures
- Sustainability / lifecycle issues
- Lack of defined standards
Our goal is to define voluntary best practices that a company might assert to. From a regulatory perspective, we expect to see a rush of state laws pertaining to data collection, consumer notice, and control of their data. For example, there may be a move from an opt-out to an opt-in regime.
GS: What do you think are some of the key security mindsets organizations need to leverage when building an IoT solution?
CS: They must look at security and privacy simultaneously. Second, they need to look at the flow of data and touch points, and hold their partners and service providers accountable.
Below are some of the key concerns we've identified for organizations entering the IoT ecosystem, particularly those in the B2C market:
- What will happen to the data you’re collecting and transmitting in the future? There is the potential for unknown secondary data usages with unintended consequences
- Compatibility – does the consumer have the ability to roll back updates and patches in the event the device is no longer compatible with the network or other connected devices?
- The typical cell phone is kept for about two years, while a garage door or thermostat may be for 15 years or more. What is the expected support policy for vulnerability patches? While this is beyond a typical product warranty, what can a consumer expect?
- Are you relying on installers or third parties? What are they doing and setting on behalf of the consumer?
- Similarity to PCI - If you handle, touch, store or transfer credit card information you must be compliant
- Will you have some type of anti-virus solution? How will you prevent your devices from being compromised?
- As more homes are being billed as “Smart Homes” what are the implications when a house is sold? Who has access to the data? What is the process for removing and resetting access to, for example, the garage door, smart devices and thermostat?
- Consumers need to understand key issues pertaining to their data. What happens if they stop using the device? What if they want to change from one fitness band to another? Is the data portable? Is it compatible? Can they request their data to be retracted and deleted if they are no longer a customer? Will you notify them of a breach?
GS: What are some of the key things the industry should be doing to help providers build security and privacy into their IoT ecosystem from the start?
CS: There is a significant need to come together to set and establish best practices. This is especially important given how many non-traditional players are entering the market. A set of standards and guidelines that can be adapted to multiple device types and environments would be a vital asset to these industry newcomers (and veterans alike).
We expect retailers will also want to embrace these guidelines as they evaluate which “smart” products they wish to sell and promote. An independently certified IoT device may win shelf space over one that doesn’t meet established guidelines. Retailers have a significant voice, and they can help drive and accelerate vendors to adopt best practices.
The lack of established standards or guidelines can be a major obstacle for organizations developing IoT ecosystems – how are they supposed to know where to start? We’re very excited to hear that the OTA is taking on the issue, and are eagerly anticipating the resulting framework.
Want to get involved and help the OTA define best practices for the IoT? Their working group is open to all interested parties! Learn more and get the application at https://otalliance.org/IoT.