Protecting Data in the Internet of Things (IoT)

Protecting Data in the Internet of ThingsThe Internet of Things (IoT) or the Internet of Everything (IoE) has taken over conversations in conferences and the media.  Some tout it as the next revolution of the Internet as connected devices communicate in real-time and can make faster decisions than any human.

IoT can refer to things as diverse as automobile sensors communicating with a smart road, an infusion pump that delivers medicine to a hospital patient and wearables like the Apple Watch that collect and communicate your health information.

The devices or things collect data and share it with other devices or systems using either Wi-Fi or other existing networking technology.  The goal is to bring intelligence into everyday activities and enable faster decision making.  This will bring tremendous automation to business and people’s lives, but generate large amounts of data that will need to be stored and processed.  One challenge is how to protect the data that’s collected.

Under the EU Data Protection Directive, personal data can only be gathered legally under strict conditions, for a legitimate purpose.  If you collect and manage personal information, you must protect it from misuse and must respect certain rights of the data owners.  There is no federal law in the United States that is equivalent to the DPD; HIPAA, for example, protects only health information, but not general personal information.  Most states in the US have data protection and/or data breach notification legislation that affects personal information, but there is no consistency.  There is also little protection as information crosses state boundaries.

There are no clear guidelines, laws or regulations on securing data collected from things.  Estimates of devices collecting data range from tens of millions to over 10 billion.  Gartner and others predict that close to 25 billion devices will collect and transmit data by the end of the decade.  If the data is not protected and its access controlled, hackers and insider theft could violate privacy rules and potentially cause catastrophic damage.

Data is stored in databases, information management systems or file repositories.  As someone runs a report or otherwise extracts the data, it should be encrypted as soon as it comes out of the system; in the case of information inside a file, it should be encrypted as soon as it’s created.  The system should apply persistent security policies automatically that control access and remain with it regardless of location.  This guarantees that if someone steals the information or has other unauthorized access, they can’t misuse it.  With all the recent cyber attacks, its evident that nation-sponsored groups, independent hackers, terrorists and other bad actors will eventually come after this data.

The future of IoT looks promising, but so is the potential for data breaches and misuse.  If you collect or process data gathered from internet devices, you should examine how to protect and control this growing amount of data.  Use a data-centric approach to ensure that you always control access to the data.  This guarantees that only authorized users can access the information and that you will comply with current and proposed regulations around data security.


Photo credit Betsy Weber

Book a meeting