    Dr Mehmet Yildiz

    IoT Security And Privacy Considerations For Digital Ventures

    2021-04-27

    IoT (Internet of Things) is a complex technology and business domain touching many aspects of technology infrastructure, business applications, and commercial services.

    A symbolic IoT device. Photo by Jorge Ramirez on Unsplash

    Digital ventures use a plethora of IoT devices, process tools, storage, hosting, and consumer products, including customer services. IoT is growing rapidly worldwide and is a substantial contributor to the economy.

    Of all aspects of an IoT solution, security comes at the top of the list. The perception that IoT systems are insecure and easily hackable requires critical consideration.

    This perception and these security concerns are valid to some extent. The consequences of hacked IoT devices and services can be life-threatening. We read bad news in the media about them in the nascent stages of IoT. However, IoT service providers have made substantial progress.

    In addition to security, the other concern for IoT solutions is privacy. In IoT solutions, security and privacy go in parallel. While we are analyzing and validating the security requirements, we also need to consider the privacy requirements.

    New IoT solutions are like uncharted waters due to many technology and geographic factors. IoT Solution Architects must understand the security pain points in these uncharted waters. IoT is an emerging field; hence there are still loopholes that we need to identify and address systematically, case by case.

    We need to start asking powerful and open-ended questions to understand the security issues, risks, concerns, constraints, and dependencies. At a high level, we must always ask these three questions:

    “What are the security pain points in this solution?”

    “What are the new technology stacks that can create risks?”

    “How can we mitigate the identified risks?”

    And keep asking many more exploratory questions and attempt to answer them.

    By asking such exploratory questions, we prompt our minds to find effective resolutions for each concern.

    IoT technical solution leads cover the breadth rather than depth in architecting, designing, and developing solutions. They depend on security subject matter experts (security architects, specialists, and consultants) to delve into the details of security and privacy risks, issues, dependencies, and constraints.

    These selected consulting subject matter experts can validate solution proposals. Security subject matter experts review the security architecture and design constructs of the solutions and provide approval.

    In addition to the security subject matter expert, the solutions must also be reviewed by a security governance body in digital ventures. The members of the governance body may review various aspects of security. Some common security concerns are identity management, access authorization, and traffic encryption.

    IoT solution leads must ensure that the recommended security actions fit into the overall solution. Specialists in specific domains of security may not be aware of the big picture, other domains beyond their expertise areas, and the broad solution constructs. Understanding the importance of this point is critical. The problem is that technical solution leads sometimes assume that the subject matter experts in security fields know every aspect of the systems or solutions. This assumption is incorrect.

    IoT technical solution leads must analyze and define the key security threats. They need to propose solutions to address those threats in the security model of the IoT solution for the venture.

    The security model must cover each solution building block. Then, they must be carefully reviewed by the security subject matter experts and peer-reviewed by other specialists in the venture who have expertise in the security landscape of applications, middleware, data, hosting infrastructure, functional integration, databases, mobility, communications, and network.

    IoT security and privacy requirements pose specific characteristics due to unique communication mechanisms across borders reaching out to multiple domains extending to other ecosystems.

    IoT security and privacy requirements must be analyzed using reliable and trusted security and privacy assurance frameworks. These requirements can consider the privacy laws in the geographies where the solutions are developed and that they are concerned with.

    These requirements might not fit into, or use, the traditional security controls. These requirements might be developed quickly using agile frameworks and may differ from state to state, country to country, and continent to continent.

    The analyzed IoT security requirements for the IoT solutions can be validated by multiple stakeholders responsible for various aspects of security in the venture.

    Once the IoT security and privacy requirements are validated, the security solution building blocks must be traced to each validated requirement.

    Mandatory requirements must be given priority and proven to comply with the validated requests from business stakeholders. Optional requirements should also be met as much as possible to strengthen the solution security aspects and features.

    Like other solution components in digital ventures, conducting a Viability Assessment for security and privacy is essential for the integrity of IoT solutions.

    Specifically designed security assessments can systematically help the technical team analyze the risks, issues, dependencies, and assumptions. This critical solution work-product can help the decision team find the optimal resolution points by prompting the fundamental aspects to be addressed in the viability metrics.

    The security assessment work-product is usually owned and initiated by the IoT solution leads. However, multiple domain experts, security/privacy subject matter experts, and key business stakeholders can support the content details.

    A security Viability Assessment solution work-product can include the following important security points:

    • Security between the Things (individual IoT devices)
    • Security from Things to the Gateways
    • Protection from Gateways to the Edge devices
    • Security from Edge devices and Gateways to Cloud where compute power is
    • Security of data and databases integrated into the cloud
    • Security between end-user devices and users
    • Encryption requirements for data flow
    • Security for application to middleware to IoT devices
    • Mobile application to interfacing devices (e.g., mobile phones)
    • Digital Certificates
    • Security of APIs
    • Security of databases
    • Cryptography
    • Access authentication
    • Access authorisation
    • Identity of Things
    • Privacy of consumers
    • Overall end to end infrastructure security

    Each of these security points requires an expert to undertake a detailed critical review. The review items can be documented in the security Viability Assessment matrix under the titles of Risks, Issues, Dependencies, and Assumptions.

    It is essential to categorize IoT security risks as high, medium, or low for impact and likelihood of occurrence. The severity of issues can also be classified in the matrix.

    Dependencies must be clearly defined and their impact articulated. Interdependencies amongst the security building blocks and solution design constructs need to be identified and documented in the assessment matrix.

    Assumptions are usually underestimated. But without addressing assumptions, solutions cannot be completed successfully. The final version of the security and privacy assessment must not have any assumptions as they need to be resolved before a solution is proposed. We cannot offer a solution with assumptions. Validated assumptions can be converted into risks, issues or dependencies and updated in the assessment matrix.

    IoT security requires teamwork, including technical solution leaders, security and privacy experts, and business stakeholders working in harmony. The governance body consists of these professionals responsible for reviewing and approving the assessment before a solution starts being developed and deployed.

    Thank you for reading my perspectives.
