There are still many people who view the Internet of Things as focused on ‘the things’ and not the data they provide. Granted, there are definitely some issues with the thing itself, but there are also concerns for the enterprise, like the need to monitor the flow of information coming from these things, especially as we begin to automate the enterprise response to events.
A holistic perspective is needed, and these are the top issues I believe an organization needs to think through when digging into its IoT strategy:
- What business value do the devices provide – independent of the data they collect?
Having said that it is not really about the devices, it remains true that the devices should be delivering value in themselves – the data may be just a side effect of this role. Understanding those functions will increase the reliability and usefulness of the data over the long haul. No one wants to put in place an approach that consumes a data stream only to have it dry up.
- What access will the devices have to the enterprise?
Is it bi-directional? If it is, the security risk of the devices is significantly higher than that of devices that just provide raw data. If a positive feedback loop exists, it needs to be reinforced and secured. If the data flow is too narrow for this level of security, the need for bi-directional information flow needs to be scrutinized – if the interaction is that valuable, it really needs to be protected. Think about the issue of automotive data bus attacks, as an example.
- If attacked, how can the devices be updated?
Do the devices support dynamic software updates and additions? If so, how can those be delivered, and by whom? Users of devices may download applications that contain malware, since it can be disguised as a game, security patch, utility, or other useful application. It is difficult for most people to tell the difference between a legitimate application and one containing malware. For example, an application could be repackaged with malware and a consumer could inadvertently download it onto a device that is part of your IoT environment. Not all IoT devices are limited SCADA solutions; they may be smartphones, TVs… pretty much anything in our environment in the future.
- How will the data provided be monitored?
Wireless data can be easily intercepted. When a wireless transmission is not encrypted, eavesdroppers can capture the data and may gain unauthorized access to sensitive information or derived behaviors. The same may be true of even a wired connection. Understanding the frequency of updates and shifts in data provided is usually an essential part of IoT’s value, and it should be part of the security approach as well.
- Can any personal or enterprise contextual information leak from the device connection?
I blogged a while back about the issue of passive oversharing. As we enable more devices to provide information, we need to understand how that data flow can inadvertently build a contextual understanding about the business or the personnel and their behavior for purposes other than the intended use.
- Is the device’s role in collecting information well-known and understood?
No one likes the thought of ‘big brother’ looking over their shoulder. People can easily feel offended or manipulated if a device enters their work environment and provides data they feel is ‘about them’ without their knowing this is taking place. A solid communications plan that keeps up with the changes in how the data is used will be a good investment.
- Who are all the entities that consume this data?
As IoT data is used to provide a deeper contextual understanding of the environment, the contextual understanding may be shared with suppliers, partners and customers. These data flows need to be understood and tracked, like any consumer relationship; otherwise they may easily turn into a string of dominoes that enable unexpected shifts in results as they change. Awareness of enterprise context management will be growing in importance over the coming years – note that was not content management but context management.
All these issues are common to IT systems, but with an IoT deployment, the normal IT organization may only be able to influence how they are addressed.
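
One way to act on the monitoring question above is to treat each device's reporting cadence as a security signal, flagging streams that dry up, slow down or suddenly speed up. This is an added example, not code from the original post; the device names, thresholds and timestamps are constructed assumptions.

```python
"""Flag IoT devices whose reporting cadence shifts or whose stream dries up."""
from statistics import median


def assess_cadence(timestamps, now, min_baseline=5, recent=3,
                   silence_factor=3.0, burst_factor=0.25):
    """Classify one device from its report times (seconds, ascending)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    # Older gaps form the baseline; the newest few are judged against it.
    baseline_gaps, recent_gaps = gaps[:-recent], gaps[-recent:]
    if len(baseline_gaps) < min_baseline:
        return "learning"   # too little history to judge this device yet
    baseline = median(baseline_gaps)
    if now - timestamps[-1] > silence_factor * baseline:
        return "silent"     # the stream has dried up
    latest = median(recent_gaps)
    if latest < burst_factor * baseline:
        return "burst"      # reporting far more often than it used to
    if latest > silence_factor * baseline:
        return "slowed"     # still alive, but reporting far less often
    return "ok"


def sweep(fleet, now):
    """Assess every device in {device_id: [timestamps]} at time `now`."""
    return {dev: assess_cadence(ts, now) for dev, ts in fleet.items()}


# Constructed sample data: hypothetical device ids, times in seconds.
NOW = 1400
FLEET = {
    "hvac-01": list(range(0, 1381, 60)),                        # steady, 60 s
    "badge-07": list(range(0, 601, 60)),                        # stops at 600
    "cam-03": list(range(0, 1381, 60)) + [1385, 1390, 1395],    # sudden 5 s
    "pump-04": list(range(0, 421, 60)) + [720, 1020, 1320],     # drops to 300 s
    "meter-12": [1280, 1340, 1400],                             # newly enrolled
}

if __name__ == "__main__":
    for device, status in sweep(FLEET, NOW).items():
        if status != "ok":
            print(f"{device}: {status}")
```

The median keeps a single late or duplicated report from moving the baseline, and the "learning" state keeps newly enrolled devices from raising alerts before they have a history.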