The Unified Secure IoT Framework
The Unified Secure IoT Framework: The next Generation Unified Secure Framework for Secure IoT – The Internet Of Things!
This post attempts to explain a unified security solution for the threats commonly observed in the fields of healthcare, insurance and payment when connected solutions are implemented as part of the next frontiers in IoT.
IoT stands for the Internet of Things. When we say IoT, we mean a set of connected things (especially devices, and now everything including smart wear such as a T-shirt). It is soon going to be the Internet of feelings, health or personal life, as IoT includes devices that record a user's health data and information about, and control of, his own house, which is usually termed the Connected Home. One estimate, given by IDC, is that by 2020 the world will have thirty billion IoT devices.
2. CURRENT TRENDS IN IoT
The healthcare industry is seeing a major impact from IoT with the evolution of connected technologies and sensors, which help in measuring heart rate and tracking fitness. Nike and Fitbit are some examples of fitness trackers. Apple and Google have their own health recording platforms, namely Apple HealthKit and Google Fit. These provide a unified and simple environment for accessing the user's health record on a handy mobile device, and many healthcare organizations are coming up with various fitness apps with the help of the APIs exposed by these platforms. Fashion brands are coming up with technology trends like smart T-shirts and shirts for sportsmen, which help in measuring a sportsman's activity (number of steps taken, etc.), analyzing mood and tracking fitness. Ralph Lauren has given a glimpse of its Polo Tech smart shirt, a new wearable technology which reads activity (steps, how long the player is active), breathing and heart rate and delivers it all in real time to a Bluetooth-connected smartphone. Google Glass is another example of smart wear technology.
The insurance industry is adopting smart technology with the concepts of Connected Home, Connected Health and Connected Cars for calculating premiums, rewarding, risk assessment, etc. The retail industry, meanwhile, is implementing smart pay, credit card payment techniques and EMI offers with the evolution of devices and sensors. Banking is another major sector that is adopting IoT concepts for smart payment, online purchase/payment, etc.
3. COMMON SECURITY THREATS
So everything on earth seems to be connected through the Internet in one way or another, be it the insurance industry or personal information such as a user's health record. Now, the major concern in all these areas is security and privacy! How secure are the connection, the process and the data used by these IoT techniques?
3.1 Digital Payment
We know that credit card information is the most common information that a retail purchase will have access to, and it will not be difficult to get access to a user's personal information through credit card details. Websites claim that online payment always goes through a secured gateway, but the user may not be aware of how secure the system really is.
3.2 Connected Home
In a Connected Home, the user can remotely control the door locks through his mobile device, and sensors in his home refrigerator send constant data logs on usage, power consumption, etc., based on his customization. Home inventory details may be captured on his own mobile device if he has a smart app installed to do so. Also, Apple is coming up with its indoor positioning system, with which the user will be able to track his own historical visits to different places, floor numbers, etc. Though Apple says it is very secure, we do not know how it fares against a man-in-the-middle attack, or what happens if the device is lost. How secure is the device and the data stored on it?
3.3 Connected Health
Health-related information may have direct access to the user's personal information (PII – Personally Identifiable Information), insurance details, credit card details and, most importantly, the user's biometric and health information, which is very private. Also, disposal of digital data is another headache when users block their credit card during fraud or a hacker attack. Home security systems have alarms and web cameras, but what about connection privacy and secure access to these, even though they are designed with the safety of the house in mind?
3.4 Social Share
Social media plays a major role in data sharing. Many apps, devices and solutions offer social media connectivity and single sign-on. This again raises the question of user data privacy and security. Google's OAuth authentication technique is implemented in most authentication mechanisms. But how easy is it for hackers to break this technique and get access to private data, or cause vulnerabilities in different ways? This technique has been around for a long time, and many programmers are capable of studying the pattern and finding loopholes to break it. Apps like Truecaller have their own database, in which the data of anybody that any person feeds to Truecaller becomes publicly available, raising a privacy concern. Though this app helps a lot in blocking unwanted calls, managing contact lists, etc., it doesn't ensure data security and privacy to the expected level.
4. UNIFIED SECURE FRAMEWORK
Industry is coming up with its own security frameworks and techniques to prevent all these security threats and privacy concerns. One better technique would be multiple authentication, with at least one factor being a biometric feature such as fingerprints, face recognition or retina scanning. A centralized control system can be implemented to monitor privacy and security in IoT. The centralized hub will provide a single user with access to the complete IoT system. Industry can adopt this security framework, in which each registered user is given access to his private data and connectivity to his own connected devices.
4.1 Secure Authentication
When the user registers his device in the security framework, the framework should be capable of identifying and storing the unique device ID, such as a UUID (Universally Unique Identifier) or ASHWID (Application Specific Hardware Identifier), in an encrypted format. The framework will use the same ID to authenticate the device the next time a request arrives from it. Next, to establish that the device has not been stolen and to authenticate the right user, the security framework can implement or provide an app that authenticates the user using a biometric feature such as face recognition. Once this is confirmed, the user will be redirected to OAuth or any other authentication mechanism provided by the IoT apps. Be it HealthKit or Google Fit, everybody should think of implementing such a two-way or multiple authentication technique, along with an encryption and decryption mechanism for data transfer.
4.2 Secure Data Transfer
This security framework will be a layer on top of app-level security implementation techniques. Still, the concern regarding privacy in credit-card-based retail purchases remains. This can be addressed by implementing the security framework in the payment gateway as well. The framework should enable purchases with data being shared only between the retailer and the consumer. The communication channel should carry completely encrypted data, and it should be identified with a biometric feature. The credit card number should be stored in encrypted format at the retailer's firm using this security framework. Whenever there is a request for a retail purchase, the payment should pass through this gateway, which identifies the user by face recognition and immediately sends a secure PIN to the user's mobile device for second-level authentication. Once the user enters the PIN, the secured framework will authenticate the device in the same way as discussed above. We can expect the card manufacturers, too, to implement such a technique soon, which will make this easier.
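As an added illustration of the checks described in sections 4.1 and 4.2 (not code from the original post), the sketch below chains the registered-device check, the biometric verdict and a one-time PIN before handing off to OAuth. The class and function names, the order of the checks, the PIN policy, and the use of a keyed hash (HMAC) in place of the "encrypted format" are assumptions; the biometric match is taken as a boolean supplied by an external matcher.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret held by the framework
PIN_TTL, MAX_TRIES = 120, 3            # assumed policy: PIN valid for 120 s, 3 guesses

def _tag(data: str) -> bytes:
    """Keyed hash: stored values cannot be reversed or recomputed without SERVER_KEY."""
    return hmac.new(SERVER_KEY, data.encode(), hashlib.sha256).digest()

class Framework:
    def __init__(self):
        self.devices = {}   # user -> HMAC tag of the registered device id
        self.pins = {}      # user -> [tag of PIN, expiry time, tries left]

    def register(self, user, device_id):
        self.devices[user] = _tag(device_id)     # the raw device id is never stored

    def device_ok(self, user, device_id):
        stored = self.devices.get(user)
        return stored is not None and hmac.compare_digest(stored, _tag(device_id))

    def issue_pin(self, user, now=None):
        pin = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        now = time.time() if now is None else now
        self.pins[user] = [_tag(user + ":" + pin), now + PIN_TTL, MAX_TRIES]
        return pin                               # would be sent to the user's phone

    def pin_ok(self, user, pin, now=None):
        now = time.time() if now is None else now
        rec = self.pins.get(user)
        if rec is None or now > rec[1] or rec[2] <= 0:
            self.pins.pop(user, None)            # expired or exhausted: discard
            return False
        rec[2] -= 1                              # every guess costs one try
        if hmac.compare_digest(rec[0], _tag(user + ":" + pin)):
            del self.pins[user]                  # single use: a replay fails
            return True
        return False

    def authorize(self, user, device_id, biometric_ok, pin, now=None):
        """Every factor must pass; biometric_ok is the verdict of an external matcher."""
        if not self.device_ok(user, device_id):
            return "deny: unknown device"
        if not biometric_ok:
            return "deny: biometric mismatch"
        if not self.pin_ok(user, pin, now):
            return "deny: bad or expired PIN"
        return "allow: continue to OAuth"
```

A keyed hash is enough here because the framework only ever compares device IDs and PINs; a card number, which must be recovered for charging, would need real encryption or tokenization instead.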
4.3 Secured Analytics Engine
Sharing of data on social media must be restricted based on the user's permission. The access level should also be restricted for each app. The security framework should implement constant polling, or a similar technique, to ensure secure data sharing and preserve the privacy of users on social media, by running a script once a month or week to verify secure access and privacy protection. This should be customized according to the user's needs; e.g., if a user has any concern about his privacy, he can request the framework to run the script and make use of analytics, which can detect any security threat. The analytics engine is part of this security framework and will constantly study the usage pattern and analyze the user's behavior based on his IoT connectivity pattern or statistics. This analysis will also contribute towards identifying threats.
5. POWER CRISIS
Another upcoming major challenge in IoT is power management. We know that power is the main means of connectivity in IoT. For IoT we need connectivity, and that connectivity is through Bluetooth, Wi-Fi or a mobile network. Bluetooth low energy, or Bluetooth LE, is the latest trend in Bluetooth technology and is the future of Bluetooth. It is marketed as Bluetooth Smart. Wi-Fi Direct is a P2P standard for devices to transfer data without being connected to the same Wi-Fi network. But we all know that all of these consume the device's battery power, and mobile device usage depends on power consumption. Power management is critical for sensors and connected devices. So we need to think in terms of power management in IoT.
6. RENEWABLE ENERGY SOURCE – THE SOLAR POWER
Solar power is available in plenty on the planet and can be utilised as a source of power. We can install a solar power panel for energy storage in the IoT hub and utilise it for power during connectivity. Innovation and invention in sensors and in areas of solar energy utilisation for this purpose should be carried out as soon as possible.
Security, privacy and power management are going to be the biggest challenges in the next frontier of IoT. It is always better to be prepared for the future than to worry about the issue later. Implementing a secured framework and a proper power management plan at an early stage helps in identifying the risks, and the pros and cons, of the implemented technology for further improvements. This stabilizes the solution for when there is a huge need for it in the near future.
This post was posted to TCS as a part of TCS's call for papers on IoT Security and Privacy. I would like to thank TCS for the opportunity.
I would like to improve this solution with more ideas flooding in, and the “Unified Secure Framework” needs to be improved a lot with a concrete solution. So suggestions and ideas are welcome in this regard.