Security in a data-driven IoT world

UX-led design for mobile and IoT is as much now about data as it is about interaction and experience.

security 2016 iot

"Stick in the mud.”

That is how I am often referred to when I take part in the design phases of the projects in my day job.  And that’s when they’re being kind. I am called this because I often ask the questions I want to ask when my “security hat” is on: where is the data; what are you doing with it; and what steps are you taking to protect it?

Talking about data during the initial design phase is a relatively new concept. Until now UX-led teams have focused on building user interactions with personas, storyboards and wireframes. But data now plays such a critical role in understanding how to best interact with a user, particularly in the areas of mobile and IoT that it's critical that we address the data needs and protections as early in the process as possible.  

The path that an application takes to react to a user’s immediate needs or demands, or to collect vital information about a user’s context, is critical to long-term engagement of that particular user. Successfully engaging with the user at this point is as much about elegant and simple transitions as it is about understanding as much as there is to know about the user’s disposition in order to present the right options. Understanding context comes down to collecting user profile data from a variety of sources in a safe and secure manner to protect the user’s privacy. This data could include the time of day when a user adjusts a home thermostat, the peak heart rate times for a user, the various events pending in social calendars or how the user interacts with a new app’s tutorial.

This is where the IoT frameworks are coming into play in 2016 -- frameworks designed to provide the services and resources required to power simple devices, interact with users, collect and protect data, and analyze that data in numerous ways to suggest the right course of action. Some frameworks are designed for specific sets of products and personalization, such as Apple’s HomeKit and Google’s Brillo, while others support larger ecosystems, such as the AllSeen Alliance and AWS IoT Platform.

The key for these frameworks is to engage at several levels to collect and leverage the personal data associated with the user; data that helps shape a profile of the user contextually across time, location, and disposition.  

Much of this starts with the small helper services distributed to users via such products as Apple’s Siri or Amazon's Echo. While they provide delightful voice-driven information delivery services, their potential goes far beyond that. Behind Amazon’s Echo personality Alexa, for example, is a powerful set of AWS services that can drive almost any interaction desired by developers. From no-server, scalable code execution in Lambda, to powerful data warehousing and analytics in AWS RedShift, to real-time data ingestion with Kinesis, AWS services make it possible for skilled cloud developers to design solutions that leverage sources of real-time information about the user’s disposition to determine the most appropriate engagement path.

With that great power, comes greater responsibility.

Providing the ability to secure user data against unauthorized or unwanted access, such as advertisers or malicious actors, is key. The concern is that by collecting so much data about a user and their behavior, the raw information without security parameters could be exposed  to “the world at large.” This is why protecting PII or PHI data demanded by PCI and HIPAA standards becomes tantamount to ensure that individual privacy demands are met for the user.  

To do this requires a holistic approach to security that winds its way from governance to market scoping, through secure DevOps, architecture and development, advanced application and device protection, and to intelligent defense-in-depth monitoring and intrusion prevention.  

Often there are multiple development organizations working piecemeal on solutions, tying together through an API or other bridging component, which provides significant opportunities for exposure. This is because consumers aren’t buying and using single-product services in this new connected world, but are instead piecing together an ecosystem within which they expect to operate safely, effectively, and securely.  

Frameworks such as AllSeen must have an overarching security program in place for partners to follow. They also must ensure that all organizations meet appropriate certification standards. For IoT platforms like AWS and HomeKit, an in-depth understanding of security models is critical.  Appropriate toolsets and training for monitoring and managing access to these platform services need to be provided.   

Companies looking to deploy IoT solutions need to either ramp up and engage with their internal security team up front, or partner with a security leader who can apply well-trained resources that are experienced in data protection for IoT. Security of data throughout its entire journey is one of the most critical components to ensure success, as exfiltration of that data is one of the simplest ways a company can end up on the front page of every news journal touting the latest information security breach.

This article is published as part of the IDG Contributor Network. Want to Join?

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon