Build digital trust to unleash the full commercial potential of IoT
Eve Maler, ForgeRock
The API revolution is fuelling digital transformation across a spectrum of industries and opening the way for new IoT use cases. But capturing the full commercial potential of the IoT will depend on addressing lingering consumer concerns over consent and privacy, explains Eve Maler, the vice president of Innovation and Emerging Technology at ForgeRock.
Application programming interfaces (APIs) are driving increasingly sophisticated digital business ecosystems as leading companies adopt APIs to build innovative applications and services. Indeed, the rise of the public API has enabled a spectrum of industries – from telecommunications and media, to finance, travel and tourism – as well as national government agencies, to pursue broad-based digital transformation strategies that prioritise new processes and workflows.
Today’s new API-powered economy is disrupting known business models. The financial services sector, for example, is currently exploring open platforms in a bid to compete with the likes of PayPal and Amazon, which have used API-driven services to make inroads into the payment industry. It’s a move being encouraged by state institutions like the UK Treasury, which recently tasked the industry-led Open Banking Working Group (OBWG) with the development of a new framework for using open APIs in order to encourage innovation and boost competition.
But while APIs are becoming the de facto integration model for IT systems, they are the fundamental building blocks of the IoT. Providing the all important interface between the ‘Internet’ and ‘Things’, APIs expose the data that enables multiple devices to be combined and connected – and that has considerable implications for cyber security.
How trustworthy are APIs?
Since APIs expose data, services and transactions, enabling assets to be created, shared and reused to build new products or offerings, it’s a given that APIs designed and built with security in mind will provide protection for every application they enable. However, the application risks multiply significantly should digital identity or authentication not be handled well.
Insecure APIs is an issue currently impacting motor vehicle manufacturers whose cars are becoming more ‘connected’ thanks to on-board WiFi and integrations with smartphone apps that allow car owners to track their location or remotely lock or unlock car doors. But earlier this year, a security expert exposed how security vulnerabilities contained in the Nissan LEAF smartphone interface made it easy to run API commands via an internet connection. This would enable a potential hacker to turn on a car’s heated seats or air conditioning to drain the electronic vehicle’s battery – or easily monitor a driver’s movements.
Security flaws such as this serve to fuel consumer fears of potentially intrusive new technologies and continue to spark general concern about the risk of terrorist cyber attacks on IoT devices. Should a hacker successfully attack IoT endpoints like a medical device, a car, or a smart city’s traffic management systems, the consequences could be considerable.
But privacy and data protection issues are another primary concern for consumers and service providers alike. API developers will need to carefully consider these challenges in the context of local regulatory requirements and user needs. For example, it’s simply not realistic to expect users to utilise a companion mobile app to provide consent or configure their sharing preferences every time they interact with a smart device.
Addressing key privacy challenges
The complexity of IoT value chains, and the number of stakeholders involved in the exchange and processing of data, raises significant regulatory compliance challenges. New data protection policies are being implemented around the world in an attempt to address the IoT ecosystem, but rules about data security vary widely across global territories.
The EU arguably has the most highly developed policies on privacy and protection, and the new General Data Protection Regulation (GDPR) will drive better security and privacy in the IoT and will have a direct impact on device manufacturers, application developers and other entities involved in bringing IoT solutions to market.
Due for implementation in 2018, the new regulation requires ‘privacy by design and privacy by default’, conferring on EU citizens substantive rights in relation to their personal data – including the right to be forgotten, data portability rights, and the right to object to automated decision making. The issue of explicit consent in relation to the processing of an individual’s data is another primary consideration.
As the regulatory landscape continues to evolve, developers and manufacturers will need to be fully aware of the requirements of multiple watchdogs and regulators around the globe. Similarly, data security standards are currently being evolved to ensure that data is securely collected and that internet communications can be appropriately authenticated, utilising deep encryption to avoid eavesdropping.
Engendering digital trust
The promise of the IoT is vast, but so too is the potential for security flaws and privacy lapses. New data privacy methods and technologies will soon make an appearance in the US and the EU, and tech companies involved in creating IoT devices and applications will need to keep abreast of these changes and ensure the APIs they use are secure and compliant.
User-Managed Access (UMA) is an important new standard in this area. Defining a protection framework that features a unified control point for authorising who and what can access a variety of cloud, mobile and IoT data sources, it empowers developers to incorporate UMA protection and authorisation for API enablement into applications, services and devices. The advantage conferred by UMA is that while it protects any API on a standardised basis, it also lets people share directly with other parties or revoke access whenever they see fit. In other words, individuals can set, view and change sharing preferences from a single online control console.
Companies operating in the health data-sharing ecosystem have been quick to grasp the opportunities made possible by UMA. Companies like Philips are developing IoT platforms that will transform how healthcare and medicine is delivered, enabling patients to selectively share data with family members and health professionals. Organisations like ARM are also undertaking pioneering work on developing strong trust models for sensor-to-device-to-service security.
As the regulatory landscape around security, consent and privacy standards continues to evolve, developers and device manufacturers will need to ensure that the integration APIs they use are bullet proof – and have undergone rigorous evaluation to assure end-to-end effectiveness and compliance. Those stakeholders that can demonstrate privacy compliance will win consumer trust and gain competitive advantage in an increasingly connected world.