New security mindset needed for internet of things
Thinking about passwords not enough, claims Axway.
Users and service providers need to think beyond traditional models in order to ensure they are secure when it comes to connected devices.
So claims Mark O'Neill, chief innovation officer at API management specialist Axway.
"One of the problems, when it comes to security and the internet of things, is people's idea about how the internet and devices work is lagging behind reality," O'Neill told IT Pro.
"In the past, it was all about the browser. If you were clicking on things and entering passwords, information was being exchanged. But if you weren't, then it wasn't.
"Nowadays, connected devices, whether they are phones, wristbands or even cars, are creating and communicating data constantly without you doing anything," he added.
We are moving away from a password or interaction-based web towards a permission-based web, but people are still thinking in terms of strong passwords as the main line of defence, according to O'Neill.
"If, for example, you give a device permission to tweet on your behalf how far you have run today and that device is somehow compromised, having a strong password or changing your password isn't going to help you," he said.
"That device or piece of technology has the permission to access your account, so you need a way to revoke that permission," he added.
According to O'Neill, this may entail the development of a whole new field of technology that secures permissions, rather than passwords and credentials.
Furthermore, the development of internet of things technology, which O'Neill sees becoming a part of everyday life within the next five years, raises new questions around privacy and data ownership.
"The question becomes to whom the data generated by the connected device belongs. Does it belong to you, the data generator? Does it belong to the device maker? If there's a separate app, does it belong to the app's developer? These are questions that really need to be answered," he said, adding that the fact different jurisdictions have different rules around personal data collection and protection adds another layer of complexity.
On the other hand, there are also questions around fraud, O'Neill argued.
"If you are using an app or device that provides data to your health insurance company, what is to stop you giving it to a more active friend, making it look like you are fitter than you are?" he asked. "This is also something that needs to be resolved."
Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.