We Need a Trust and Transparency Model for the Internet of Things

Watch the Recording


Sean Martin, CISSP


Co-Founder and Editor-in-Chief, ITSPmagazine



David Billeter

Chief Information Security Officer
CA Technologies

Mandeep Khera

Information Security Thought Leader and Executive

Naresh Persaud

Sr. Director Security, Product Marketing
CA Technologies

Poll Responses

How and where does the Internet of things fit in your business?

How far along are you in your IoT deployment?




Question: Does this require a "Global" standard for regulation rather than conflicting standards as imposed by the USA, EMEA, China, etc.? Is there such cooperation? 

Persaud: A global standard would be nice to have, and while we do need levels of global collaboration and information sharing, this is an area where governments may not be ready to regulate - the commercial sector is accelerating at a rapid pace and should take the lead to self-regulate. First, there is a lack of consensus on what the data security laws should be, and the regulatory climate varies depending on the country. The imperative is for businesses to step up to provide the highest level of safety, privacy, and governance as they commercialize the technology. 

Question: How do you propose manufacturers (textile, auto, etc.) address the threats they face with their legacy systems (SCADA, PLCs, etc.) on which their business model is heavily reliant?

Persaud: There are a few ways to adapt infrastructure system not previously designed for the internet access. NIST has provided a good write-up of how companies can do that here is a link. 

Question: With the scale interoperation between authentication chains, there should be a way to delegated (federated) authentication and trust? 

Persaud: Today Federation is applicable especially as we look at interoperation of multiple standards. Here is a link to a great article that explains. Blockchain is also emerging as an opportunity here as well. Here is a great blockchain example done by Etherium

Question: EU has a General Data Protection Directive coming in May 2018. How does this relate to IoT ecosystem for companies which do business in EU? Any comments?

Persaud: This is a big topic, and there are lots of intersections with GDPR that would make my answer too long. Here is a short answer.

  • Businesses deploying IoT would need to address the responsibility for privacy between the data controllers vs. data processors. May of the IoT deployments depend on cloud back ends that are managed by a 3rd party, and they would all need to be compliant. Can you provide access and portability of the data are critical? The IoT devices are producing more data than ever before.

  • IoT devices collect PII that was previously uncollected, so companies need to review and place controls on the IoT data - it can't leave the European Union etc.

  • Right to be forgotten - what does it mean to be "forgotten" in cases where the device and the person are closely related (especially in the case of wearables) - can I depersonalize Fitbit data?

  • Breach notification is also challenging, imagine a utility company potentially responsible for disclosing the data breaches on any of a million plus thermostats that leased to consumers.

Question: Is there a minimum security standard in place for manufacturers of Internet connected devices? Do you think such a standard is possible and enforceable?

Persaud: There should be a standard, and it is possible to create one and enforce it. With examples like Stuxnet and the Mirai Botnet, we have plenty to build on. We just need to do it.

Question: What is the testing approaches in IoT? And how it will be helpful for the product?

Persaud: Cleary IoT software will devour the world. Successful companies will deliver their IoT software as part of a repeatable, continuous delivery process incorporating automated testing. In particular, many of the IoT breaches are in fact exploiting weaknesses in the software. Companies should make automated security testing a part of the process. If companies incorporated security testing in the context of the delivery cycle, they could dramatically reduce the attack surface. 

View Naresh Persaud's full recap on LinkedIn.

Today, security on the Internet is dependent on the trust between participants on the network. This is challenging because trust involves more than humans in this case and there are over 8.7 Billion devices already online today. And, trust is about to become more involved because, according to a Cisco study, 99% of the things in the world today will be connected to the Internet in the near future which means we will need a new model for trust and digital identity to manage this massive scale of trust we will need.

In this ITSPmagazine webinar, a panel of subject matter experts will explore the challenges and solutions to building trust on the Internet of things, looking at what identity means in the world of mobile devices and other Internet-connected things. Remember, it's not just the user that has an identity...

Some of the topics planned for the discussion include:
- What are some of the devices we see being used in business?
- Why do devices need identities?
- What does device-to-user authentication look like?
- What does device-to-device authentication look like?
- What role do applications play in the IoT world?
- How can all of these identities and activities be managed and policies enforced at scale?