
The Internet of Things: Privacy and Security Issues

10,938 views

Published on

The Internet of Things: Privacy and Security Issues,
Stefan Schiffner
NIS expert, ENISA

Published in: Internet

The Internet of Things: Privacy and Security Issues

  1. The Internet of Things: Privacy and Security Issues. Stefan Schiffner, NIS expert, ENISA. European Union Agency for Network and Information Security www.enisa.europa.eu
  2. ENISA’s Mission
  3. Securing Europe’s Information Society • Operational Office in Athens • Seat in Heraklion
  4. ENISA activities • Policy Recommendations • Implementation • Mobilising Communities • Hands on
  5. Privacy in the internet of things
  6. What is the internet of things? • Network of interconnected objects for data processing – Cyber physical – Self configuration • Specialized & Embedded – Seamless integration – Reduced HCI • Multiple stakeholders – For common or individual goals • Integrated in legacy systems • Or in independent infrastructure
  7. Privacy concerns • An object can reveal information about the individual • IoT introduces new ways of collecting and processing such information from objects: – collection of data from different sources – correlation and association – > abuse potential • Storing is easy and cheap
  8. Security concerns • Objects are small and everywhere – Prone to environmental influences – Unprotected places (unnoticed manipulation) – Weak calculation power (limited crypto) • Autonomous – Acting without user awareness
  9. The data protection challenge and requirements
  10. Trust assumption for crypto (diagram labels): trusted environment – protected communication – trusted environment; adversarial environment
  11. Security silos • The world is divided in In and Out group • They might be nested and intersecting • Complex structures • Rather static • Administrative overhead • Fragile
  12. To avoid new silos we need: • Reduction of management burden wrt security and privacy policies • Dynamic automatic negotiation of policies • Resilience • Leads to new (priority) of requirements
  13. Control • How to obtain informed consent? – How can information be presented? – How can individuals have overall control over their data?
  14. Liability and enforcement • Who is responsible • How can rights be exercised – access, deletion • How can data be safeguarded – Detection of attacks and damages
  15. Data Protection requirements • Privacy & security by design • Purpose limitation – no use beyond predefined purposes • Data minimization: – collect & process only necessary data – anonymize or delete data after use • Distributed protection models – move away from walled gardens – multi layer security – Resilience • Automated decisions
  16. The role and needs for standards • Privacy – as part of the IoT ontologies and semantics • New protection protocols • As an integral control mechanism for the development and implementation of M2M architectures
  17. ENISA’s work on IoT & data protection
  18. ENISA activities • Policy Recommendations • Implementation • Mobilising Communities • Hands on
  19. Current activities • Support all involved stakeholders in the translation of legal requirements to technical solutions: • Privacy by design and by default – Technical tools and mechanisms for information and control – Privacy Principles – Anonymisation and pseudonymisation techniques • Technical protection measures – Cryptographic algorithms, parameters, key sizes
  20. Published Reports
     – Survey of accountability, trust, consent, tracking, security and privacy mechanisms in online environments (2011) http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/survey-pat
     – Privacy, Accountability and Trust – Challenges and Opportunities (2011) http://www.enisa.europa.eu/activities/identity-and-trust/privacy-and-trust/pat/activities-initiated-in-2010
     – Bittersweet cookies. Some security and privacy considerations (2011) http://www.enisa.europa.eu/activities/identity-and-trust/library/pp/cookies
     – Study on the use of cryptographic techniques in Europe (2011) http://www.enisa.europa.eu/activities/identity-and-trust/library/the-use-of-cryptographic-techniques-in-europe
     – Report on trust and reputation models (2011) http://www.enisa.europa.eu/activities/identity-and-trust/library/trust-and-reputation-models
     – Study on monetising privacy. An economic model for pricing personal information (2012) http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/monetising-privacy
     – Study on data collection and storage in the EU (2012) http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/data-collection
     – Privacy considerations of online behavioural tracking (2012) http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking
     – The right to be forgotten – between expectations and practice (2012) http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten
     – Security certification practice in the EU – Information Security Management Systems – A case study (November 2013) http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/security-certification-practice-in-the-eu-information-security-management-systems-a-case-study
     – Algorithms, Key Sizes and Parameters Report. 2013 Recommendations (October 2013) http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
     – Recommended cryptographic measures – Securing personal data (November 2013) http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/recommended-cryptographic-measures-securing-personal-data
     – Securing personal data in the context of data retention. Analysis and recommendations (December 2013) http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/securing-personal-data-in-the-context-of-data-retention
     – On the security, privacy and usability of online seals. An overview (December 2013) http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/on-the-security-privacy-and-usability-of-online-seals
  21. Thank you very much for your attention. Follow ENISA:
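Added example, not part of the ENISA slides: a minimal device-to-back-end telemetry pipeline that applies the data protection requirements of slide 15 (purpose limitation, data minimisation, deletion after use), the pseudonymisation and cryptographic measures named on slide 19, and the trust model of slide 10 (two trusted environments exchanging data through an adversarial environment, so the back end verifies integrity before trusting a reading). The keys, field names, retention period and sample reading are constructed for the example; the HMAC-based pseudonym and tag are one common way to do this, not a mechanism the presentation specifies.

```python
"""Added example (not from the ENISA slides): IoT telemetry with purpose
limitation, data minimisation, keyed pseudonymisation, integrity checking
across an untrusted channel, and deletion after the retention period.
All keys, field names and readings below are constructed assumptions."""
import hashlib
import hmac
import json
import secrets

# Constructed keys. In a deployment they stay inside the trusted environments
# (device and back end, slide 10) and are never sent over the channel.
PSEUDONYM_KEY = secrets.token_bytes(32)
AUTH_KEY = secrets.token_bytes(32)

# Purpose limitation (slide 15): the only fields the declared purpose
# (assumed here: room-climate monitoring) needs. Anything else is dropped
# on the device, before the data leaves the trusted environment.
ALLOWED_FIELDS = frozenset({"temperature_c", "humidity_pct", "ts"})

# Retention period (assumption) after which readings are deleted.
RETENTION_SECONDS = 7 * 24 * 3600


def pseudonymise(device_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the device identifier, truncated to 128 bits.

    The same device always maps to the same pseudonym, so readings can still be
    correlated per device, but without the key the mapping cannot be rebuilt.
    A plain unkeyed hash of a short identifier does not give that protection,
    because the identifier space is small enough to enumerate."""
    return hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()[:32]


def minimise(raw: dict) -> dict:
    """Data minimisation (slide 15): keep only the fields required for the purpose."""
    return {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}


def canonical(record: dict) -> bytes:
    """Deterministic encoding so both sides compute the tag over identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def device_send(device_id: str, raw: dict, auth_key: bytes = AUTH_KEY) -> dict:
    """Trusted environment A (the device): minimise, pseudonymise, then attach
    an HMAC tag so manipulation in the adversarial environment is detectable."""
    record = minimise(raw)
    record["subject"] = pseudonymise(device_id)
    tag = hmac.new(auth_key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def backend_receive(msg: dict, auth_key: bytes = AUTH_KEY):
    """Trusted environment B (the back end): verify the tag before trusting
    the record. Returns the record, or None if it was altered in transit."""
    expected = hmac.new(auth_key, canonical(msg["record"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return None
    return msg["record"]


def purge_expired(store: list, now: float, retention: int = RETENTION_SECONDS) -> list:
    """Delete after use (slide 15): drop readings older than the retention period."""
    return [r for r in store if now - r["ts"] <= retention]


if __name__ == "__main__":
    # Constructed reading: the device driver exposes more than the purpose needs.
    reading = {"temperature_c": 21.5, "humidity_pct": 40, "ts": 1_700_000_000,
               "owner_name": "A. Example", "gps": [48.1, 11.6]}
    msg = device_send("sensor-0042", reading)
    assert "owner_name" not in msg["record"] and "gps" not in msg["record"]
    assert backend_receive(msg) is not None
    tampered = json.loads(json.dumps(msg))
    tampered["record"]["temperature_c"] = 99.0     # manipulation in transit
    assert backend_receive(tampered) is None
    print("accepted record:", msg["record"])
```

The tag only gives integrity and origin authentication; confidentiality on the channel still needs encryption, and on constrained devices (slide 8) the algorithm and key-size choices would follow the ENISA algorithms and parameters report listed on slide 20 rather than anything fixed here.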
