This document summarizes a presentation by Dr. Rachel O'Connell on assessing security issues related to emerging digital identity, personal data, and internet of things ecosystems. She discusses how these systems are converging and creating new commercial opportunities but also pushing legal, security, and regulatory discussions into new areas. Some key points are: (1) these nascent ecosystems evolving at different rates could introduce diverse new threat vectors; (2) a siloed development approach creates perception issues that need addressing; (3) interactions between citizen-centric and machine-to-machine systems may require the most oversight. International rules may also be needed to govern cybersecurity threats and warfare in these interconnected new domains.

1. CITIZEN CENTRIC DIGITAL AND
MOBILE-IDENTITY, PERSONAL
DATA ECOSYSTEMS AND THE
INTERNET OF THINGS:
ASSESSING THE NATURE OF
OPERATIONAL SECURITY ISSUES
Dr Rachel O’Connell
RSA Conference 2013, Europe

2. WHO AM I?
 PhD online criminal activity: implications for investigative strategies
 Chief Security Officer Bebo, VP AOL
 Research Consultant
 Oxford Internet Institute:
 Effective Age Verification Techniques: Lessons to be Learnt from the Online
Gambling Industry
 Ctrl_Shift
 A market analyst and consulting: changing personal data landscape.
 Member of OIX and the GSMA’s UK Assured legal working group
 Advisor to commercial organisations on both the policy requirements and
business opportunities associated with digital and mobile ID
 Co-founder of GroovyFuture.com.

3. NASCENT INTEROPERABLE
ECOSYSTEMS:
I

4. DATA DRIVEN ECONOMY

5. CISCO’S PREDICTIONS: IoT

6. DATA GENERATED BY IoT

7. ELECTRONIC AND MOBILE ID
 NSTIC
 STORK
 IdAP
 GSMA Mobile ID
 Proposed regulation

8. PERSONAL INTERNET OF
THINGS
• Multi-tenancy cloud
based personal data
stores
• Targeted attacks,
• Cryptolocker virus

9. PATH TO ROI
Gigya's series
'Path to ROI',
focuses on the
different
technologies
and tools that
businesses can
leverage to
generate
valuable ROI
from their
marketing
efforts

10. IoT TRUSTED CREDENTAILS
 Education
 Assert trusted credentials (LoA)
 Recognise trusted intermediaries
(accreditation)
 Quantified self - Databetes
 Convenience, security
 Active participants

11. IoT SECURITY AND TRUST
 Inofsec properties of the IoT are often hidden in
pervasive systems and small devices manufactured
by a large number of vendors.
 uTRUSTit enables system manufacturers and system
integrators to express the underlying security
concepts to users in a comprehensible way, allowing
them to make valid judgments on the trustworthiness
of such systems.
 How security conscious is the average user of IoT
devices?
 Data mining
 End-to-end security telemetry – automated scripts,
correlating data points from multiple machines across
multiple sectors

12. M2M VISION

13. MARKET EVOLUTION
FOR TELCO IN M2M

14. PDETS TRUST FRAMEWORKS
 Forging new social contracts
 The Respect Trust Framework is designed to give individuals
control over the sharing of their personal data on the Internet.
 Mydex, the personal data store and trusted identity provider,
has also had its “Mydex Trust Framework” listed by the Open
Identity Exchange.
 Connet.me has had its Trust Model and Business Model for
Personal Data listed by OIX
 The Personal Network: A New Trust Model and Business Model
for Personal Data
 Access to data that companies make available and
authoritative personal data sources – university exam results
 Penetration testing, SEIM, ISO27001,

15. GOVERNANCE AS A
SOFTWARE SERVICE
 ID³ believes, governance principles should be expressed as
software that is then able to evolve to incorporate advances in
technology and to support changing market and societal
requirements.
 Using these tools, people will be able to ensure the privacy of
their personal information, leverage the power of networked
data, and create new forms of online coordination, exchange
and self-governance.
 Forge new “social contracts” and participate in new types of
legal and regulatory systems for managing organizations,
markets and their social and civic lives. These systems will
conform to both international legal standards and to the
specific social norms and priorities of its members.

16. LEGAL FRAMEWORK
 European Network and Information Security Agency (ENISA)
comprehensive duties and responsibilities, which are inter
alia motivated by the protection of critical infrastructures
 Cert (Computer Emergency Response Teams)
 Directive and working paper
 Proposal for a Directive of the EU Parliament and of the
Council concerning measures to ensure a high level of
network and information security across the Union
 Cyber-security Strategy of the European Union: An open,
Safe and Secure Cyberspace

17. INCREASE IN NUMBER OF
THREATS VECTORS
 Structured and unstructured data
 Information security management systems – threat intelligence
 Security Information and Event Management (SIEM)  Access management – lessons from enterprise solution providers
 Data access, control, leakage, revocation, audits,
 Social engineering
 Scale of attacks
 Complex crypto based attacks, e.g. flame
 Vulnerabilities of inter-operable trust frameworks
 LoA’s associated with different ecosystems

18. NEW APPROACHES
 Existing solutions – each ecosystem is an island
 Security incident and management systems – usually utilised in
a single system (SIEM)
 Stephen Trilling, Symantec, keynote speaker: Massive cloud
based security - SIEM on steroids – apps that run on security
telemetry data
 New era of operational security
 New attacks – automatically looking for anomalous behaviours
 Forensic graph for Attack ID
 Security system with a world view – looks across ecosystems,
industries and geographies …
 Proportionate, self fulfilling prophecies, balance
 Security in critical infrastructures – Future pre-condition for
operating license?

19. POINTS FOR DISCUSSION
 Will the convergence between e-identity, Mobile ID
and personal data ecosystems in concert with the
Internet of Things, foster new and diverse commercial
opportunities, whilst pushing legal, security, policy
and regulatory debates into new terrain?
 From a security perspective, what are the nature,
scale and extent of the threat vectors we can
expect to be associated with these nascent
ecosystems that are evolving at different rates?
 Ubiquitous connectedness opens up pathways for
attacks however, a siloed approach to development
and oversight creates a perception issue, how can
this best be addressed?
 Operational Security Assurance?

20. POINTS FOR DISCUSSION
 Where should concerns lie – unsecured M2M or citizen
centric facing, or interactions between these
ecosystems?
 Scale: Destructive attacks, cybercrimes, erosion of
privacy, trust
 Will the operation of the IoT in concert with e.g. critical
infrastructure necessitate new sets of international
rules that address cyber security threats and govern
cyber warfare?
 What can the security community do to address these
issues?

21. Thank you
 Rachel O’Connell
 rachel@technologist.com
 Twitter: @racheloconnell