Approaches to Security and Privacy when developing new Internet of Things (IoT) and Big Data Analytics products presented at WaveFront Summits, Ottawa, 2015

1. THE INTERNET OF THINGS
SECURITY AT SCALE
WAVEFRONT SUMMITS 2015
Winston Morton

2. Nuviser Inc
Nuviser provides Cloud Advisory Services including Assessment, Strategy,
Program Management and New Product Introduction to Enterprise Clients and
Service Providers. All engagements are led by cloud industry leaders and follow
our cloud acceleration framework.
About Me
BSc. Electrical Engineering, UNB
Large Scale Cloud Infrastructures
Security and Privacy Strategy
IoT/Wireless Architectures
Telecommunications
WINSTON MORTON
CEO, Nuviser Inc
Winston.Morton@Nuviser.com
Twitter: @WinstonMorton

3. Won’t be
Cheap
FAST
To Market
CHEAP
To Produce
SECURE
Infrastructure
Won’t be
Fast
Won’t be
Secure
GOOD, FAST,
OR CHEAP.
PICK TWO.
The delicate balance of speed to
market and the appropriate level
of security.
70% of the time
we’ll always get it right

4. The MECHANISMS to
protect data assets
Security
The nature of the DATA and
how it relates to a person or
business.
Privacy
SECURITY
AND
PRIVACY
ARE VERY
DIFFERENT
(ALTHOUGH SOMETIMES
LINKED)
Examples of Private Data:
 Health Records
 Phone Records
 Bank Records
 Home Address
 Private Communications
and Files
Example Mechanisms:
 Corporate Security Policies
 Encrypted Communications
 Intrusion Prevention Systems
 Virtual Private Networks
 Firewalls

5. What is Private Data
 Canadian privacy laws apply to any data that can uniquely
identify an individual. This can be via direct or indirect means.
 Requires explicit consent specifically for intended use
 Just because people have become accustom to giving away
private data doesn’t mean corporations don’t have a legal
obligation to protect it.
 Companies have a obligation to extend private data protection
to include 3rd parties.

6. WHAT MARKET DO WE SERVE.
• Do we serve the business or consumer market
• Do we REALLY need the data we are collecting
WHAT DATA DO WE COLLECT.
 Location Information
 Personal Details
WHAT DATA DO WE CREATE.
• Are we correlating difference sources of data
• Are we mining the data for personal features
WHERE DO WE COLLECT AND STORE DATA.
• Where and how are we acquiring the data
• Where and how is the data stored
• Do we share the data with anyone else
• How long are we keeping the data
BIG DATA PRIVACY
Defining the Privacy Profile

7. SECURITY AND PRIVACY IN IoT
DEVELOPMENT PROGRAMS

8. Most IoT innovation from Startups
 Most “Next Generation” IoT frameworks
are open-source and undergoing rapid
development themselves
 Large players investing heavily in IoT
and Wireless Innovation
 Consolidation on horizon
 Some excellent proven development
frameworks
 Sometimes developers miss the
“Plumbing”

9. Design/ Build Measure
.
Code
Deploy Code
Data
Measure results and test
hypothesis.
Ideas
Customer Discover
THE LEAN STARTUP MOVEMENT
The Lean Startup allows for rapid iteration of corporate alignment with
product and market fit. This experimental approach creates a nimble,
customer driven process but can have drastic changes in product
function or target markets.
THE “PIVOT” CHALLENGE
Security /Privacy are Contextual
and take into account product
and the respective market.
Learn
Customer Validation
- Do we create Different Data?
- Do we serve a Different Market?
- Is the data in a Different Location?
Pivot

10. Wireless Network
• 802.11 Client or Access Point Mode
• Full Security Stack (WPA2, EAP, TLS,etc)
• Hardware Based Encryption
• Full TCP/IP Stack
• 802.11 B/G/N
Rapid Development
• More Than 500 Open Source IP Projects and GROWING
• Full Tool Chain Dev Environment
• Arduino Project Compatible
• Node.js Real Time Application Services
• MTQQ Message Client
Embedded Processor
• Integrated low power 32-bit CPU
• Standby power consumption of less than 1.0mW
• Integrated Temperature Sensor
• Up to 16 Digital I/O ports
Game Changers
Ultra-Low Cost Wireless SOC Platforms
• Wi-Fi position system beacons
• Wi-Fi location-aware devices
• Industrial wireless control
• Smart power plugs
• Home automation
• Mesh network
• Baby monitors
• IP Cameras
• Sensor networks
• Wearable electronics
• Security ID tags
$3
ESP 8266 Wi-Fi SOC

11. INTERNET FACING API’s
0
2,000
4,000
6,000
8,000
10,000
12,000
14,000
2007 2008 2009 2010 2011 2012 2013 2014
API Calls are the
new “Web Hits” of
high tech growthMachine to Machine connections are exploding. These API’s are
generally open to Internet based communication and many have
not been thoroughly tested for protocol security
Whole new marketplace for API brokers
Development environments with “Pre-Built”
API’s such as IBM BlueMix, Microsoft Azure IoT
Suite
Value Added API Abstraction Services
IFTTT.Com “IF my car comes within 1Km of
home THEN open garage door”
Emergence of IoT
and API Aggregators
Source:www.programmableweb.com

12. TOP 10 IoT SECURITY CHALLENGES
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
IoT Security
The OWASP Internet of Things (IoT)
Top 10 is a project designed to help
vendors who are interested in making
common appliances and gadgets
network/Internet accessible.
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project

13. Hackers are also
extremely Innovative
Security is increasingly challenging as we expose
more data, more interfaces, more mobile devices
that can be compromised.
MONETIZED ACTIVITY ESTABLISHED INDUSTRY
• $400B+ Market
• High returns with low risk
• High value targets
• International cyber programs
• Open source hacking tools
• Hacker groups collaborate at
amazing speed.
Source: PWC-The Global State of Information Security® Survey 2015
Security Incident Growth
Source: Symantec 2015 Internet
Security Threat Report

14. LEVERAGE TECHNOLOGY
Security tools are getting
much better. Security best
practices are well defined.
2
KNOW YOUR CUSTOMER
The nature of the
customer creates Context
for your security program.
1
KNOW YOUR DATA
Data is most likely your
primary advantage. Learn
to protect it.
3
Balanced Approach
to IoT Security
Privacy and Secure are
fundamental components of your
product design

15. THANK YOU!
Winston.Morton@Nuviser.com
https://ca.linkedin.com/in/winstonmorton
@WinstonMorton