IoT security and privacy best practices
In a report on the Internet of Things (IoT), the staff of the Federal Trade Commission recommend a series of concrete steps that businesses can take to enhance and protect consumers’ privacy and security, as Americans start to reap the benefits from a growing world of Internet-connected devices.
The IoT is already impacting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars and household appliances, among other applications. Such devices offer the potential for improved health-monitoring, safer highways, and more efficient home energy use, among other potential benefits. However, the FTC report also notes that connected devices raise numerous privacy and security concerns that could undermine consumer confidence.
The IoT universe is expanding quickly, and there are now over 25 billion connected devices in use worldwide, with that number set to rise significantly as consumer goods companies, auto manufacturers, healthcare providers, and other businesses continue to invest in connected devices, according to data cited in the report.
Security was one of the main topics addressed at the workshop and in the comments, particularly due to the highly networked nature of the devices. The report includes the following recommendations for companies developing Internet of Things devices:
- build security into devices at the outset, rather than as an afterthought in the design process
- train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization
- ensure that, when outside service providers are hired, those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers
- when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk
- consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network
- monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
Commission staff also recommend that companies consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely. The report notes that data minimization addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and second, that consumer data will be used in ways contrary to consumers’ expectations.
The report takes a flexible approach to data minimization. Under the recommendations, companies can choose to collect no data, to collect only data limited to the categories required to provide the service offered by the device, to collect less sensitive data, or to de-identify the data collected.
Eve Maler, VP Innovation & Emerging Technology at ForgeRock, comments: “The problem with focusing primarily on security by design is that the overarching fear of IoT security has only a little bit to do with hacking and the physical nature of hacking constrained devices. The bigger fear has more to do with feeling like there is very little power, from an end-user perspective, to control what information is sharable. It’s as though companies are automatically granted access to consumers’ personal data by virtue of their privileged position, vs. consumers controlling the information that is sharable.”
“The rise of distributed services and devices with cloud components only increases consumers’ agitation for more transparency, choice and control. Therefore, the designers of IoT-enabled devices must recognize the solid business value of privacy-respecting features. The most practical way to build in privacy is to use consistent, well-vetted open standards and platforms that enable secure, user-consented connections between devices, services and applications. Once consumers feel that they have control over their information, we will truly see the full potential of connected devices, services and applications,” Maler added.