Protocols, Security, and The IoT

Written by Paul Bruce

Security was top of mind on IoT Day in Boston last week. Industry experts and over 75 guests debated the value around IoT protocols, security, and theory in the upcoming IoT economy. Moderated by Andy Thurai of IBM, panelists included Michael Campbell of MachineShop, Joe Biron of ThingWorx / PTC, Sean Lorenz of Xively / LogMeIn, and Michael Murray of GM. As Boston people like to say, it was a “wicked good” use of a Thursday evening.

Panel 2: #IoT + #API@SmartBear A3: "We can't oversimplify some of this hard stuff" "APIs are a powerful way through" http://t.co/Up29CB8eGs

— Wicked Smaht ˁ˚ᴥ˚ˀ (@paulsbruce) April 10, 2015

So how safe is this brave new world of IoT going to be for everyone?

We’ve already seen Smart Homes being hacked, drones spying on people’s private property, and postulated about implications as life-threatening as hacking someone’s intelligent pacemaker. These fears are not completely unfounded, they are a reasonable response to technology that is not governed, not curated, and not fully accepted yet by society.

Panel 2: #IoT + #API@SmartBear A4: With any transport / protocol, you have to have appropriate levels of governance http://t.co/Up29CB8eGs

— Wicked Smaht ˁ˚ᴥ˚ˀ (@paulsbruce) April 10, 2015

Technology is only as safe as we make it, with heavy emphasis on “we make it.” As panelist Q&A flowed around topics of authority, responsibility, and ownership over IoT data, the conversation naturally circled around how monetization plays a role in both adoption of new technology and governance. At one point, Thurai asked the panel:

Panel 2: #IoT + #API@SmartBear Q3: Is IoT only about cheap data collection? http://t.co/Up29CB8eGs

— Wicked Smaht ˁ˚ᴥ˚ˀ (@paulsbruce) April 10, 2015

Biron quickly answered, in summary “…IoT is expensive to get in to right now, so it isn’t really cheap, but there’s room to make business models around that…”, to which Campbell followed with the question:

Panel 2: #IoT + #API@SmartBear A1: so then does cheap data collection mean cheap algorithms in the cloud? http://t.co/Up29CB8eGs

— Wicked Smaht ˁ˚ᴥ˚ˀ (@paulsbruce) April 10, 2015

Cheap data itself does not equate to a business model, even ones revolving around data collection. As we have seen with APIs, intelligent combinations of data are key to a great user experience. “Cheap algorithms” as Campbell refers to aren’t just simple, but more like underdeveloped mashups. If anything, being cheap or careless about any choices in IoT is a sure way to lose investor and consumer confidence, much like security breaches tend to do.

How can we avoid treating security as an afterthought in IoT?

Security must be fundamental to all levels of data creation and collection in order to evoke industry and consumer confidence. You can’t rightly expect that iPhone security means keeping your phone in an iron safe. Similarly, the transmission and storage of sensitive data must ensure levels of safety just as much as where the information goes after being collected. Protocols in IoT cannot afford to be insensitive to the topic of security, but at the same time need to maintain flexibility to stay innovative and have a short time-to-delivery.

Panel 2: #IoT + #API@SmartBear A2: a multi-layered approach local, mesh, and cloud is much more versatile... http://t.co/Up29CB8eGs

— Wicked Smaht ˁ˚ᴥ˚ˀ (@paulsbruce) April 10, 2015

From the beginning of the session, APIs were clearly a favored topic, though many past and present data exchange protocols were discussed. At one point, Campbell clarified with the point about APIs, specifically due to talk about MQTT, that “protocols and formats are two different things”.

Panel 2: #IoT + #API@SmartBear A2: Let's not mix up protocols w/ formats. APIs can teach IoT things about standards http://t.co/Up29CB8eGs

— Wicked Smaht ˁ˚ᴥ˚ˀ (@paulsbruce) April 10, 2015

APIs have a lot to teach IoT

This applies equally to the IoT space as it does to APIs, in that the transmission as well as the content both need to implement security at their own levels; one layer cannot stand in for another layer’s lack of security, at least it can’t for very long.+

The final thought from Biron summarized the attitude and openness of the evening’s participation well:

Panel 2: #IoT + #API@SmartBear A2: Let's not mix up protocols w/ formats. APIs can teach IoT things about standards http://t.co/Up29CB8eGs

— Wicked Smaht ˁ˚ᴥ˚ˀ (@paulsbruce) April 10, 2015

That we will, in Boston, in Boulder, in Dubai, and around the globe. But to do so, especially in safe and innovative ways, takes conscious effort in both consumers and technology providers, like meetups such as this and a diversity of inputs to the conversation. So where do you see the role of security in IoT? What conversations are you having on it today?