Security was top of mind on IoT Day in Boston last week. Industry experts and over 75 guests debated the value around IoT protocols, security, and theory in the upcoming IoT economy. Moderated by Andy Thurai of IBM, panelists included Michael Campbell of MachineShop, Joe Biron of ThingWorx / PTC, Sean Lorenz of Xively / LogMeIn, and Michael Murray of GM. As Boston people like to say, it was a "wicked good" use of a Thursday evening.
So how safe is this brave new world of IoT going to be for everyone?
We've already seen Smart Homes being hacked, drones spying on people's private property, and postulated about implications as life-threatening as hacking someone's intelligent pacemaker. These fears are not completely unfounded, they are a reasonable response to technology that is not governed, not curated, and not fully accepted yet by society.
Technology is only as safe as we make it, with heavy emphasis on "we make it." As panelist Q&A flowed around topics of authority, responsibility, and ownership over IoT data, the conversation naturally circled around how monetization plays a role in both adoption of new technology and governance. At one point, Thurai asked the panel:
Biron quickly answered, in summary "...IoT is expensive to get in to right now, so it isn't really cheap, but there's room to make business models around that...", to which Campbell followed with the question:
Cheap data itself does not equate to a business model, even ones revolving around data collection. As we have seen with APIs, intelligent combinations of data are key to a great user experience. "Cheap algorithms" as Campbell refers to aren't just simple, but more like underdeveloped mashups. If anything, being cheap or careless about any choices in IoT is a sure way to lose investor and consumer confidence, much like security breaches tend to do.
How can we avoid treating security as an afterthought in IoT?
Security must be fundamental to all levels of data creation and collection in order to evoke industry and consumer confidence. You can't rightly expect that iPhone security means keeping your phone in an iron safe. Similarly, the transmission and storage of sensitive data must ensure levels of safety just as much as where the information goes after being collected. Protocols in IoT cannot afford to be insensitive to the topic of security, but at the same time need to maintain flexibility to stay innovative and have a short time-to-delivery.
From the beginning of the session, APIs were clearly a favored topic, though many past and present data exchange protocols were discussed. At one point, Campbell clarified with the point about APIs, specifically due to talk about MQTT, that "protocols and formats are two different things".
APIs have a lot to teach IoT
This applies equally to the IoT space as it does to APIs, in that the transmission as well as the content both need to implement security at their own levels; one layer cannot stand in for another layer's lack of security, at least it can't for very long.+
The final thought from Biron summarized the attitude and openness of the evening's participation well:
That we will, in Boston, in Boulder, in Dubai, and around the globe. But to do so, especially in safe and innovative ways, takes conscious effort in both consumers and technology providers, like meetups such as this and a diversity of inputs to the conversation. So where do you see the role of security in IoT? What conversations are you having on it today?