IoT security and privacy must be built in, says OTA

Online Trust Alliance reveals draft of Internet of Things Trust Framework


Security and privacy of the Internet of Things must be addressed proactively, and not just as an afterthought, according to industry body the Online Trust Alliance (OTA).

The OTA, which counts ADT, AVG Technologies, Microsoft, Symantec, Target, TRUSTe, Verisign and nearly 100 other subject matter experts among its members, has warned that security and privacy must be approached holistically by vendors and service providers, and that consumers need long-term protection.

The alliance has published the first draft of its Internet of Things Trust Framework, which aims to give end users trust and safety in the use of IoT devices, particularly with regard to smart homes and consumer health and fitness wearables. The framework will outline vendor- and technology-neutral best practices, and will evolve over time to reflect the latest best practices, security standards, regulatory requirements and the changing threat landscape.

"The rapid growth of the Internet of Things has accelerated the release of connected products, yet important capability gaps in privacy and security design remain as these devices become more and more a part of everyday life," said Craig Spiezle, executive director and President of OTA. "For example with a fitness tracker does the user know who may be collecting and sharing their data? When you purchase a smart home what is the long-term support strategy of patching devices after the warranty has expired? How do manufactures protect against intrusions into smart TV's and theft of data collected from device cameras and microphones? What is the collective impact on the smart grid or our first respondents should large numbers of these devices be compromised at once?"

Among the key points of the draft framework are that privacy policies must be readily available for review prior to product purchase, download or activation; personally identifiable data, both at rest and in motion, must be encrypted; data collection policies of a device should be disclosed prior to purchase, and it should be clear to consumers how the device's key features will work if they choose not to share data; and users should be told if they can remove or make anonymous their data if they stop using the device or it reaches end-of-life.

The framework also requires that manufacturers take a sustainable approach to privacy and security, and do not simply stop supporting devices because they have stopped making them. Requirements include publishing a time-frame for support after the device/app is discontinued or replaced by a newer version; having the means to remediate vulnerabilities in a fast and reliable fashion; and having a tested breach response and consumer safety notification plan to use in case of incidents.

In parallel with these best practices, OTA is developing specific testing tools and methodologies to formalize the IoT Trust Framework with scoring criteria, leading to a voluntary Code of Conduct and a forthcoming certification program. OTA welcomes collaboration with organizations interested in partnering to help accelerate and broaden adoption of such certification programs worldwide.
