1

IoT betyr nye krav til sikkerhet og personvern

Hva må gjøres?Dr Arnor Solberg

COO, Tellu IoT AS

2

Outline

• Tellu• Security and Privacy in IoT are main concerns for us

• IoT Security and Privacy; state of affairs and what requirements to expect• What to do?

• What we do• How we approach GDPR

Survey by Mobile Ecosystem Forum , published in Computer business review april 2016

3

TelluCloud – An IoT Integration Platform

• IoT platform supporting set of verticals• Solution as a service model (SaaS) Pay as you

Go model

• Cover the IoT, Edge and Cloud space• IoT application innovation and development • library of integrated sensor devices and

gateways

• Integration with new devices and legacy systems (e.g., EPJ)

• White labeling

4

Helsefaglig personale

Responssenterløsning

Hjemmetjenesten

Fagsystem - EPJ

ShepherdIntegrasjonsplattform

Brukeren

Utstyr ute hos bruker:Trygghetsalarm m/sensorerTrygghetsalarm m/GPSMedisindispensereDigitalt tilsynMedisinske sensorerElektroniske låser

Utrykningstjenesten

Responssenter

PårørendeTryggi

AdministrasjonsverktøyKonfigurasjon og testHeartbeat-overvåkingStyring av sensorer

Internett / GSM

Example product: Telenor TelluCloud Solution on welfare Sikkerhet ogPersonvern er et være eller ikke

være

5

The Gartner Hype Cycle

6

Current IoT characteristics• Connectivity• Sensor innovations

• Exponential amount of sensors deployed

• IoT platforms (more than 400)• Register & manage IoT devices• Monitoring• Storing and processing data in the cloud

• Most services are closed vertical silos• A lot of IoT “Gadgets”

6

2017

7

State of affairs in terms of IoT Security

• Attack surface is about to explode• Vertical silos are easier to protect• Current IoT systems security is

mostly about protecting sensitive information and assets

• Severe DDoS attacks such as Miraibotnet

“Gold rush state, where every vendor is hastily seeking to dish out the next innovative connected gadget before competitors do. --> Functionality becomes the main focus and security takes a back seat.”

8

Characteristics of The Emerging IoTDriven by the envisioned digitalized society

• Break the silos, • Open, integrated and massively distributed systems across the IoT, Edge

and Cloud space• Resource sharing

• to be sustainable need to avoid parallel infrastructures

• Fog computing/edge computing • Actuation• …

IoT based systems are becoming a critical backbone of the society impacting the everyday life of the citizens

9

Security and privacy demands in future IoT Systems

• Laws and regulations -> punishment• E.g., GDPR

• Strict requirements from customers• Security and privacy by design• Certification,

• E.g., ISO 27001, ISO 13485

• New security mechanisms and models • Resources constraints

• can not run the most computing/resource demanding security mechanisms

• Need to be usable in the IoT context• Monitoring and Forensics

Our very lives and health can become the target of IoT hack attacks

“Gold Rush” approach will simply not be accepted

10

What can we do?

• Prepare for upcoming requirements

• Implement standards• Provide GDPR functionality• Security and privacy by design• Monitoring and forensics

• Still keep• Short time to market• Agile• Rapid innovation

• Understand opportunities• DevOps• Microservices• Edge computing• Blockchain - IOTA

11

DevOps cycle for Trustworthy IoT systems (H2020 ENACT)

12

ENACT Toolkits – Automation is keyhttp://www.enact-project.eu/

13

Evolving to new standards and models

• Web session based Authentication• Authenticating towards authentication service

• Public services in Norway use IDPorten• Return with access token with limited longevity

• Works OK for web session based user interaction, but what about things?

• How are sensors connected to users in the real world?

14

Data authenticity when things talk

Authenticate Access token

Access tokenHealth data

Authenticate Access token

Access tokenHealth data

Access token

Things without internet Things with Internet Gateway

15

Session Longevity

• Time out • Physically connected sensor

• Attach the sensor physically to the person

• Informed if sensor is removed

16

“Offpad” for securing devices

16

• User managed root-keys

• Offline execution environment

• API access from any client platforms

• Secure user input-output channels

TEE

17

v2

Software based Diversification17

… …

???

MIRAI

18

Two slides about Tellus approach to GDPR

19

LeadSuspectProspect

Customer

Lost ProspectPrevious

Customer

Privacy Data Lifecycle - Rights Managementà Functionality built into TelluCloud

Right to consent

Right to data protection

Right to view data

Right to correct data

Right to get notified

Right to data portability

Right to be forgotten

20

Organisatoriske tiltak

• Privacy by design prosess• E.g.,trussel og Risikovurdering, konsekvensanalyse,

minimalisering• DevOps • Sørg for å ha en klar forståelse for hvilke

persondata som håndteres og begrunnelse for å lagere disse (formål)

• Rutiner• E.g., ved brudd. 72 timers regelen,

• hvem skal varsles (person, personvernombudet, Datatilsynet)

• Samtykkehåndtering• Et samtykke per formal (selv i samme applikasjon)

• Dokumentasjon• Åpenhet• Kontakt/rådgiving med datatilsynet• ISO 27001.

21

Thank You

22