The Internet of Things: Privacy and Security...
Transcript of The Internet of Things: Privacy and Security...
![Page 1: The Internet of Things: Privacy and Security Issuesdocbox.etsi.org/Workshop/2014/201407_IOTWORKSHOP/ENISA... · 2014-07-04 · Securing Europe’s Information Society Operational](https://reader034.fdocuments.in/reader034/viewer/2022042302/5ecdb169eeacee57fb65b8f1/html5/thumbnails/1.jpg)
The Internet of Things: Privacy and Security Issues
Stefan Schiffner, NIS expert, ENISA
European Union Agency for Network and Information Security www.enisa.europa.eu
ENISA’s Mission
Securing Europe’s Information Society
Operational Office in Athens
Seat in Heraklion
ENISA activities
Policy Implementation
Recommendations
Mobilising Communities
Hands on
Privacy in the internet of things
What is the internet of things?
• Network of interconnected objects for data processing
– Cyber physical
– Self configuration
• Specialized & embedded
– Seamless integration
– Reduced HCI
• Multiple stakeholders
– For common or individual goals
• Integrated in legacy systems
• Or in independent infrastructure
Privacy concerns
• An object can reveal information about the individual
• IoT introduces new ways of collecting and processing such information from objects:
– collection of data from different sources
– correlation and association
→ abuse potential
• Storing is easy and cheap
Security concerns
• Objects are small and everywhere
– Prone to environmental influences
– Unprotected places (unnoticed manipulation)
– Weak calculation power (limited crypto)
• Autonomous
– Acting without user awareness
The data protection challenge and requirements
Trust assumption for crypto
[Diagram: two trusted environments linked by protected communication, with an adversarial environment in between]
Security silos
• The world is divided into In and Out groups
• They might be nested and intersecting
• Complex structures
• Rather static
• Administrative overhead
• Fragile
To avoid new silos we need:
• Reduction of management burden with respect to security and privacy policies
• Dynamic, automatic negotiation of policies
• Resilience
• Leads to new (priority of) requirements
Control
• How to obtain informed consent?
– How can information be presented?
– How can individuals have overall control over their data?
Liability and enforcement
• Who is responsible?
• How can rights be exercised?
– access, deletion
• How can data be safeguarded?
– Detection of attacks and damages
Data Protection requirements
• Privacy & security by design
• Purpose limitation
– no use beyond predefined purposes
• Data minimization
– collect & process only necessary data
– anonymize or delete data after use
• Distributed protection models
– move away from walled gardens
– multi-layer security
– resilience
• Automated decisions
The role and needs for standards
• Privacy as part of the IoT ontologies and semantics
• New protection protocols
• As an integral control mechanism for the development and implementation of M2M architectures
ENISA’s work on IoT & data protection
ENISA activities
Policy Implementation
Recommendations
Mobilising Communities
Hands on
Current activities
• Support all involved stakeholders in the translation of legal requirements to technical solutions:
• Privacy by design and by default
– Technical tools and mechanisms for information and control
– Privacy principles
– Anonymisation and pseudonymisation techniques
• Technical protection measures
– Cryptographic algorithms, parameters, key sizes
Published Reports
– Survey of accountability, trust, consent, tracking, security and privacy mechanisms in online environments (2011)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/survey‐pat
– Privacy, Accountability and Trust – Challenges and Opportunities (2011)
http://www.enisa.europa.eu/activities/identity‐and‐trust/privacy‐and‐trust/pat/activities‐initiated‐in‐2010
– Bittersweet cookies. Some security and privacy considerations (2011)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/pp/cookies
– Study on the use of cryptographic techniques in Europe (2011)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/the‐use‐of‐cryptographic‐techniques‐in‐europe
– Report on trust and reputation models (2011)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/trust‐and‐reputation‐models
– Study on monetising privacy. An economic model for pricing personal information (2012)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/monetising‐privacy
– Study on data collection and storage in the EU (2012)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/data‐collection
– Privacy considerations of online behavioural tracking (2012)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/privacy‐considerations‐of‐online‐behavioural‐tracking
– The right to be forgotten – between expectations and practice (2012)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/the‐right‐to‐be‐forgotten
– Security certification practice in the EU ‐ Information Security Management Systems ‐ A case study (November 2013)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/security‐certification‐practice‐in‐the‐eu‐information‐security‐management‐systems‐a‐case‐study
– Algorithms, Key Sizes and Parameters Report. 2013 Recommendations (October 2013)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/algorithms‐key‐sizes‐and‐parameters‐report
– Recommended cryptographic measures ‐ Securing personal data (November 2013)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/recommended‐cryptographic‐measures‐securing‐personal‐data
– Securing personal data in the context of data retention. Analysis and recommendations (December 2013)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/securing‐personal‐data‐in‐the‐context‐of‐data‐retention
– On the security, privacy and usability of online seals. An overview (December 2013)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/on‐the‐security‐privacy‐and‐usability‐of‐online‐seals
Thank you very much for your attention
Follow ENISA:
www.enisa.europa.eu