The Internet of Things: Privacy and Security Issues
Stefan Schiffner, NIS expert, ENISA
European Union Agency for Network and Information Security www.enisa.europa.eu


Page 1: The Internet of Things: Privacy and Security Issues · docbox.etsi.org/Workshop/2014/201407_IOTWORKSHOP/ENISA... · 2014-07-04


Page 2

ENISA's Mission

Page 3

Securing Europe's Information Society

Operational Office in Athens

Seat in Heraklion

Page 4

ENISA activities

• Policy implementation
• Recommendations
• Mobilising communities
• Hands on

Page 5

Privacy in the internet of things

Page 6

What is the internet of things?

• Network of interconnected objects for data processing
– Cyber physical
– Self configuration

• Specialized & Embedded
– Seamless integration
– Reduced HCI

• Multiple stakeholders
– For common or individual goals

• Integrated in legacy systems
• Or in independent infrastructure

Page 7

Privacy concerns

• An object can reveal information about the individual

• IoT introduces new ways of collecting and processing such information from objects:
– collection of data from different sources
– correlation and association
→ abuse potential

• Storing is easy and cheap

Page 8

Security concerns

• Objects are small and everywhere
– Prone to environmental influences
– Unprotected places (unnoticed manipulation)
– Weak calculation power (limited crypto)

• Autonomous
– Acting without user awareness

Page 9

The data protection challenge and requirements

Page 10

Trust assumption for crypto

[Diagram: two trusted environments linked by protected communication across an adversarial environment]

Page 11

Security silos

• The world is divided in In and Out group
• They might be nested and intersecting
• complex structures
• Rather static
• Administrative overhead
• Fragile

Page 12

To avoid new silos we need:

• Reduction of management burden wrt security and privacy policies
• Dynamic automatic negotiation of policies
• Resilience
• Leads to new (priority) of requirements

Page 13

Control

• How to obtain informed consent?
– How can information be presented?
– How can individuals have overall control over their data?

Page 14

Liability and enforcement

• Who is responsible
• How can rights be exercised
– access, deletion
• How can data be safeguarded
– Detection of attacks and damages

Page 15

Data Protection requirements

• Privacy & security by design
• Purpose limitation
– no use beyond predefined purposes
• Data minimization:
– collect & process only necessary data
– anonymize or delete data after use
• Distributed protection models
– move away from walled gardens
– multi layer security
– Resilience
• Automated decisions

Page 16

The role and needs for standards

• Privacy – as part of the IoT ontologies and semantics
• New protection protocols
• As an integral control mechanism for the development and implementation of M2M architectures

Page 17

ENISA's work on IoT & data protection

Page 18

ENISA activities

• Policy implementation
• Recommendations
• Mobilising communities
• Hands on

Page 19

Current activities

• Support all involved stakeholders in the translation of legal requirements to technical solutions:

• Privacy by design and by default
– Technical tools and mechanisms for information and control
– Privacy principles
– Anonymisation and pseudonymisation techniques

• Technical protection measures
– Cryptographic algorithms, parameters, key sizes

Page 20

Published Reports
– Survey of accountability, trust, consent, tracking, security and privacy mechanisms in online environments (2011)
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/survey-pat
– Privacy, Accountability and Trust – Challenges and Opportunities (2011)
http://www.enisa.europa.eu/activities/identity-and-trust/privacy-and-trust/pat/activities-initiated-in-2010
– Bittersweet cookies. Some security and privacy considerations (2011)
http://www.enisa.europa.eu/activities/identity-and-trust/library/pp/cookies
– Study on the use of cryptographic techniques in Europe (2011)
http://www.enisa.europa.eu/activities/identity-and-trust/library/the-use-of-cryptographic-techniques-in-europe
– Report on trust and reputation models (2011)
http://www.enisa.europa.eu/activities/identity-and-trust/library/trust-and-reputation-models
– Study on monetising privacy. An economic model for pricing personal information (2012)
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/monetising-privacy
– Study on data collection and storage in the EU (2012)
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/data-collection
– Privacy considerations of online behavioural tracking (2012)
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking
– The right to be forgotten – between expectations and practice (2012)
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten
– Security certification practice in the EU - Information Security Management Systems - A case study (November 2013)
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/security-certification-practice-in-the-eu-information-security-management-systems-a-case-study
– Algorithms, Key Sizes and Parameters Report. 2013 Recommendations (October 2013)
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
– Recommended cryptographic measures - Securing personal data (November 2013)
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/recommended-cryptographic-measures-securing-personal-data
– Securing personal data in the context of data retention. Analysis and recommendations (December 2013)
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/securing-personal-data-in-the-context-of-data-retention
– On the security, privacy and usability of online seals. An overview (December 2013)
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/on-the-security-privacy-and-usability-of-online-seals

Page 21

Thank you very much for your attention

Follow ENISA:

www.enisa.europa.eu
European Union Agency for Network and Information Security