Passwords are passé, so what can stop privacy disasters in the IoT age?


How does an application know that users are actually whom they say they are?

The answer in many cases is still: with a password. But the Internet of Things is exposing new problems with this already inadequate method, as the recent Dyn DDoS hacks demonstrated when they took down large swaths of the Internet for many people last October.

Eve Maler, vice president of innovation and emerging technology at ForgeRock Inc., a platform for securing digital identities, thinks some big changes to security architectures and authentication techniques will be needed to avoid data privacy disasters in coming years. She spoke about what’s coming next with Jeff Frick, co-host of theCUBE, SiliconANGLE Media’s mobile live streaming studio.

TheCUBE interviewed Maler and other privacy and security experts at a Data Privacy Day event held by the National Cyber Security Alliance at the San Francisco headquarters of Twitter Inc., a sponsor of the event. Data Privacy Day is an annual celebration to recognize the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty concerning privacy and data protection.

Maler identified the OAuth open standard authentication software — a way for Internet users to allow websites or applications to access their information on other websites without having to give them the passwords — as a promising path forward. Maler said that it’s not so much passwords that are the problem, but the way they are punted around the Internet. OAuth skirts that problem by whittling down the points of access.

Twitter and other high-profile companies use OAuth now, and ForgeRock would like to see this point-to-point, data sharing model spread. “We want to allow every application in the world to be able to do that, not just Google Docs, Google Sheets and so on,” she said.

IoT crackdown

Maler said that IoT is an area crying out for more capable identification technology. She argued that the recent Dyn DDoS hacks were made possible by poorly authenticated devices.

She said that, thankfully, government agencies are finally cracking down on these fault lines in IoT device security, but businesses ultimately need to take charge. “We need to authenticate our devices better, and that’s something manufacturers have to take responsibility for,” she said.

Makers of highly personal devices developing in the Internet of Things need to make sure they keep personal data close to the person. Maler said that in the healthcare field, the people who work on patient security adhere to a principle summed up in the phrase, “No data about me without me.”

She added that this needs be adopted as the creed in IoT data sharing — and not just for blanket permission. Users increasingly want to know more than who has access to their data, but exactly what data and for what purpose. “It’s got to be not just more transparent, but ‘What is it you’re sharing about me?'” she said.

The work to be done now is in binding and unbinding an individual’s identity to a device on one end and a cloud account on another. “So now we are back to having an identity-centric architecture for security and privacy,” she said. She gave the example of a single smart police vehicle that would collect data on different officers through the binding and unbinding of their digital identities to the car.

Maler said that smarter identification could lead to much greater flexibility of security controls. For instance, she said an owner could give someone permission to deliver a package to their car’s trunk but not to drive a car. She said that Airbnb hosts could give guests limited permission to use smart devices in the home while they are away.

Maler also said that companies need to understand that customers asking for more control are not simply shooing them away. “They want share buttons. We saw that with the initial introduction of Care Kit with Apple,” she said, adding that the transparent, person-to-person sharing is what app designers should be aiming for.

Data D-day looming

Maler said companies that do not get more transparent about data-sharing risk big losses in the near future. Regulations such as the General Data Protection Regulation in the EU, she said, are “bearing down on pretty much every multinational, every global enterprise that monitors or sells to EU citizens.”

The new legislation will not let companies get away with keeping their data collection policies buried in long documents in file cabinets far from consumers’ eyes. It will demand, she said, “that individuals get some measure of the ability to withdraw consent in a convenient fashion.”

Here’s the complete video interview with Maler. You can watch the rest of theCUBE’s coverage of the event here.

Photo by SiliconANGLE