Value Propositions of Privacy, Trust & Security in IoT – Webinar

Christian: Greetings and welcome to today's
webinar, Capturing the New Value Propositions of Privacy, Trust and Security in IoT. I'm
Christian Simko, Marketing Manager for Identity Management solutions at GlobalSign. Before
we get started, I just want to let everyone know that we are recording today's webinar,
and we will email a link to the recording after this webinar is complete. Our presenters
today are Lancen Lachance, Vice President of Product Development at GlobalSign and
Madeline Smith, Vice President and Director of Strategic Initiatives at the Online Trust
Alliance or the OTA. While the phones are on mute, we do encourage questions, and we'll
answer your questions after today's presentation. To ask a question, please use the question
field in the GoToWebinar toolbar, and we will answer any questions after today's presentation.
During today's webinar, Madeline will share with you the work the OTA and its members
have been doing on the Internet of Things Trust Framework that addresses global consumer
concerns. The framework provides guidance for device manufacturers and developers to
enhance the security, privacy and sustainability of connected home devices, wearable fitness
and health technologies and the data they collect. Lancen will talk about best practices
and implementation strategies for securing the IoT devices. He will also highlight key
technology and discuss an IoT developer program that can help you get started today.
Before I turn the presentation over to Madeline, I wanted to highlight a few IoT facts and
challenges that will set the stage for today's webinar. While everyone knows that the IoT
market is exploding and more devices are being connected, what you may not be fully aware
of is the privacy and security concerns that IoT presents. One of the great challenges
is when and where to address those security concerns. The OTA's IoT trust framework is
a great place to start, and Madeline Smith from the OTA is here with us today and we'll
talk about that trust framework. Welcome, Madeline.
Madeline: Great. Thank you very much, Christian. I'm Madeline Smith, and I'm from the Online
Trust Alliance. I'm going to take a few minutes here to introduce people to OTA and what we
try to achieve and then I'll move into the framework. Going to the next slide; who is
OTA? In case anyone doesn't already know who we are, we are the Online Trust Alliance and
our mission is to enhance online trust and empower users while promoting innovation and
vitality of the internet. So important goals with that are to educate businesses, also
policy makers, stake holders and do this in a way that allows us to develop best practices
and tools to enhance protection of user security, privacy and identity.
One of the most important parts of the OTA is that we are a collaborative public, private
partnership. We're going to get into a logo slide in a minute and you'll see what I mean
by that in terms of collaboration. Another important facet of who we are is that we are
in fact a 501(c)(3) tax exempt charitable organization. The reason that is important is because as
much as we work with and have a great deal of respect for industry trade organizations
and other types of collaborative work, we think it makes OTA unique that we are speaking
out separate from perhaps professional obligations of our membership and we are supported in
that detachment and in that ability to be independent. We are global and bring in not only
membership but also feedback worldwide, and we're supported by over a hundred organizations
that include all facets. Particularly important in our IoT work, facets
including retailers, commercial websites, interactive marketers, product manufacturers,
consumer advocacy organizations and people who are every piece of the ecosystem both on
a technology side and a consumer communication side. So I'd mentioned collaboration, this
slide is just to give you an idea of the types of other organizations. Many of these governmental
or non profit or business associations that we work very closely with, not to imply that
every one of these is a supporting member directly of OTA. In fact, many of them are
our colleagues in the non profit space as well, but we work with organizations who also
have similar or crossover areas of interest for us. Part of the purpose of this slide
is to see breadth and particularly some of these international organizations that we
can see listed here. The next slide is our actual supporting members.
This is just a snapshot of the type of companies that join OTA. When we say join, what we
mean is providing donation support because we are, as I said, a 501(c)(3) charity. We rely
completely on membership contribution, and right in the middle of the slide, I hope you'll
notice the GlobalSign logo because we love our friendly GlobalSign. This is a cross
section of the kinds of companies who support OTA's work. When we talk about the consumer
Internet of Things, I want to start from OTA's perspective, obviously, the whole point of
the concept of Internet of Everything or Internet of Things is that it's everything, but OTA
as a starting place, felt that from a resource perspective we couldn't literally focus on
everything. So we kind of brought it down to for our purposes and for the purposes of
what I'm going to be talking about, a consumer facing picture so it's less of the industrial
systems that are interconnected and more things like consumer wearables or products one
might have in their home. Then broadening out to the connected home,
so just as a scope, I want everyone to kind of see that that's really where we're starting
from. Certainly, it's expanded. One key consumer product that is not part of our current work,
but obviously it's something we're watching very closely for the future is connected cars
because there seem to be other organizations that are highly technical and focused on the
challenges of connected cars so I will not be covering that here. And another consumer
facing device that gets into a slightly different industry is actual medical devices; those
things like insulin pumps. It's not actually an area that OTA's framework focuses on right
today. But our perspective is the kinds of things
that you're starting to see in this picture of the mobile apps, the fitness bands, entertainment
devices that are interconnected into your home; connected home, home security, garage
door openers, smart TVs, things like that. So the important thing about the ecosystem
is that it is highly personal, dynamic and it is a persistent collector of data and in
some cases, transferring data and we'll get back to that. It is relying on a combination
of devices, apps, platforms and cloud services, all of which of course are coming from a
different starting place. But at the moment, we're all faced with the challenge of how
to make them integrate and how to do so safely, or what OTA would call safely, which is security,
privacy and sustainability. They all have multiple data flows. All of that needs to
be checked and monitored and we all have to understand how that works together.
Of course, multiple touchpoints and in these touchpoints and different pieces, you have
different companies and therefore different disclosures or different consumer decision
making points throughout that which becomes incredibly complicated. We're using the word
sustainability here to mean lifecycle or the viability of the product over time and
I'll get back to that topic in a second also. Currently, the world is facing a lack of defined
standards because this is all new. It's not surprising that there are a few standards
at the moment. And there are a lot of non-traditional market players, especially in some of these
very small home devices. You know, you might have invented the connected toaster, but if
your company is primarily a toaster company and not primarily a digital company, those
new players may not have thought of all of the security, privacy and sustainability concerns
that other corporations already embed in their work. So we're trying to get the message out about
the importance of thinking these things through before you jump onto a connected device. As
I said, multi-dimensional issues; I just want to blow out these spots a tiny bit more. Data
security; there are more than just the dots that are shown here. In many cases, working
with cloud service or certainly some kind of connected place where data and technology
is being stored and served; typically, it's a mobile application situation. The devices
themselves are connected and connected to each other, not just connected for this one
specific use. The various platforms and the various service providers so that the actual
channels that are keeping everything connected, those platforms themselves are part of the
ecosystem we talked about. The issue of data security, privacy and, I mentioned, sustainability; when
OTA says sustainability, we really struggled with the right word there.
We're not so much talking about ecology or keeping our planet green, we're talking about
the lifecycle issues of these products and services and the ability to report them, the
ability to update them, the ability to fix and remediate breach challenges, things like
that, in the way that a website could be fixed, patched very quickly. It may not be such an
easy thing to be able to do that when you have a series of connected apps and sites
and devices all being run or housed by different entities, so that idea of being able to do
that is a really serious consideration, as something goes forward over time. Then the deep questions
of data retention and ownership; these devices, as I said they're constantly collecting data
for very, very good reasons and for consumer useful reasons, but data stewardship becomes
increasingly vivid in this. We are concerned about these privacy, sustainability, security
and the data in use and also in transit or transmission and in storage and rest.
So what have we done about this? Well, in January of 2015, this year, OTA launched a
cross-industry working group with some specific goals. Our working group is drawn from those
companies that you see as our membership. We have some other ways to get involved. We've
reached out to academia and to international organizations, but the working group was put
together to try to discuss and think about these challenges. So our goals were originally
to provide guidance to manufacturers and developers with the point being to reduce the attack
surface, to reduce vulnerabilities and make people aware. We are committed to best practices
and embracing privacy and security by design as opposed to bolt-on at the end. I think that's the
phrase you're going to hear again in this conversation because I think everyone taking
this very seriously realizes that that's so crucial.
OTA has always been about providing affirmations and recognition to companies and products
and retailers who embrace these and do these things. I don't know if everyone on this call
is familiar with one of OTA's big, well-known initiatives every year, which is our annual trust
audit, and we release the annual honor roll, and that's what we mean by that. What we try
to do is set a set of standards or a set of expectations, a set of best practices, then
we go out and try to see who's doing those things and try to shine a light on them. But
that is always our point of view is to be optimistic and to be recognizing great people
doing great things; great companies doing great things, and that continues to be the
goal here. It's not about finding out who's falling short. It's about finding out who's
doing best. We want to provide retailers and commerce
sites with information that can help them with their products, merchandizing and promotion
decisions, not something we've already discussed. I'll get to that in a second also.
Where possible, we're always looking to apply existing standards. OTA is not a standard
organization. We certainly don't have the resources to be technical standard organizations.
What we're trying to do is gather together best practices and promote and communicate
those as a benefit and a resource for organizations to be smart and to do great things. So we
are trying to pull existing standards wherever possible every place we can find them and
pull them together. We are all about collaboration and sharing. We are, right this minute on
this project, our working group goal was to lead toward what are the considerations and
road blocks and challenges really creating a true certification or seal program.
I think you've perhaps heard in the press already that there is some momentum behind
the idea of having ways to certify and seal trust in the internet of things, and there
are a couple of different organizations who come out publicly and say yes, we're trying
to do that. OTA definitely believes our framework is a foundation of that. One of the things
that makes our framework different on that is our approach which we consider a three
pillar approach, so rather than just certifying for security, or just certifying for privacy,
we want to build a framework that allows the basis for a seal program or a certification
across all three: privacy, security, and sustainability. But what do I mean by those three things?
Well, on the next slide, we have a couple of examples to give you an idea of how we
broke it out. In security, that's a relatively clear cut thing for most people. We have just basic issues like passwords,
encryption, making sure that vulnerabilities can be remediated that updates and really
all pieces are signed and verified. Again, it's the best practices that people already
recognize around best security. Privacy is an area that crosses over with security. At
least from OTA's perspective, we believe that those two are intertwined as hand and glove.
You really can't have security if you are not also keeping an eye on data privacy because
breaches in data privacy lead to breaches in security. So when we talk about privacy,
we're talking about first of all, disclosure to consumers and consumer consent. These are
really key issues for OTA and they permeate almost everything we do, but for the consumer
to know what information is being collected, to be required to consent to it or to be able
to opt out of it or to know that if they opt out, then they lose the following features
so perhaps that's not the fit for them. All of those pieces of understanding consumer's
rights to their data or the right to understand what is being done with their data and disclosing
what that is. Also, the data sharing issues; again, we may have a company that has perfectly reputable,
fantastic data stewardship rules of its own, but if there are third parties or interconnectedness
as the whole internet of things is connected, if the next vendor and the next vendor and
the third parties that do not have those things, then it opens up to risk and breach. We just
want to make sure that that [0:16:33] that all of the players understand and it isn't
just this company is great, but now I'm handing out to another company that isn't. Sustainability,
I already mentioned, but one of the key important things there is to understand what happens
if something changes, and this is super important in connected homes.
So for example, if I have a connected home and it's my security system and my gate and
my garage door opener, what happens if my internet goes out? Can I no longer open my
garage? Obviously, that would be a problem, so just raising some of these issues, I don't
think manufacturers intend to have these problems, but some of these are just unintended
consequences or not realizing ahead of time what needs to be thought through. So just
the ability for something that is connected to continue to function or if it doesn't function,
to disclose that it will stop functioning to understand that what would happen probably
over time and it's not just a point in time. But further, the idea of platforms evolving
and changing and all of those items that are on the security side of this slide will evolve
and change over time, so being able to address them: what if there is a new protocol that's
even better? How will we address that over time especially
for some of these long term implementations of IoT like connected at home where it may
be years, it's not just a second you get a new one. The second piece here for sustainability
is disclosing what a user could change particularly if there were a handoff, so again, this may
be most relevant for connected home, but supposing I sell my house? Now what happens to my data?
How will I disable all of the embedded technology and turn it over to the user and reset it
or can I take any of it with me or how do I do that; just the whole entire question
of transferring things over, over time. Then finally, some kind of mechanism well, really
a very similar thought; some kind of mechanism if I transfer ownership of my device or as
noted in the previous bullet point, if I lose it or something breaks, how do I handle my
data stewardship over time? That's what sustainability is.
In the next three slides, I'm going to give you a very quick picture of what the framework
physically looks like. I'm not going to read through each one of these. If you would like
to see the framework, I will point you to where you can find it and you see the actual
framework. But the framework is currently made up of 35 line item criteria. This first
page gives you a screen shot of the section called security. It seems like we should have broken it
into security, privacy and sustainability, but it turns out that
the line items actually make more sense if you think about what their purpose is. So
the first one is security and you can see as you read through it, it has data security,
PII security, site security, server security, email security; all of the different pieces
that the working group called out as being critical.
As you go down over to the right, you'll see an identification of whether they are most
relevant for connected home or wearable tech. On another page, you'll see where some of
that changes. You'll see that some of them are dark circles and some of them are open
circles. The open circle portion of this is what the working group put in the recommended
side. The dark circle is the mandatory side, the minimum required to have. You go to the
next slide; the next category is actually about access and credentialing. So this is
a whole series of line items that are relevant to things like if it's a user, for instance,
a personal password, but if it's a machine to machine sort of a thing, it might be whatever
the protocol for recognizing credentialing. But there needs to be a series of best practices
of how to do that safely. Again, it's connected home and wearable tech. Then finally, the
last category is the one that's about data stewardship. This one is privacy transparency
and disclosure. One of the keys here is that word disclosure
or the word also transparency because one of the things that is a concern to OTA is
that consumers may not realize when they're buying a connected device, what data uses
and data collections and features of that product are married to the connectedness of
it. So it's not about oh, you should never collect data or oh, you should always collect
data or any kind of restriction about that. It's about disclosing what that is so that
consumers understand when they're buying it. If I buy this TV instead of that TV, am I
signing up for something with this TV that involves turning over a bunch of data or involves
some aspect of voice recognition or some aspect of connectivity to an app or something else.
And I need to know that before I buy it. So a great deal of the privacy transparency
and disclosure section has to do with that transparency and disclosure, then good, smart
data hygiene and data practices. You'll see, here's an example of one where that number
22, disclosing the function or failure to function, may not be relevant for the wearable side.
It's really more for the smart home. That's the idea of what would happen to my
garage door if the connectivity goes out; maybe less important for my fitness tracker. So
that's the way our framework is set up. The next question that people ask us is so what
are you doing next? Again, I mentioned that we started the working group in January. We've
been working very hard on this framework. We've done a couple of rounds of it, actually.
We published originally in August. We did a series of public commentaries. We received
an enormous amount of commentary. We've reconsolidated the framework based on
the commentary and the feedback that we've got. And what you are seeing now and if you
go to our website is what we're calling the last call version, so there are still possibly
some changes to be put on it. We're taking this version, this last call version that we're
seriously working on, we're taking it to Washington DC in a couple of weeks. So on November 18th,
we're going to be holding an IoT Trust Summit in Washington DC at the end of my part of
the presentation, you'll see that there's a link. If you would like to join us, we'd
love to have you, but we're bringing that on November 18th. It's a Wednesday so it's
exactly two weeks from today, and we will be presenting and releasing this version of
the framework which we consider to be a last call and we'll be doing it in kind of a working
group environment and discussing it. One of the things that we'll be doing in that
meeting is further validation that it applies to most recent global issues. Everyone on
this call is aware of the recent concerns and swirling of information around Safe Harbor,
so we just need to be sure that we're not in conflict with anything or that we're addressing
things as best as we can, and ultimately, trying to pursue first a voluntary code of
conduct. We think that's the first step and as I said, we're always trying to do public,
private partnership and we're trying to move always to support innovations. So our first
step is always voluntary code of conduct rather than going directly to trying to pressure
legislators or anything like that. But what we want to do is make a very practical
framework that companies and individuals can use as a checklist to really be smart about
privacy, security and sustainability as they develop Internet of Things solutions. We would
like that to evolve to some ability to enforce it or at least to measure and identify it.
So in that idea of honor roll, to be able to say these people are doing it, these people
are not. Then ultimately, have some kind of a seal program with that, so that's where
we are headed. We're constantly trying to collaborate with other organizations. As I
said, if you would like to give us feedback, we would love to have that. So on the next
slide, you will see some links. I realize you're watching it on your screen so you can't
click the links, but this information?these are the locations of different places that
you can get to us. The first one is everyone is welcome to see
the framework. The framework is not private to OTA members. It's on our website. It's
at the location, the OTAlliance.org. You can actually download the framework, but the
other thing and the important thing on the top on there is that you can submit these
things back to us, so there is a place where there is a form and you can send us anything
you think about, or any other line item that you'd like to speak to. The next thing you can do
is you can actually join the OTA's IoT working group, and that is somewhat separate from you
can also join OTA as a supporting member, so those are kind of two separate things.
The companies that are supporting members of ours, you're welcome to join any working
group, but if you have a specific unique interest in the IoT working group work individually,
we have a possibility of you being able to apply for that alone; that for you or your
organization. So there's a link to that and we have an application
for that. We would love for you to come to Washington DC on November 18th and we have
a registration link for that in our upcoming event section. Then finally, if there's anything
I forgot to say or that you'd like to know more about OTA and IoT, please contact us
or send me an email.
Christian: Well, great. Thank you, Madeline.
We're now going to introduce Lancen Lachance from GlobalSign to talk about best practices
and implementation based on a lot of the things Madeline just talked about with the framework
that's being developed.
Lancen: Great, thank you, Christian and Madeline.
I'd like to kind of segue here into acknowledging some of the trends we see in the marketplace
in that privacy and security more and more are becoming real distinguishing factors in
differentiating a product in a very crowded IoT space right now. Leveraging that is going
to be critical for organizations to remain competitive as well as reduce their risks,
so we'll take that as an assumption here going forward and look into the next step of actually
how you can approach meeting some of these guidelines and frameworks like what the OTA
is presenting here. So what we'll outline is some general approaches here covering security
by design, standing on the shoulders of giants and consuming existing success stories within
the internet. Then looking at how the Internet of Everything
or the Internet of Things is really evolving some of the approaches as well. Leading off
the first topic is a concept of security by design, and really the concept of security
by design is driven by the notion that changes are much cheaper to implement and enforce
earlier in the design cycle. Proper information security is rarely ever bolt-on, so really
you're benefiting your organization and your strategy by doing this upfront in the design
lifecycle so that your cost and risks and competitive advantage is maintained once that
product is taken to market. The real question, though is how do you do this and really what
do you mean by security by design? So the how is definitely going to be different depending
on the participants in the equation here, but really what you start to do is you look
at the value components of your products and ecosystem. You try to identify where the assets are whether
it's a physical asset or a data asset or a financial asset in the ecosystem. Then you
put on kind of your black hat and think like a hacker; think about what the value of that
data is, how it might be compromised, what it might be used for? Then look through the
vectors that are potentially at risk so that that asset may be compromised. And with each of
the assets or potential threat vectors, you then assess the probability of the compromise
as well as the magnitude, how impactful a compromise would be if actually executed. Then once
you have that profile completed, you have a pretty good idea of where the key components
you need to secure in your product and ecosystem. Then you have the opportunity to evaluate
what technological components, choices, protocols, standards or components in the tech stack
you're going to choose and select, and implement security and privacy in each of those areas.
The next level of choosing the right approach that we're recommending and talking about
here is what I call standing on the shoulders of giants. And really what I'm getting at
here is that while the Internet of Things is new and there's different components that
will change your approach here. Really, this is still based around the internet, so what
this means is the internet as well as information security principles that are used within it
have really matured over the past decade. If you go through some of the details and
the framework that Madeline has proposed, you'll see a lot of common themes and best
practices embedded in there. So I think the OTA has really executed this well and taken
a lot of successes in the past and applied it to these new standards. The other component
of remembering that this is the internet is that the things and the devices and these
new things are really just one component. We still have the users and the services that
they're connected to in the organizations, and all of that has really matured along with
the internet over the past 10 years or so. To apply and capitalize on a lot of its success,
there are solutions and standards existing today providing distributed trust and privacy
and security. While there may be some lack in standards in these specific use cases,
there's a lot of applicable standards we can look to apply and model into these new internet
of things ecosystems. One of the solutions I'm going to dive into here is PKI. And PKI,
for those who might not be familiar is public key infrastructure. It's based upon distribution
of public and private keys and securely signing certificates and identities within a model.
It's implemented in a range of different protocols. One of the most prevalent is TLS. It embodies
and enables a whole range of information security principles.
These principles, as we'll see, are directly related to core line items
within the OTA's framework. So the first one we'll look at is authentication, and in line
with the traditional information security principles, authentication in the sense
of authenticating devices to services, services back to devices, users to services and the
whole range and even device to device. These are all areas where PKIs are really strong
solution, and as Gartner and other industry analysts like the IEEE have noted, PKI has been
used to authenticate billions or hundreds of thousands to billions of things in the
current internet infrastructure right now. So its really a strong proof point towards
interoperability as well as scale, and there's a lot of ways you can apply and leverage this
towards the Internet of Things. The next role PKI can provide in the information security
realm is encryption, and given the types of devices we see coming online, and a lot of
the concerns that the OTA is addressing, privacy is undoubtedly a major concern. So encrypting
the communications of data in transit as well as data at rest is really essential, and by
applying PKI, you're going to enable some of these capabilities out of the box in how
you achieve privacy in your solution. So as Jonathan and Tyson from McAfee identified
here, privacy really needs to be built in as a functional requirement from the beginning
and it's not really possible to do it adequately as a bolt on after the fact.
The third role we look to PKI to provide is data integrity, so one scenario we might look
at might not be directly related to OTAs framework currently, but along the lines of an insulin
pump where it's relying on some sensor data from within the body to guide its behavior
and how it controls the release of insulin into the bloodstream. When we look and think
into that scenario, it really highlights the importance of data integrity. Another area
that we might look into there is the home scenario where you really want to be sure
that your garage door opener is relying on a trusted source of data that it's not going
to open for a spoofed data packet or anything along those lines. The other area where data
integrity is really important is another component that the OTA framework has highlighted is
the integrity of software updates that are being pushed to devices. And you can leverage technologies like code
signing to enforce and enable secured updates and devices to be sure and certain that any
code that they run and execute is a trusted entity. So those are some of the core traditional
information security principles that PKI can afford within your ecosystem. Let's look
at some of the new considerations that the Internet of Things or the Internet of Everything
is driving and how this addresses here. The first and foremost that I think is on a lot
of organizations' and individuals' minds is the size, scale and scope that the Internet of
things brings to the internet, that now we're talking about billions of devices by 2020,
depending on the number. You know, those numbers are definitely mind boggling by current standards,
and really, you need to look at technology's choices that are going to allow you to scale
to those magnitudes. The other component that definitely drives
and differentiates the Internet of Things is the diversity of devices and the processing
power that they may or may not have as they're connecting to the internet. So this is a constraint
that's going to guide some of the technical choices; interoperability within these
devices is going to be a really core analytical point as you make your solutions. Then, leveraging
off of both of those, we see much more complex trust models and relationships within Internet
of Things ecosystems, where the diversity of devices is huge, the number of users is increasing,
and the number of potential services you're integrating is really complicated as well.
It's important to think about how you're going to bootstrap trust and manage the trusted
relationships between all those entities, things and services within your ecosystem.
Then we have the notion of time and lifecycle across all of these devices and cloud services:
thinking about how you're going to provision devices, manage them once they're in operation,
and then transition them to a new owner or deprecate them from service. Those are all very
nuanced components that are going to be very specific to your business case and your product
usage, but they will also drive your technical choices in how you apply a solution like PKI
in your environment. So in this sense, GlobalSign is really keen to leverage a proven
technology like PKI in the Internet of Things, and in this light we're investing: we have
a new product portfolio in our high volume PKI infrastructure. This is a new service
and platform that's really designed with scale and flexibility in mind and that can meet the
high volume needs of the Internet of Everything. So when we look at some of the attributes
of the Internet of Things, the first and foremost two here are the volume and velocity of identities
that need to be verified. This is potentially billions of certificates or identities or
relying parties per ecosystem, which is orders of magnitude beyond traditional internet scale.
Then we look at the variety of devices as well as the usage and lifecycle. To handle
this, we recognize that there are flexible certificate needs and different trust models
to support these different use cases. So being able to provide all of this in a very cost
effective and scalable business sense, and growing from a proof of concept to a small
deployment to really billions of things and identities, Internet of Things scale, is really
important. This next example here kind of breaks down a hypothetical scenario with a cloud
provider and an ecosystem of services and users, and you'll see some very close similarities
between this diagram and one that Madeline showed prior in the presentation. But we'll start
with the cloud provider, who has a number of web services exposed, whether they're APIs
or web portals. And we'll start with the things connected
to the web services, likely from an API service standpoint: the things connecting to the
web services to either consume data, send data or receive command and control signals.
Then we definitely have the consumers in this scenario that are potentially accessing that
web portal via a web browser, or potentially interfacing with the things directly or with
the things via a mobile device. Then we have the business users who are accessing the administrative
portal to administer the cloud services for the business. Then in a lot of scenarios,
we will see partners or vendors or other third parties accessing either a web interface or
integrating their business systems into the cloud provider's web services. Then there are
potentially other third party applications that are either consuming the web services
for additional data analytics or allowing the consumer to use that data in a third party
application for some additional features or functionality.
So then within each one of these, we start looking at how the communications and the
connections and the trust are maintained between those entities. That trust model is going
to be very distinct or different depending on the specifics of the use case as well
as the control or influence the cloud provider has over the entities that are connected to
it. So in the first case, we'll look at the things connecting to the web services, and
in early Internet of Things use cases, we see that this is very much a private trust
model. What I mean by a private trust model is that the cloud provider generally
controls enrollment and controls that realm of things out in the ecosystem. As the Internet
of Things matures, we see that evolving into a more public trust model where there
might be a more open enrollment of things, but in the initial scenarios, a private trust
model is generally sufficient from what we've seen. Then we move into the consumer space,
where the consumers are connected to the web portal, and that's a much more open trust
model where the consumers are a wider range of entities authenticating and integrating,
and their devices connecting are going to be a bit more diverse, so this is a public
trust model. A number of times the way you'll see this enabled is through SSL, which is a
very popular use case of PKI. The administrator portal could be a private trust scenario,
but just as easily advocated as a public trust, depending on the technology involved. Then
on the vendor side, we'll likely see a public trust model, where the vendor ecosystem
is a much wider range and the cloud provider isn't necessarily controlling all of that
integration there, and similar with the third party applications.
So the questions that an organization will need to look at are: how are they going to manage
the entities and identities within each one of these components? How are they going to
leverage technologies like PKI? And if they are choosing PKI, how do they manage the scope
and diversity of all of these entities in here? So this is really where a provider like
GlobalSign is able to come in and help manage some of these areas for a cloud provider,
provide it as a software as a service model, and be able to scale as that cloud provider's
business model grows. So really, what's the answer to identity and security and privacy
in the Internet of Everything? I think we've seen this theme through the presentation,
but really, we're advocating to implement the security and identity concepts from the
onset so that you can have a private and secure implementation.
If you are going to choose technologies and work with service providers, make sure that
those service providers are able and capable of maintaining security and oversight. In
this sense, GlobalSign operates a WebTrust accredited infrastructure for our PKI services,
so it offloads a lot of that risk and cost from an entity onto a third party like GlobalSign.
Really, what we see as a winning path here is to leverage established standards. The
Internet of Things is really still the internet, so there are a lot of proven standards that
have been tested and vetted to serve at a very high scale, serving authentication
and authorization, encryption and data integrity. So you're best served to go with existing,
proven solutions rather than try to adopt something new that hasn't been proven yet.
We also recognize that each deployment has its own needs, so the solutions that are
chosen need to be flexible and able to handle the wide range of use cases we see.
In that light, I'd like to announce our GlobalSign
IoT developer program to the audience here. Really, what this is, is enabling you to build
identity management and security and privacy into your IoT solution from a proof of concept
stage and be able to grow into a development and production stage within the same infrastructure,
minimizing the capital expenditures required and shifting some of those into an operational
expense that you can match with the revenues, and being able to handle a really optimistic
and highly scaled scenario, which we hope everybody that's growing an IoT product and business
can achieve here, but also being able to integrate this with a very flexible approach, with modern
integration tools like REST and JSON-style APIs. If you do have any interest,
please reach out to us after this presentation. I'd love to talk with anybody about their
proofs of concept or their goals in the IoT space. So with that, I'll hand it over
to Christian to wrap up.

Christian: Alright, great. Well, in order
to learn more about GlobalSign, you can connect with us on Twitter and LinkedIn and also visit
us at www.globalsign.com. We're now going to start taking your questions. Once again,
if you do have a question, you can use the question field within the GoToWebinar toolbar
to type in your question and we'll get to it. We do have a few questions that have come
in so far. The first one looks like it can be directed towards both Madeline and Lancen.
Madeline, I'll have you answer this one first, with Lancen chiming in on it, too. Looking
at the framework, lots of good stuff; what if I don't know how to implement things within
the framework, and how can I ask for help in the implementation process?
Madeline: Thanks, Christian. That's a great question. Actually, that is something that
OTA is hoping to be helpful with in general. We are in the process of putting together
a guide, sort of a companion guide with resources and perhaps a little bit more description
that aligns with the framework, so as we move forward, that is still in development. But
as we move forward, we hope to be able to share with people further details, descriptions
and advice and best practices, much more than would fit on the small line item that you
saw on the framework, and links to or directions to some of those resources that we ourselves
have used as best practices, so that people have much more step by step guidance. We're
not trying to be prescriptive with an exact course of action. We're trying to be broad
with resources and definitions to let people know where to turn, but definitely, one of
the places to turn is the various tactical and strategic experts in different privacy
and security industries.

Christian: Lancen, we can help them out on the technology side.

Lancen: Yeah, definitely. I think, you know,
as Madeline alluded, we would love to engage with any proof of concept or early questions
to help sort out where the technical hurdles are. As Madeline mentioned, we're one
part of the security and privacy solution. So we're happy to work with any organization,
and any collaboration as well is really welcome. There's a lot of expertise GlobalSign has
built over the years in deploying PKI at scale as well as Identity and Access Management,
so helping organizations apply that to the Internet of Things is really a great area and good
discussion point to have.

Christian: Thanks, Lancen. Thanks, Madeline.
Looks like our next question is probably more geared towards Lancen on the technology side.
You talked about PKI; what are some alternatives to PKI for securing IoT, and is PKI the best
method?

Lancen: Sure, yeah. It is a good question
and obviously, as we've gone through it, it's really going to depend, but there are a number
of areas where PKI excels over alternatives. Some of the alternatives you might look
at to PKI are things like symmetric keys or shared secrets or API keys to manage the identity
and authentication of devices. Some of those might be good enough in certain scenarios,
but ultimately, a lot of those start falling over when you look at scale, when you look
at more robust trust agility. Trust agility in the sense of having unique device identification
components and having the ability to share trust in a broader ecosystem. Those are where
some of the initial solutions like symmetric keys start falling over, so by building in
PKI from the beginning, you also have the ability to start leveraging some of the hardware
trends we see as being really important in the IoT, like secured hardware; securing
the private keys within those hardware components and leveraging roots of trust within those
hardware components are nicely aligned with PKI as well. So for a future solution, PKI
is really well shaped up.

Christian: Thanks, Lancen. Looks like we have
one more question. If you do have another question, please get it into the question
field now. Looks like we did get one more that came in also. Madeline, this one's for
you. How can I get involved with the IoT and also with the framework?

Madeline: Yeah, no, that's great. Thank you for asking. We want everyone's involvement
as much as possible. That is what we're looking for. The key levels are: if you would like
to simply look at the framework, it is on our website under our IoT initiative. Our
website is OTAlliance.org. Under the IoT initiative, you will find not
only the framework itself, but also you can access all the public commentary we've received,
so if you'd like to know what other people are commenting on, that's an area where you
can get that, and you can submit your comments to us. That is a way that a person can get
involved or an organization can get involved even totally aside from membership. Obviously,
we would love to have people be members of OTA. We are big believers in the work we do,
and that allows you to get involved at two different levels. You can get involved specifically
in the IoT working group, and the application to do so is on that same section of our website,
under IoT. If you would like to become a supporting member
of OTA overall, some of our other initiatives have to do with email integrity. We have a
working group around that. We have a security SSO group that specializes in that. We have
a privacy group that specializes in that. I'm actually one of the co-chairs of the IoT
committee. I'm also chairing the advertising integrity initiative, if anyone has an interest in that,
so we have a lot of different initiatives, but if you'd like to become a supporting member,
there is a whole section on the website about membership and who our members are and
the process for that. Then finally, we would love for anyone to
come to Washington DC. In our event section, there's a link for registration and all the
information about our events. We're having a membership meeting day on Tuesday, the 17th;
we're having our IoT trust summit on Wednesday, the 18th. The trust summit is open to anyone
who would like to come. Just follow the registration link.
Christian: Great. Thanks, Madeline. We did get one more question that came in. Would
the OTA certification for trust in IoT that Madeline spoke about be certification
for the company or for individual developers, engineers and designers?

Madeline: That is a great question. We are still in the process of envisioning what such
a certification program would look like. First of all, I will definitely take back that question
as a thought, because that's a great way to think of it: is it something that a person
or an individual can get certified in, or is it something an organization is trusted for, or
even something where a product itself receives a seal or a label? These are great
questions, and the road ahead of exactly how a certification program would be put together
will be one of the topics of the trust summit on Wednesday, the 18th. But we are definitely
looking into all versions of how that could work so that we can move forward with that.

Christian: Alright, great. Well, thanks, Madeline. It looks like that was our last question.
Madeline, I would like to thank you for your participation with us today, and Lancen, the
same. Once again, if anyone has any questions, Madeline's provided her information to contact
the OTA. And also for GlobalSign, you're welcome to check us out on the website, and we will
be sending out the link to this recorded presentation within the next day or so, so that everyone
has that. Thank you, everyone, for attending today.
