Securing Apps on The Internet of Things
Ishay Tentser came from the renowned IDF "Mamram" unit (center of computing and information systems), where he served as a team leader on a large communications project. Since 2010, he has been running Initech, a software development company that focuses on the planning, design and implementation of products related to "the internet of things". In this article, he describes the difficulty programmers face in applying security standards to their products, and explains why these challenges are never purely technical.
Please tell us about yourself and your company background.
I have been an entrepreneur ever since my release from the military. My most renowned startup was called “Your Story”, a unique solution that allowed participants to exchange ideas, plan and brainstorm collaborative writing processes for business and private applications.
Unfortunately, we had to close down in 2010 after realizing Google was developing a similar product. Competing with Google didn’t seem like a good idea at the time. I decided to take a different path and founded Initech, an innovative software company that develops digital products, offering a variety of services including UX characterization, product support, chat bots, performance optimization and information security by design for startups and online businesses within the “internet of things” arena.
Many people are concerned that the internet of things is dangerous to personal privacy. Do you agree?
Yes. What the market is really lacking these days is a stronger connection between international privacy regulations and a technology that enables online businesses to apply these laws. In addition, there’s a need to minimize the gap between the EU privacy regulations, which are very strict, and the US online surveillance policy, which is on the other side of the scales. We have seen the Safe Harbor agreement being canceled this year, and despite the international efforts to find common ground, from the developer’s perspective it’s very difficult to address those differences.
When diving into the details, one of the problems you see is that there are an awful lot of devices which are transmitting sensitive data virtually all the time: They know what we’re doing and can intentionally or unintentionally record sensitive or personal data. Most users aren’t really aware of what their devices are capable of.
The majority of manufacturers only focus on one part of information security, which is encrypting the data while it transfers from one end to another. That’s hardly enough, because there are many unsecured endpoints which make it possible to copy data via Bluetooth, simply by passing next to a device.
So we have a new ecosystem which manufacturers have not yet managed to map out; what we need is to look at the entire map, identify the Achilles’ heels and secure them just like we secure websites, while taking into account all the unexpected places where data can be stolen from.
What does Initech do to secure the apps it develops?
We offer a number of security levels. First and foremost, we work with a lawyer who specializes in information security, so if a client is unaware of the issue, we raise it and sit down to think about what sensitive data exists in the system, how exactly that data is going to be extracted, where it is going to be stored and how the whole thing is going to operate from the security perspective.
For example, one very important aspect is making sure that EU citizens’ information is never stored on a US server. This is something that many US startups are not aware of, and by doing so they are breaking EU law. So whenever a new customer approaches us, we raise these issues and assist them in making the necessary changes in how they work so they can comply with the law.
Some companies gather more information than they actually need, so we make sure to only collect what’s necessary for the core functioning of the app / device. Information is power, and it can be taken to all sorts of directions. The data collected by the apps we develop will always be stored on secure servers.
There’s a concept called “the right to be forgotten” which we hold closely in our day-to-day work. Let’s say someone wore a smart bracelet for a training session, which collected data such as what he ate and how many calories he burnt. That’s the kind of info that should be forgotten once that person has taken off his smart bracelet. But let’s say that one day, that person decides to approach the company that developed this device or application, and asks to erase all his data. While companies are obliged to comply, erasing data isn’t always as straightforward when you have backups upon backups of stored data.
At Initech, we have the technology to support privacy by design, which allows us to translate the legal limitations into technological solutions, taking all legal risks into account.
From your experience, what makes the internet of things so vulnerable?
The weak link on the “internet of things” is on the device level. We ask the manufacturer to encrypt all data. On a smartphone, the info will go straight to a secured server and is immediately deleted from the device itself. We make sure it never stays on the device unless it is absolutely crucial for the immediate performance of the app. If info is stored on a secured cloud server, insights are much better, but in some cases, you don’t want the info to go online at all, so you need a security protocol on the hardware level; for example, a biometric sensor that can sense who you are, and make sure that no one else but you can use the device.
We work in collaboration with lawyer Alon Saposhnik, a privacy expert. We take the law’s demands and apply them in technology, so although we don’t develop the hardware ourselves, we guide manufacturers to stay within the standards framework.
To sum things up, the industry is lacking awareness, and since the internet of things is a relatively new concept, the market barriers are very few. Hardware is relatively cheap, so people are busy thinking about how to pull off the next best thing, and tend to think of privacy issues as something technical, which it isn’t.
If we had a unified standard for information security, things would be much simpler; certainly, technology is not the problem here, but awareness.
Before we start to protect anything, we need to understand what exactly we are aiming to guard, what is the sensitive data and how crucial is it to collect it.
For example, medical devices collect info such as your pulse, but that data doesn’t have to be saved on the device. Linking the data to the person it belongs to is only possible on a secured server, so whoever breaks into the system will only get raw info that cannot be related to a specific person.
There are many examples of such models where sensitive data is not saved, or is saved by a third party which knows how to manage such sensitive data.
One of those examples is credit cards: nowadays, it is rare to see a website that saves its customers’ payment data; instead, they use secure payment gateways, as no website wants the risk of being hacked. The payment gateway in this example is the one responsible for securing that data. The same applies to user identification services. On the internet of things, identity is digital, so you need to have someone who’s authorized to identify users.
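The two ideas in this answer, keeping raw sensor readings apart from the identity they belong to so that a stolen measurement store reveals nothing about a specific person, and honouring a "right to be forgotten" request even when backups exist, can be sketched in a few classes. The following is an added illustration written for this page; it is not Initech's code, and the `Device`, `Server`, record layout and sample readings are all constructed assumptions.

```python
# Added example (not Initech's code): pseudonymous sensor records kept apart
# from the identity mapping, plus an erasure that survives a backup restore.
# All class names, record formats and sample values are constructed.
import secrets
from dataclasses import dataclass


@dataclass
class SensorRecord:
    # What the device transmits: a random token and the raw reading only.
    # The token says nothing about who the wearer is.
    token: str
    pulse_bpm: int
    timestamp: int


class Device:
    """Holds no user identity, only a random token issued at enrollment."""

    def __init__(self, token: str):
        self.token = token
        self.buffer: list[SensorRecord] = []

    def measure(self, pulse_bpm: int, timestamp: int) -> None:
        self.buffer.append(SensorRecord(self.token, pulse_bpm, timestamp))

    def flush(self, server: "Server") -> None:
        server.ingest(self.buffer)
        self.buffer.clear()  # nothing stays on the device after upload


class Server:
    def __init__(self):
        self.identities: dict[str, str] = {}      # token -> user, kept separately
        self.measurements: list[SensorRecord] = []  # raw readings, tokens only
        self.backups: list[list[SensorRecord]] = []
        self.erased_tokens: set[str] = set()      # tombstones checked on restore

    def enroll(self, user: str) -> Device:
        token = secrets.token_hex(16)
        self.identities[token] = user
        return Device(token)

    def ingest(self, records: list[SensorRecord]) -> None:
        self.measurements.extend(records)

    def snapshot_backup(self) -> None:
        self.backups.append(list(self.measurements))

    def _tokens_of(self, user: str) -> set[str]:
        return {t for t, u in self.identities.items() if u == user}

    def records_for_user(self, user: str) -> list[SensorRecord]:
        # Linking a reading to a person needs the mapping, which only lives here.
        tokens = self._tokens_of(user)
        return [r for r in self.measurements if r.token in tokens]

    def forget_user(self, user: str) -> int:
        # Right to be forgotten: drop the mapping and the live readings, and
        # record a tombstone so copies in backups cannot come back.
        tokens = self._tokens_of(user)
        for t in tokens:
            del self.identities[t]
        self.measurements = [r for r in self.measurements if r.token not in tokens]
        self.erased_tokens |= tokens
        return len(tokens)

    def restore_backup(self, index: int) -> None:
        # A restored backup is filtered against the tombstones, so erasure
        # holds even for data that was backed up before the request.
        self.measurements = [
            r for r in self.backups[index] if r.token not in self.erased_tokens
        ]


def demo() -> dict:
    """Constructed walkthrough: two users, one erasure, one backup restore."""
    server = Server()
    alice_dev = server.enroll("alice")
    bob_dev = server.enroll("bob")
    alice_dev.measure(72, 1000)
    alice_dev.measure(80, 1060)
    bob_dev.measure(65, 1010)
    alice_dev.flush(server)
    bob_dev.flush(server)
    server.snapshot_backup()            # backup taken while alice's data exists
    alice_before = len(server.records_for_user("alice"))
    server.forget_user("alice")
    server.restore_backup(0)            # must not resurrect alice's readings
    return {
        "alice_before": alice_before,
        "alice_after": len(server.records_for_user("alice")),
        "bob_after": len(server.records_for_user("bob")),
        "total_after_restore": len(server.measurements),
        "device_buffer_after_flush": len(alice_dev.buffer),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the tombstone set is the one the answer about backups raises: scrubbing every backup copy at erasure time is rarely practical, so the server instead remembers which tokens were erased and filters them out whenever a backup is restored. Because the token-to-user mapping is the only link between a reading and a person, deleting that mapping alone already turns the remaining readings into data that cannot be related to anyone.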
What makes Initech unique?
Our uniqueness lies in making the connection between the legal side and the technological side of things, in addition to a large array of services: from planning, characterization and visualization to development. It is often the case that one body is responsible for the planning while another body does the design and a third body does the actual development; such cases can cause serious budget problems, and the burden falls on the customer.
At Initech, we have different professionals to cater for your needs at each stage of development, all working together under the same roof, so the input our clients get is far more accurate, right from the first meeting and all the way to launching the product, which as a result saves the client a great deal of problems and thus lets them manage their budget better.
How do you go about securing your websites and apps from cyber attacks?
The most obvious example is when working with companies that have both US and EU clients. From the technical aspect, there is absolutely no reason to maintain separate infrastructure, but privacy regulations demand that EU data should not be stored in the US.
This created a situation where startups have broken the law because they weren’t aware of the regulatory side of things. After combining the legal perspective, we ended up rebuilding the infrastructure so that databases remain separate.
In one example, a company did not enable its clients to delete their own data, because it was too complex, so we focused on making the interface simple while enabling those actions to be performed by the user.
Professionals in key positions should never look at security as a technicality only, as the complete view of things includes legal, social and political aspects too. Only the combination of all of those together can give you a complete view. Up until a few years ago, privacy by design as a concept didn’t even exist, but there’s a great future in it as a field of expertise that combines the technical elements along with the human element of right and wrong, taking into account the ethical side of things.