By Nancy Zayed and Sam Shawki
In 2000, Professor Neil Gershenfeld, director of MIT labs, published a book called “When Things Start to Think”. While it was more about artificial intelligence, it had a lot to say about wearables and their ability to sense, respond and communicate with their environment.
We are not yet at a stage where your coffee pot can recognize your mug and then serve a hot beverage at your preferred temperature, as the book predicted, but we are getting close and, as usual, with a little bit of a twist.
Today it’s not just the upcoming Apple Watch that represents these smart devices. Larger objects weighing several tons and moving at 60 miles an hour, like our cars, will need to communicate with all kinds of other objects, large and small, stationary or moving at high speed. Moreover, the line will continue to blur between enterprise and consumer and across countries and borders.
“Recent research by Earl Perkins at Gartner indicates that, by year-end 2017, more than 20% of enterprises will have digital security services devoted to protecting business initiatives using devices and services in the Internet of Things”
While many are addressing the security aspects of the Internet of Things (IoT), most are focused on the same old concerns from when the internet became a commercial entity. These are usually the typical enterprise concerns: perimeter security using firewalls, VPN, denial-of-service prevention policies and procedures, CTO/CISO, budget and focus, employee training, review and update of network architecture, etc.
While these are all good practices, they are really reactive to things we learned in an earlier era. The problem is that, in internet time, this was enough a million years ago.
From digital commerce to Internet of Things
Several industries lead the way when it comes to securing transactions, validating identities, and orchestrating authentication and trust. One that we know all too well is the digital commerce industry. Recent advances in hardware-rooted security, tokenization, Host Card Emulation (HCE), and the more promising advances in software-rooted security promise to be extremely useful for IoT. Think about Apple Pay for a second: it uses some of these new advances and enables your finger to be scanned by your phone, which then talks to the cashier’s point-of-sale system, which in turn starts a quick conversation with both your bank and the merchant’s bank. Through the channels of Visa, Amex or MasterCard, in milliseconds identities are verified, devices are authenticated, accounts are checked, limits are analyzed, rates are set, fees are deducted and finally a digital transaction is concluded. This is an Internet of Things scenario that will be followed by many others, in which cars, TVs, pots and pans and maybe even shoes can be party to a secure digital conversation.
A new connectivity paradigm, a new security paradigm
For all these devices coming out of different industries to converse, new protocols and standards have to be developed and a new vocabulary needs to be created, or at least new extensions to an existing set need to be in place. Expect to see many players trying to position themselves for this new paradigm. Many in digital commerce are actually well positioned to do so.
It is all about freedom of ownership, which means it is all about software
The security part, however, may need to come from outside those players. Given the diversity of the objects or “things” that make up the Internet of Things, most use cases are going to be harder to implement than Apple Pay, where security is somewhat hardware bound and owned by one party: Apple.
For IoT security to work, it has to have ubiquity, transportability across devices and operating systems, and freedom of ownership, with freedom of ownership being a crucial part. Just think of a case where your iPhone needs to talk to a GE medical device, do a Google search, then relay a message to your brand new Jaguar, which needs to double check with your wife’s BMW before connecting with a certain doctor’s Galaxy tablet so that you can be at the hospital in time for your grandchild’s birth. More complex and unexpected scenarios will be possible.
For this to work, neither Apple, Google, GE, Ford, BMW, Samsung, nor Jaguar can hold a secure solution hostage based on owning a chip, a device, or a phone. In other words, Internet of Things security has to be mostly in software that is common across devices, or that at least has a standard set of common APIs across such devices.
So who has the key?
Who is great at orchestrating secure transactions among many devices made by many manufacturers across countries and borders? Very few players: mostly the credit card networks and their layers of security and technology suppliers, especially the up-and-coming software security players that may become the next big thing of the Internet of Things.
Sam Shawki, CEO, and Nancy Zayed, CTO, are founders of MagicCube, a digital commerce security start-up based in Sunnyvale, CA. Nancy is an expert in mobile devices, having spent the last decade working on the OS group at Apple. Sam has led several payment companies throughout his career, and most recently he led the Global Remote Payments area at Visa Inc. You can find both on Twitter @sshawki and @zayena.