The Internet of Things (IoT) is defined as the interconnection of highly heterogeneous network entities with networks. In IoT, the real becomes virtual: each person and thing has a location, an address and a readable counterpart on the Internet. Virtual entities can produce and consume services and collaborate toward a common purpose. In short, IoT devices are what we know as household appliances, but with computer chips that connect them to the public Internet.
In the Internet of Things vision, each physical object has a virtual component that can produce and consume services. The goal is to connect the Internet not only to people but to everything else. This is the technological evolution that represents the future of electronics, computing and communications, and its development will depend on the dynamics of innovation in different fields, from sensor networks to nanotechnology. While this interconnection will bring with it a series of unprecedented comforts, affecting the lives of many people beyond what desktops, laptops, smartphones and tablets have done, new points of view are required to ensure its safe and ethical use.
There are, however, significant obstacles to completing the IoT vision; among them, security. The speed of adoption of IoT by industry and consumers will depend on several factors: from a social perspective, concerns have already been raised regarding privacy and security; from a technological point of view, the proliferation of connected devices requires a drastic increase in the capacity to store and process data. In the IoT context, however, security should not focus only on the required security services, but also on how they are delivered: the security and privacy of the whole system, and how the IT team and the users themselves operate the embedded privacy and security features.
Privacy is one of the most sensitive aspects of IoT security. The explosion of data availability in recent years has created entities that monitor their users without their consent. IoT means anywhere, anything, any time. Its use could give users access to an unprecedented number of personalized services, while also generating a considerable amount of data. The IoT system itself could acquire information from users automatically. These considerations could lead to a series of undesirable situations, similar to how social networks currently affect the employability and personal relationships of their users. With IoT, exposure to these interactions would grow exponentially, some may argue even beyond anyone's control.
A viable solution is privacy by design, in which users have the tools with which they can manage their own data, as is currently the case. Wherever a user produces a piece of data, they can use dynamic consent tools that allow access to certain services and release as much or as little data as the user wishes. Transparency is also essential, since users must know which entities are managing their data, how and when. Service providers must be a fundamental part of this equation and must provide new service agreements with the user. Companies will adjust their agreements based on the amount of data that the user provides.
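A minimal sketch of such a dynamic consent tool with a transparency log, added here as an illustration and not taken from any existing product. The class name, service names and sensor fields are all hypothetical.

```python
from datetime import datetime, timezone

class ConsentLedger:
    """One user's consent state: which service may read which data fields."""

    def __init__(self):
        self.grants = {}   # service -> set of field names the user allows
        self.audit = []    # transparency log: who got what, and when

    def _log(self, service, action, fields, withheld=()):
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "service": service, "action": action,
            "fields": sorted(fields), "withheld": sorted(withheld),
        })

    def grant(self, service, fields):
        self.grants.setdefault(service, set()).update(fields)
        self._log(service, "grant", fields)

    def revoke(self, service, fields=None):
        # fields=None withdraws everything previously granted to the service.
        current = self.grants.get(service, set())
        removed = set(current) if fields is None else current & set(fields)
        current -= removed
        self._log(service, "revoke", removed)

    def release(self, service, reading):
        # Default deny: a service with no grant receives an empty record.
        allowed = self.grants.get(service, set())
        shared = {k: v for k, v in reading.items() if k in allowed}
        self._log(service, "release", shared, set(reading) - set(shared))
        return shared

    def who_received(self, field_name):
        return sorted({e["service"] for e in self.audit
                       if e["action"] == "release" and field_name in e["fields"]})

def demo():
    # Constructed sample reading from a hypothetical home sensor.
    reading = {"temperature_c": 21.5, "occupancy": True, "room": "living-room"}
    ledger = ConsentLedger()
    ledger.grant("heating-optimizer", {"temperature_c", "occupancy"})
    before = ledger.release("heating-optimizer", reading)
    ledger.revoke("heating-optimizer", {"occupancy"})
    after = ledger.release("heating-optimizer", reading)
    stranger = ledger.release("ad-network", reading)
    return before, after, stranger, ledger.who_received("occupancy")
```

The audit list records withheld fields as well as shared ones, so the user can see both what a service received and what it asked for but was denied.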
As for data management, deciding who manages the secrets is a major problem. Technically, cryptography and protocols protect data during the service life cycle, but certain entities may lack the resources to manage those mechanisms. Consequently, there should be policies on how to manage different data types, as well as policy implementation mechanisms. Developing these policies is not simple: it requires interpretation, translation and reconciliation of rules, each of which can be in a different language. In addition, any policy should comply with data protection laws like the European Commission’s GDPR (General Data Protection Regulation), which may change.
Authorization is another of the main concerns in IoT. Authorization and authentication share problems at their core, such as finding the balance between decentralized and distributed systems when answering the question of who is in charge of defining and publishing roles. Delegation, however, falls entirely under authorization.
Trust is also fundamental to implementing IoT effectively in an enterprise environment. In this context, trust is more than the mechanisms that reduce uncertainty between objects as they interact with each other. In IoT, these mechanisms must be able to define trust in a dynamic and collaborative environment and understand what it means to provide trust through interaction. But trust also encompasses how users feel when interacting with IoT. Feelings of impunity and of being under unknown external control can undermine the deployment of applications and services based on IoT.
There must be support for controlling the state of the virtual world. Users must be able to control their own services and must have tools that accurately describe all their interactions, so that they can form a mental map of their virtual “surroundings”. Governance helps strengthen trust in IoT. A common framework for security policies will help interoperability and guarantee the continuity of security. A governance framework can help to reduce liability and simplify data protection. A malicious transaction can be attributed to a particular user or agent, and the user or the owner of the agent can be punished.
Clearly, IoT will be more susceptible to attacks than laptops and desktop computers, since billions more devices will be produced and will consume services from heterogeneous vendors. The devices with the most limitations will be the most vulnerable, and malicious entities will try to control some devices either directly or indirectly. In this context, fault tolerance is essential to ensure the reliability of the service, but any solution must be specialized and lightweight to take into account the limited number and ease of accessibility of IoT devices.
To achieve fault tolerance in IoT, three schools of thought need to be understood. The first is to make all objects safe by default. Apart from designing secure protocols and mechanisms, researchers should strive to improve the quality of the application, since a software update across thousands of devices would be impractical. The second is to give all IoT objects the ability to know the state of the network and its services. In this system, it would be necessary to provide feedback to many other elements; for example, a surveillance system that acquires data as part of the provision of quantitative and qualitative security metrics. An important task would be the construction of a counting system that helps to monitor the state. Finally, objects must have the ability to defend themselves against network failures and attacks.
All protocols must incorporate mechanisms that respond to abnormal situations and allow the object to degrade its service. Objects should be able to use intrusion detection systems and other defensive mechanisms to protect themselves from attackers. Once an attack affects their services, IoT elements must be able to act quickly to recover from any damage that may occur. These elements must use feedback from other IoT mechanisms and entities to map the location of unsafe zones, where a connection may have caused service outages, and secure zones, where there have been no service interruptions. This information can be the basis for implementing various recovery services, such as accessing trusted areas first. The mechanisms should inform human operators of any area that could be damaged so that they can carry out maintenance operations. This self-management of the infrastructure is a key principle for IoT.
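The zone-mapping and service-degradation idea above can be sketched as follows. This is an added example, not code from any IoT framework: the thresholds, zone names and device names are assumptions, and a constructed feedback set stands in for real peer reports.

```python
from collections import defaultdict

UNSAFE_RATIO = 0.3  # assumed: share of peers reporting outages that marks a zone unsafe
MIN_PEERS = 3       # assumed: fewer distinct reporters means "unknown", not trusted

class ZoneMap:
    def __init__(self):
        self.votes = defaultdict(dict)  # zone -> {reporter: saw_outage}

    def report(self, reporter, zone, saw_outage):
        # Keep only the latest vote per reporter, so one noisy or
        # compromised device cannot flood the map with repeats.
        self.votes[zone][reporter] = saw_outage

    def classify(self, zone):
        votes = self.votes.get(zone, {})
        if len(votes) < MIN_PEERS:
            return "unknown"
        ratio = sum(votes.values()) / len(votes)
        return "unsafe" if ratio >= UNSAFE_RATIO else "secure"

    def recovery_order(self, candidates):
        # Trusted zones first, unknown zones next, unsafe zones never.
        rank = {"secure": 0, "unknown": 1}
        usable = [z for z in candidates if self.classify(z) != "unsafe"]
        return sorted(usable, key=lambda z: (rank[self.classify(z)], z))

    def operator_alerts(self):
        return sorted(z for z in self.votes if self.classify(z) == "unsafe")

def choose_mode(zone_map, candidates):
    order = zone_map.recovery_order(candidates)
    if not order:
        return ("local-only", None)        # degrade: no remote zone is usable
    if zone_map.classify(order[0]) == "secure":
        return ("full", order[0])
    return ("reduced", order[0])           # degrade: only unverified zones left

def build_demo_map():
    # Constructed feedback: (reporter, zone, saw_outage)
    zm = ZoneMap()
    for peer in ("s1", "s2", "s3"):
        zm.report(peer, "gateway-a", False)
    for _ in range(10):                     # one device repeating itself
        zm.report("s9", "gateway-a", True)
    for peer, bad in (("s1", True), ("s2", True), ("s3", False), ("s4", False)):
        zm.report(peer, "gateway-b", bad)
    zm.report("s1", "gateway-c", False)
    return zm
```

In the constructed data, the ten repeated outage reports from `s9` count as a single vote, so `gateway-a` stays classified as secure; counting raw reports instead would have let one device mark it unsafe.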
The Internet of Things is already more than a concept. By fulfilling the security requirements, people can definitely progress towards a paradigm that will improve many aspects of our daily lives. Many problems remain unsolved in different areas, such as cryptographic mechanisms, network protocols, identity and data management, user privacy, self-management and reliable architectures. Future research should carefully consider the balance between governance and legal frameworks on one side and innovation on the other. Governance can sometimes hinder innovation, but innovation, in turn, can ignore the rights of citizens. A correct balance will ensure stable progress towards achieving and securing the Internet of Things as it is planned.