Why does IoT need a different security strategy from other IT?


Enthusiastic promotion of the Internet of Things (IoT) is spreading across the electronics landscape. But the privacy and security needs of IoT services differ significantly from those of other IT applications in traditional office or home settings. That is due to their ubiquitous and embedded nature, which pervades everyday life. Privacy concerns arising from unobtrusive data collection are therefore more critical for this class of applications, and it is very important to better understand usage patterns and perceptions from an end-user perspective.

When people decide whether or not to provide personal information to an IoT service, the most important factors in that decision are trust in the organization providing the service and personal interest in using the service. Perceived privacy risk and privacy concerns have a significant influence, but are less important. There seems to be a tradeoff between convenience and concerns. IoT services are perceived as pervasive, which makes it impossible to really distinguish between business and private situations. Neither protection under international law nor up-to-date encryption technology can resolve this problem. But as IoT technology comes closer to our lives than ever before, we should prepare for this potential risk. Although personal interest and perceived usefulness may override privacy concerns in some instances, security and privacy must still be considered to a great extent. We may tolerate a light bulb going dark, but we cannot stay calm about stolen credit card data or a burglar unlocking a back door or a car. Recently, this month, security vulnerabilities in BMW's ConnectedDrive were exposed that allow unauthorised attackers to open the vehicles (http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html).

You might object: malicious people have been attacking Web sites for years. Why is the IoT different?

Let's compare it with normal IT services. Normal IT has fewer than 20 billion endpoints on the Internet, and each one is an intelligent device with some level of security software or security strategy. Most importantly, each device can have a person behind it who notices abnormal behaviour. For IoT the circumstances are different: there are many more billions of endpoints of different kinds, which extends the attack surface. Worse, these device systems will be assembled by domain experts, not security experts, and will be harder to control.

Of course, the security categories are the same: authentication and non-repudiation, integrity, confidentiality, and availability. But how are they achieved? Which layer should take over responsibility for the others?

Start with the upper layer, the cloud data centers, which are managed by different cloud providers such as Amazon, Google, CloudStack, Azure, and so forth. These providers will of course take some steps to enhance security, but we cannot ask them to follow our specific security strategy. Some vendors may provide customized services, but not all. Also, the converged data sits in their storage pool. They need this data for analytics and machine learning to offer more convenient services; on the other hand, the data may contain personal, private information. It is difficult to really distinguish between business and private situations. So we can only rely on international law and the company's professional ethics, or choose not to use the cloud service, in which case there is correspondingly no IoT service.

Next is the middleware layer, such as IoT platforms (Thingsfabric, Kaa, Smartthings...) or hubs/bridges/gateways. When choosing which to deploy, we can consider whether they use an appropriate security strategy: for example, TLS/SSL for data transmission, ACLs for authorization, OAuth2 for authentication, and perhaps a filter such as iptables in the hubs/bridges/gateways. Furthermore, these middleware devices can be merged into one device, a smart hub, which can back up our data and do some local analytics and security enhancement instead of sending all the data it collects to the cloud.
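The smart-hub idea above, as an added sketch that is not from the original post or from any of the platforms it names: the hub authenticates each reading, applies a per-device ACL, and sends only aggregates to the cloud. The device IDs, keys, topics, the HMAC-SHA256 tagging scheme and the `SmartHub` class are all assumptions for illustration, and replay protection is left out.

```python
import hashlib
import hmac
import json
import statistics

# Constructed sample data: per-device keys and the topics each device may publish to.
DEVICE_KEYS = {"thermo-01": b"k1-constructed-key", "lock-01": b"k2-constructed-key"}
ACL = {"thermo-01": {"home/temperature"}, "lock-01": {"home/door"}}

def sign(device_id, topic, value, key):
    """Tag a device would attach: HMAC-SHA256 over its id, topic and value."""
    msg = json.dumps([device_id, topic, value]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class SmartHub:
    """Hypothetical hub: authenticate, authorize, keep raw data local."""
    def __init__(self, keys, acl):
        self.keys, self.acl = keys, acl
        self.accepted = {}   # topic -> raw values, kept on the hub only
        self.rejected = []   # (device_id, reason), for local monitoring

    def ingest(self, device_id, topic, value, tag):
        key = self.keys.get(device_id)
        if key is None:
            return self._reject(device_id, "unknown device")
        # Authentication: constant-time comparison of the expected tag.
        if not hmac.compare_digest(sign(device_id, topic, value, key), tag):
            return self._reject(device_id, "bad tag")
        # Authorization: an authentic device may still be outside its ACL.
        if topic not in self.acl.get(device_id, set()):
            return self._reject(device_id, "topic not allowed")
        self.accepted.setdefault(topic, []).append(value)
        return True

    def _reject(self, device_id, reason):
        self.rejected.append((device_id, reason))
        return False

    def cloud_summary(self):
        # Only aggregates leave the hub; raw readings stay local.
        return {t: {"count": len(v), "mean": round(statistics.mean(v), 2)}
                for t, v in self.accepted.items()}

def demo():
    hub = SmartHub(DEVICE_KEYS, ACL)
    k = DEVICE_KEYS["thermo-01"]
    for v in (20.5, 21.0, 21.5):
        hub.ingest("thermo-01", "home/temperature", v,
                   sign("thermo-01", "home/temperature", v, k))
    hub.ingest("thermo-01", "home/door", 1, sign("thermo-01", "home/door", 1, k))
    hub.ingest("lock-01", "home/door", 1, "00" * 32)  # forged tag
    return hub
```
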

Last comes the bottom of the IoT hierarchy: the endpoints, things, or devices, where the security strategy is worst. The further you move down the IoT hierarchy toward the endpoints, the more vulnerable the whole system appears. The individual sensors and actuators are too compact, inexpensive, and low-energy to support a unique identity, authentication, and encryption. Especially for simple wearable or implanted sensors/actuators, even lightweight encryption would help. Many edge nodes are run by small microcontrollers (MCUs), which can be tampered with and copied, so we need an identity based on a physical unclonable function. Moreover, system monitoring may focus on interaction behaviour rather than on network traffic, so plenty of privacy work is needed for the resource data. There are more steps we need to take.

We cannot reject electricity because of the risk of shock, and likewise we cannot reject IoT or the cloud because of security concerns, since they will make our life and work more convenient, more relaxed, and also more secure. But we should be ready for it.


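About the author:

Zhou Mingchun (周明春) is a senior engineer on the Samsung Electronics VD IoT Platform, with more than 9 years of expertise and experience in the Internet of Things, cloud computing, mobile communications, network security, and messaging infrastructure. This includes extensive experience developing enterprise messaging infrastructure, developing IoT, cloud, and device-connectivity solutions, and working with mature management software and solutions and with practices such as Agile and DevOps. The author was the first in China to propose the SDT (Software Defined Things) IoT concept and holds 2 patents.

The author is a code contributor to the Open Interconnect Consortium (OIC), the smart-home device standards alliance founded by Samsung, Intel, and Dell (https://gerrit.iotivity.org/gerrit/p/iotivity.git)

https://www.iotivity.org/documentation/iotivity-services/protocol-plug-manager

The author regularly takes part in discussions in cloud computing and IoT open-source communities (OpenStack, VMware, the ECUG cloud computing user group) and follows technical developments in the open-source community.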



      

   

       

       

        
