-
IoT Knowledge Base
Learn the key concepts you need to know. Without the technical jargon.
-
IoT Reports & Guides
In-depth research, white-papers and guides from Pelion.
-
Blog Articles & News
The latest insights on industry trends, best practices, and Pelion announcements.
-
Events & Webinars
Upcoming events, online sessions, and expert-led webinars
-
About Us
Our mission, values, team, and the solutions we offer in the IoT space.
-
The Team
Meet our team behind Pelion's effortless connectivity.
-
Careers
Job opportunities, company culture, and the benefits of joining our team.
-
Sustainability
Our commitment to environmentally responsible practices.
-
Contact Us
- Blog Articles & News
- Keeping data safe
Keeping data safe
January 08, 2024 — 9 min read
The Internet of Things (IoT) has revolutionised the way we interact with technology and the world around us. It is a vast network of interconnected devices, objects, and sensors that communicate and exchange data over the internet. From smart homes and wearable gadgets to industrial automation and healthcare systems, IoT’s seamless integration empowers us with unprecedented efficiency, convenience, and insight. By enabling devices to collect, analyse, and act upon real-time data, IoT enhances everyday life, propels businesses forward, and fosters sustainable solutions. As this transformative technology continues to evolve, its potential to reshape industries and enhance connectivity remains boundless.
The data generated from all the devices we manage, is really where the value of IoT lies. It is this data that, when organised and presented in logical ways, allows us to make intelligent decisions about our business operations. It helps us save time and costs.
Operating in a Regulated Landscape
Collection of Data from people and devices is an increasingly regulated activity. In a continually evolving regulatory landscape, it’s important to consider the impact of General Data Protection Regulation (GDPR), ePrivacy and numerous National variations on data protection when building and deploying connected solutions that collect, process and store data. The challenges in the legal and technical landscapes across these factors coupled with the physical security of devices must all be considered when designing your solution and when selecting the correct partners.
Understanding the Regulations
General Data Protection Regulation (GDPR)
Introduced in 2018, GDPR imposes strict requirements on data processing, consent, data minimization, and protection. Non-compliance can result in hefty fines. The focus of GDPR is ensuring that the information held is relevant, current and appropriate.
ePrivacy Regulation
Works in conjunction with GDPR to protect the confidentiality of electronic communications. It covers areas such as cookie usage, unsolicited marketing, and metadata.
National Variations
Different EU member states and international jurisdictions might have slight variations or additional requirements to those imposed by GDPR in their national data protection laws. It’s important to research this thoroughly to ensure you understand the landscape you’re planning on working in.
Challenges of keeping Device Data Secure
It’s essential to carefully consider security when processing and transmitting sensitive data.
Data Transmission Challenges
From where and to where does the data travel and how does it travel?
Understanding data flows and the path which data takes from device to service is vital when implementing a solution which must protect this data.
Challenges in Secure Data Transmission
Interception: Data can be intercepted during transmission by unauthorized entities.
Data Corruption: Data may get corrupted during transmission due to various reasons, such as network issues or malicious attacks.
Regulatory Compliance: Adhering to various data protection laws and regulations, like GDPR or HIPAA, which mandate secure data transmission.
Strategies for Secure Data Transmission
Encryption: Employing encryption algorithms to secure data during transmission.
Secure Channels: Utilizing secure communication channels, such as VPNs or Transport Layer Security (TLS) for data transmission.
Authentication: Implementing robust authentication mechanisms to validate the entities involved in data transmission.
Pelion’s Data Transmission Approach
Understanding that protection of data during transmission, while also accounting for device capabilities and service requirements, allows Pelion to provide transmission solutions aligned to your deployment; solutions which mitigate many concerns about the unknown path data could take, especially when transiting from devices to services over the internet.
By enabling partners to connect to their services from Pelion’s network via IPsec VPN data is encrypted on public networks by default, providing a layer of data protection from devices which would otherwise not be capable of securing data locally for transmission.
Find out more about Security solutions such as VPNs and IPSEC
Data Storage Considerations
Where does the data live and for how long?
Understanding at which points data can be stored and how this data is then protected is equally important. In line with data classification that help us define how each data type should be protected a definition of storage time is also required.
Significance of Secure Data Storage
Secure data storage is pivotal in safeguarding data from unauthorized access, leaks, and breaches. For regulated data, ensuring that storage solutions comply with relevant laws and regulations is imperative.
Key Considerations for Data Storage
Physical Security: Ensuring that data centers and servers are physically secure to prevent unauthorised access.
Data Encryption: Encrypting data at rest to protect it from being accessed or stolen.
Backup and Recovery: Implementing robust backup and recovery solutions to safeguard data against loss or corruption.
Regulatory Compliance in Data Storage
Data Localisation: Adhering to regulations that require data to be stored within specific geographical locations.
Data Retention Policies: Ensuring compliance with data retention policies stipulated by regulatory bodies.
Data Localisation: Some countries have data residency or data sovereignty requirements, necessitating that certain types of data be stored within national borders.
Partners look for a rich understanding of their data utilisation and the use of Pelion services but are also aware that their data should not be stored when this is not necessary. Pelion captures only metadata information to provide the data Analytics and utilisation information which is made available to partners. As the contents of data packets are not stored no additional controls are required when using Pelion as a connectivity partner.
Data Sensitivity and Classification
In most solutions it is likely that the data which is transmitted falls under various different data classifications; from required technical data or public data thought to highly sensitive or secret data. Each of these classifications mandates different considerations for the protection of the data.
Understanding Data Sensitivity
Data sensitivity refers to the level of impact that unauthorised access, modification, or loss of data could have on an organisation or individual. Regulated data often has high sensitivity due so the legal and financial implications associated with it.
Data Classification
While the name of each data classification can vary by organisation it is generally accepted that IoT data is broken down into 4 classifications:
Public: Data that can be accessed by anyone without causing harm or violating privacy.
Confidential: Data that is restricted to organizational use and is not intended for public view.
Confidential Restricted: Data that has restrictions on who can access it and typically requires authorization.
Secret: Highly sensitive data that requires stringent controls and is often subject to regulatory compliance.
The importance of Data Classification comes down to two things: 1) Enhanced Security which ensures that data is adequately protected based on its sensitivity and importance and 2) Regulatory Compliance to ensure adherence to regulatory requirements.
Cryptography challenges on constrained devices
Cryptography involves securing communication and protecting information through the use of mathematical techniques. It ensures confidentiality, integrity, and authenticity of data, which is vital for managing regulated data.
Role of Cryptography in Managing Regulated Data
Securing Communication: Cryptography secures communication channels by encrypting the data during transmission.
Protecting Information: It protects information by encrypting data at rest, ensuring it is secure even if unauthorized access occurs.
Ensuring Data Integrity: Cryptographic hashes ensure that data has not been altered during transmission or storage.
Challenges and Considerations
Key Management: Ensuring secure generation, distribution, and storage of cryptographic keys.
Algorithm Selection: Choosing robust and secure cryptographic algorithms while also considering the capabilities of your chosen devices.
Compliance: Ensuring that cryptographic solutions adhere to regulatory requirements.
For data which requires the most protection; end-to-end encryption is the ideal solution, however, devices most suited to IoT deployments often operate under strict constraints and may not be able to offer localised cryptography. When ensuring that battery life is maximised and to meet the cost requirements of large-scale deployments providing transit encryption can mitigate concerns while also allowing further flexibility in device selection.
Physical security considerations for deployments – remoteness of locations
Physical security refers to the measures taken to protect tangible assets, including infrastructure, hardware, and personnel, from physical threats. In the context of managing regulated data in communications, physical security ensures that the infrastructure housing the data remains inaccessible to unauthorized individuals and safe from environmental hazards.
Why is Physical Security Important?
Physical security offers protection from unauthorised equipment access with Physical barriers and controls prevent unauthorised individuals from accessing data centers, server rooms, and other critical infrastructure. It should also be put in place to safeguard against environmental threats from natural disasters, fires, floods, and other environmental hazards.
There is regulation to mandate specific physical security measures to ensure the safety of regulated data compliance.
Key Components of Physical Security
Access Control: Systems like biometric scanners, card readers, and security personnel control who can access specific areas.
Surveillance: CCTV cameras, motion detectors, and other surveillance tools monitor and record activities in and around the premises.
Physical Barriers: Walls, fences, and gates act as deterrents and delay unauthorized access.
Environmental Controls: Fire suppression systems, climate control, and backup power supplies ensure that data centers operate safely and efficiently.
Security Training: Training staff to recognize and respond to security threats ensures a proactive approach to physical security.
The Challenges with Implementing Physical Security
Cost: Implementing robust physical security measures can be expensive, especially for state-of-the-art systems.
Maintenance: Physical security systems require regular maintenance to remain effective.
Evolving Threats: As threats evolve, so must physical security measures, necessitating regular reviews and updates.
Human Error: Even with the best systems in place, human error can compromise physical security.
Best Practices in Physical Security
Conduct Risk Assessments: Regularly assess potential threats and vulnerabilities to determine the most effective physical security measures.
Layered Defense: Implement multiple layers of security, ensuring that if one measure fails, others remain in place.
Regular Audits: Conduct regular audits to ensure compliance with regulations and identify potential areas of improvement.
Stay Updated: Keep abreast of the latest developments in physical security technology and best practices.
Physical security plays a crucial role in data protection, especially for regulated data. While digital security measures protect against cyber threats, physical security ensures that the very infrastructure housing the data remains secure. By integrating both digital and physical security measures, organizations can provide comprehensive protection for their regulated data.
Pelion has chosen to host the infrastructure which supports your solution in world class data centre locations which adhere to the highest security standards and practices while also giving unmatched access to connectivity providers.