by Lakshmi Randall
This article is the second in a two-part series. Read the first part here.
The first installment of this article, Bringing Context To IoT Data, underscored the importance of blending disparate IoT data, and combining it with contextual data, to reveal meaningful relationships and glean comprehensive insights to optimize decision making. It offered data virtualization as a best-fit solution to achieving these ends. This article expands on that concept and examines data privacy and security concerns in the world of connected devices, and provides a means of imparting governance to IoT solutions.
IoT Data Security and Privacy Risks
The emergence of IoT promises unparalleled benefits, albeit at a cost, for enterprises and consumers. From the consumers’ perspective, the benefits are numerous and include connected devices such as:
- medical devices that enable health care providers and their patients to work together more efficiently in monitoring and managing patients’ serious health issues
- cars that can sense and notify drivers of perilous road conditions, automatically alert first responders upon deployment of airbags, and provide vehicle diagnostics information to drivers and service facilities in real-time
- home automation systems that allow household occupants to remotely turn on heating or air conditioning units, turn on/off the burglar alarm, switch on music, view contents of the refrigerator, and warm up meals before returning home from work, etc.
However, these IoT benefits come with costs: managing and securing the enormous volume of consumers’ sensitive personal data, habits, and location information that connected devices will likely collect, transmit, store, replicate, and share. Unauthorized access to such information, and the potential for misusing it, pose genuine confidentiality risks to consumers. Extended data retention periods compound the risks associated with large volumes of sensitive data by increasing the time that the data is exposed to unauthorized access.
Mitigating IoT Data Risks Using Data Virtualization
Data virtualization provides two avenues for mitigating IoT data privacy and security risks: data minimization and data privacy by design.
Data minimization is a strategy for reducing the amount of data collected and/or replicated which, in turn, reduces exposure of sensitive data to unauthorized access. Companies should assess their data practices and business needs with the goal of developing flexible policies and practices that impose reasonable limits on the collection and retention of consumer data. However, this should be accomplished without sacrificing opportunities for future, beneficial uses of data with privacy protection. Depending on its business goals, an organization might decide against collecting any consumer data at all; collect only the data fields necessary to the product or service being offered; collect data that is less sensitive; or de-identify the data it collects. Alternatively, the organization can seek consumers’ consent for collecting additional, unexpected categories of data. Moreover, companies should pursue solutions that rely on connecting disparate data rather than replicating it.
Data virtualization offers a technological solution to support a data minimization strategy by removing the need to consolidate and centralize the data. Data virtualization establishes a layer of abstraction between data consumers and data sources, making it possible to leave all source data exactly where it is, stored across a myriad of heterogeneous systems, and to establish a virtual view for accessing all of it. This view appears as a single, unified data set to users and to all applications consuming the data. The abstraction layer contains no data of its own; it contains the metadata for accessing all the sources, and it hides the details of those sources from users. Users can run queries across the enterprise data sources as if all the data were stored in a single, unified repository. And because none of the source data is replicated, organizations can avoid the associated costs, effort, and risk.
Equally important, organizations must consider privacy at the start of any new project, and ensure that the proper security controls and privacy policies are in place during all design and development phases. Security and privacy experts should collaborate with the functional teams (e.g., Finance, Marketing) so that the business requirements and development plans for any new initiative adhere to privacy and security controls.
Data virtualization facilitates privacy by design, as the data virtualization layer doesn’t require data to be of a prescribed type or to be accessed in a certain way. New sources can easily be added to the infrastructure by connecting them to the data virtualization layer, irrespective of the data source technology. Once added, they are immediately subject to the same access controls, policies, business rules, and auditability within the data virtualization layer as any other participating source.
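The following sketch is an added illustration of the virtual view and single-point access control described above; it is not code from the article or from any data virtualization product. The sources, column names, roles, and the `query_view` function are all assumptions, and the sample data is constructed.

```python
import csv, io, sqlite3

# Constructed sample sources (assumptions): telemetry in SQLite, registry as CSV.
telemetry_db = sqlite3.connect(":memory:")
telemetry_db.execute("CREATE TABLE readings (device_id TEXT, temp_c REAL)")
telemetry_db.executemany("INSERT INTO readings VALUES (?, ?)",
                         [("th-001", 21.5), ("th-002", 19.0)])
REGISTRY_CSV = ("device_id,owner,email,region\n"
                "th-001,Ana Ruiz,ana@example.com,EU\n"
                "th-002,Bo Chen,bo@example.com,US\n")

def fetch_readings():
    cur = telemetry_db.execute(
        "SELECT device_id, temp_c FROM readings ORDER BY device_id")
    return [dict(zip(("device_id", "temp_c"), row)) for row in cur]

def fetch_registry():
    return list(csv.DictReader(io.StringIO(REGISTRY_CSV)))

def mask_email(value):
    return "***@" + value.split("@", 1)[1]

# The layer holds only metadata: where to fetch, how to join, who may see what.
VIEW = {"sources": (fetch_readings, fetch_registry), "join_key": "device_id"}
POLICY = {  # role -> {column: transform}; unlisted columns are never returned
    "analyst": {"device_id": None, "temp_c": None, "region": None},
    "support": {"device_id": None, "owner": None, "email": mask_email},
}
AUDIT = []  # one audit trail for every source behind the layer

def query_view(role, user):
    if role not in POLICY:
        AUDIT.append((user, role, "denied"))
        raise PermissionError(f"role {role!r} has no access to this view")
    left, right = (fetch() for fetch in VIEW["sources"])
    key = VIEW["join_key"]
    by_key = {row[key]: row for row in right}
    rows = []
    for row in left:  # join at query time; nothing is persisted in the layer
        merged = {**row, **by_key.get(row[key], {})}
        rows.append({col: (fn(merged[col]) if fn else merged[col])
                     for col, fn in POLICY[role].items() if col in merged})
    AUDIT.append((user, role, "allowed"))
    return rows

if __name__ == "__main__":
    print(query_view("analyst", "alice"))  # no owner or email columns
    print(query_view("support", "bob"))    # email masked, no telemetry
```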
Companies need a bird’s-eye view of all of their data, including IoT data, and a way to establish security controls over the entire infrastructure from a single point. Data virtualization provides this capability, enabling companies to comply quickly and easily with data protection and privacy requirements without investing in new hardware or rebuilding existing systems from the ground up.
Lakshmi Randall is the director of product marketing at Denodo.