Can Dynamic Authorization Help Resolve Manufacturers’ Security Concerns About IoT?

Gerry Gebel   ·   Monday, July 4th, 2016

The Internet of Things (IoT) has revolutionized business intelligence within manufacturing. The availability of product data means companies no longer need to rely on customers to provide them with their usage behavior or product performance data. If a product is connected, a manufacturer “simply” has to monitor the data that comes in via the connected channels, and process the information received.

With the right business intelligence tools they can identify the answers to those all-important questions, such as: How many times a day do customers actually open the fridge door? How much time does an off-road vehicle spend off-road? How long do mining drill-bits last before performance suffers? Customer feedback is no longer dependent on the customer actively providing feedback or companies actively questioning users.

This new wealth of data should benefit both customers and manufacturers. New product innovations can closely reflect user habits and behavior. Perhaps we will see a mini window in fridge doors, because nine times out of ten people reach for something on the middle shelf. Or, mining service contracts may be altered to ensure a drill bit is replaced before performance suffers.

However as we know all too well in the IAM sector, user data (at least part of it) is sensitive and has to be safeguarded. Just imagine the following scenario: a mining company is prospecting in a previously unexcavated area and the drill manufacturer is collecting and monitoring information from the drilling equipment in use. The manufacturer is now privy to highly sensitive data about the mining activities. Controls need to be in place to ensure this data is not accessible to the wrong parties, as it could have serious security implications: the mining company concerned could be about to discover rich minerals, and both the value of the land and the stocks of the company would be impacted. What is the mining company to do? If it turns off data monitoring, then equipment efficiency and performance can suffer. If data monitoring is allowed, then too much sensitive data may be shared with the equipment manufacturer – isn’t a middle ground more desirable where the customer can control data sharing via policies?

Alternatively, from a consumer perspective, there are also security implications from user data. Say that a person’s fridge is a “connected appliance” – and the data coming back suggests that they haven’t opened the fridge for three days. This person could be on vacation, leaving their home ripe for burglary. This highly sensitive personal information cannot fall into the wrong hands.

As the new custodians of sensitive product and user information, manufacturers have entered a new area of security and compliance – one that is equally as complex as IP protection and internal control/regulatory compliance – with just as a many potential pitfalls (read more on how to solve the Manufacturing Data Protection Triangle). A good case in point is the new General Data Protection Regulation (GDPR), which will be enforced in Europe in 2018. Every global manufacturer collecting data from European citizens will have to comply with this regulation, regardless of how the data is (or is not) put to use. (As a side note, if you haven’t started preparing for it, you should start now.)

The good news is that all is not lost: your enterprise does not have to lock up collected data and throw away the key to protect sensitive information. You just need a more intelligent way to allow access to the data needed for business, to deliver faster time-to-market and improved customer service, without compromising security of IP or PII. Although it may sound like a big ask, the information security part of this can be achieved if you dynamically manage authorization with fine-grained access control at API, application and data layers.

At the API and application layers dynamic authorization allows you to control the conditions under which a user can view or edit data, and at the data layer you can mask or filter the data that a user or app can access. This enables tools to mine data for business intelligence but not access and share customer critical data that should not be made available.

This is achieved through the creation and implementation of authorization policies that reflect corporate policies. Put simply, a policy might state that a user or application can access the current state of a drill bit and the rock formation being drilled, but not the location of mining equipment. With this information a manufacturer can calculate when a replacement drill bit is needed and inform the client, without knowing the location of the equipment, even if this information has been collected.

If your organization is collecting or processing sensitive information and you have any concerns about safeguarding the data, dynamic authorization could be the answer.

Read more about our solutions for manufacturers.