Vincent van der Leest, Director Product Marketing
Even if you’d never heard of the General Data Protection Regulation, you likely saw it in action. That visible evidence came last year as the end of May approached and you started noticing your inbox was full of emails informing you that new privacy policies were in effect at almost every website you’ve ever visited. And for good measure, a lot of websites you visited displayed pop-up windows – and still do – asking you to acknowledge their privacy policies. The GDPR celebrated its first birthday a couple of weeks ago, so it seems a good time to look back at its impact on security.
What GDPR Does and Why Companies Care
The GDPR is a legal framework that recognizes and codifies Europeans’ fundamental right to protection of their personal data. These new policies and procedures are intended to deliver transparency and trust for corporate use of our personal data. Strictly speaking it applies only when the person whose data is handled – “subject” in the regulation’s parlance – or the entity collecting or processing that data is in the European Union.
But the reality is that non-EU companies operating commercial websites have an interest in maintaining relationships with customers in Europe, and the possibility remains that non-EU countries may adopt GDPR-like regulations in the future. So, as a practical matter, companies around the world have worked to comply.
The risk of non-compliance is notable, as the GDPR raised the stakes of data breaches. Fines are significant: either 4 percent of annual revenue or €20 million, whichever is greater. The greatest and possibly best known penalty imposed for lack of GDPR compliance is the €50 million fine Google received from the French authorities. Another well-known area of exposure is the servers that host user credentials for websites, applications, and even the customer data of physical shops. Most of the breaches reported under the GDPR are related to these kinds of databases, but some of the biggest leaks known to date have yet to draw punitive action from the authorities overseeing the GDPR.
Also, companies such as Facebook are under constant scrutiny from GDPR authorities, but up to now they have not received a GDPR-related fine. The financial liability for bad security implementations should encourage businesses to invest in security-by-design and privacy-by-design methodologies.
To help companies with large user databases comply with the GDPR, Authentico Technologies recently launched its product CIPHRA, which uses Intrinsic ID’s product to safeguard customer data. CIPHRA guarantees organizations that their password database is secure even if the database gets hacked or stolen in a data breach, regardless of the password strength and the computing resources the attacker has access to. In other words, the database is useless for any offline password recovery attacks.
GDPR’s Implications for Embedded IoT Security
Besides rules and regulations on how companies are supposed to handle privacy-sensitive data in their possession, some aspects of the GDPR also have implications for embedded IoT security. The legislation stipulates that all connected products – such as those on the Internet of Things – be designed to “resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data.” This broad scope includes “preventing unauthorized access to electronic communications networks and malicious code distribution.” The importance of this directive for IoT devices was made loud and clear when an Austrian CCTV camera company was fined recently under the GDPR, a first for mishandling video data. So, the GDPR not only mandates new policies for handling personal data, but also raises the bar for overall network security.
This leaves unaddressed the not-so-small technical problem of how to actually establish trust in embedded IoT devices. The foundation of trust towards the outside world can be established with a robust device identity by way of cryptographic keys, allowing a device to authenticate itself to other devices, for example in the case of an IoT device connecting to the Amazon cloud.
A recent initiative from the well-respected Trusted Computing Group (TCG) for enhancing IoT security is the Device Identifier Composition Engine (DICE). DICE defines methods to use device-unique keys to provide a secure attestation mechanism. It enables external verification of a chip’s identity together with its current software state. Knowing that you are communicating with the correct device and that it is running the expected software is a fundamental baseline for trust in a device.
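To make the DICE idea concrete, here is an added example (not Intrinsic ID’s or the TCG’s code) of a simplified DICE-style boot chain: each layer measures the next image, refuses to boot anything not on an approved list, and derives the next Compound Device Identifier (CDI) from its own secret and that measurement, so the resulting identity key depends on both the chip and the software it is running. It uses symmetric HMAC challenge-response for attestation to stay within the Python standard library; real DICE profiles typically derive asymmetric keys. The Unique Device Secret (UDS), the firmware images and the approved digests are constructed sample values.

```python
"""Simplified DICE-style identity chain (added example, not product or TCG code)."""
import hashlib
import hmac
import os

# Unique Device Secret: in a real device this comes from secure hardware
# (for example an SRAM PUF) and never leaves the chip. Constructed sample value.
UDS = bytes.fromhex("0f" * 32)

# Constructed sample firmware images for a two-layer boot chain.
LAYER0_FW = b"bootloader v1.0 (constructed sample image)"
LAYER1_FW = b"application v2.3 (constructed sample image)"


def measure(firmware: bytes) -> bytes:
    """Measurement of a layer: the SHA-256 digest of its image."""
    return hashlib.sha256(firmware).digest()


def derive_cdi(parent_secret: bytes, firmware: bytes) -> bytes:
    """CDI for the next layer: CDI_n = HMAC-SHA256(CDI_(n-1), H(firmware_n)).
    Layer 0 uses the UDS as its parent secret. Because the derivation is
    one-way, a compromised layer cannot recover the secret of the layer
    that booted it, and any change to the image changes the CDI."""
    return hmac.new(parent_secret, measure(firmware), hashlib.sha256).digest()


def boot_chain(uds: bytes, layers: list[bytes], approved: set[bytes]) -> list[bytes]:
    """Walk the boot chain: validate each image against the approved digests
    (software validation), then derive that layer's CDI. Returns one CDI per
    layer; raises ValueError and stops booting on an unapproved image."""
    cdis = []
    secret = uds
    for index, firmware in enumerate(layers):
        if measure(firmware) not in approved:
            raise ValueError(f"layer {index}: image not approved, halting boot")
        secret = derive_cdi(secret, firmware)
        cdis.append(secret)
    return cdis


def boots_cleanly(uds: bytes, layers: list[bytes], approved: set[bytes]) -> bool:
    """Convenience wrapper: True if every layer passes validation."""
    try:
        boot_chain(uds, layers, approved)
        return True
    except ValueError:
        return False


def identity_key(cdi: bytes) -> bytes:
    """Derive the layer's attestation key from its CDI. Nothing is stored:
    the same device running the same software reproduces the same key."""
    return hmac.new(cdi, b"dice-attestation-key", hashlib.sha256).digest()


def attest(cdi: bytes, nonce: bytes) -> bytes:
    """Device side of a symmetric challenge-response attestation."""
    return hmac.new(identity_key(cdi), nonce, hashlib.sha256).digest()


def verify(expected_cdi: bytes, nonce: bytes, response: bytes) -> bool:
    """Verifier side: a party able to compute the expected CDI (it holds the
    device's UDS from provisioning plus the approved firmware digests) checks
    the response in constant time. A wrong device or wrong software fails."""
    return hmac.compare_digest(attest(expected_cdi, nonce), response)


if __name__ == "__main__":
    approved = {measure(LAYER0_FW), measure(LAYER1_FW)}
    cdis = boot_chain(UDS, [LAYER0_FW, LAYER1_FW], approved)
    nonce = os.urandom(16)
    print("genuine device, approved software:", verify(cdis[1], nonce, attest(cdis[1], nonce)))
    tampered_cdi = derive_cdi(cdis[0], LAYER1_FW + b"!")  # same chip, altered app
    print("same chip, altered application:   ", verify(cdis[1], nonce, attest(tampered_cdi, nonce)))
    print("altered image allowed to boot:    ", boots_cleanly(UDS, [LAYER0_FW, LAYER1_FW + b"!"], approved))
```

The verifier never sees the UDS or a CDI on the wire, only an HMAC over a fresh nonce, and a device that boots modified software simply cannot produce a response that matches the expected identity.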
GDPR Compliance’s Best Friend: Unclonable Device Identities
One of the most secure ways of establishing this device identity, and thereby creating trust in an IoT device, is to use inherent differences in the physical characteristics of each chip. Since these variations are uncontrollable, the physical properties cannot be copied or cloned. It turns out that every SRAM cell has its own preferred state every time it is powered up, which can be used to create an SRAM PUF, or Physical Unclonable Function. With the SRAM PUF, keys are never stored, but only regenerated when they are needed. When the SRAM is not powered there is no key present on the chip, making the solution very secure against reverse engineering and key extraction. This way an unclonable identity can be created for any IoT device.
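The following is an added example (not Intrinsic ID’s product code) that shows how a key can be regenerated from a noisy SRAM start-up pattern rather than stored. It models the two halves of a fuzzy extractor: one-time enrollment, which produces public helper data from the PUF response and the key bits, and reconstruction at every boot, which corrects the power-up noise with a simple repetition code and hashes the result into the key. The SRAM fingerprint, the noise model and the key bits are constructed sample data, and the 7-bit repetition code is chosen for readability; production designs use stronger error-correcting codes.

```python
"""SRAM PUF key reconstruction with a repetition-code fuzzy extractor (added example)."""
import hashlib
import random

REPEAT = 7        # each key bit is spread over 7 SRAM cells; majority vote corrects up to 3 flips
KEY_BITS = 128    # key material before hashing


def sram_startup(fingerprint: list[int], bit_error_rate: float, rng: random.Random) -> list[int]:
    """One power-up of the SRAM: each cell takes its preferred value except a
    small fraction that flips (constructed noise model of start-up behaviour)."""
    return [b ^ (1 if rng.random() < bit_error_rate else 0) for b in fingerprint]


def enroll(response: list[int], key_bits: list[int]) -> list[int]:
    """One-time enrollment. Helper data = repetition codeword XOR PUF response.
    The helper data can live in ordinary non-volatile memory: without the PUF
    response it reveals nothing useful about the key bits."""
    if len(response) != len(key_bits) * REPEAT:
        raise ValueError("response length must equal len(key_bits) * REPEAT")
    codeword = [k for k in key_bits for _ in range(REPEAT)]
    return [c ^ r for c, r in zip(codeword, response)]


def reconstruct(response: list[int], helper: list[int]) -> list[int]:
    """Every boot: XOR a fresh (noisy) response with the helper data to recover
    a noisy codeword, then majority-vote each block back to one key bit."""
    noisy_codeword = [h ^ r for h, r in zip(helper, response)]
    return [
        1 if sum(noisy_codeword[i:i + REPEAT]) > REPEAT // 2 else 0
        for i in range(0, len(noisy_codeword), REPEAT)
    ]


def key_from_bits(bits: list[int]) -> bytes:
    """Hash the corrected bits into the device key. The key exists only while
    this value is in use and is never written to storage."""
    packed = int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")
    return hashlib.sha256(packed).digest()


def flip(bits: list[int], positions: list[int]) -> list[int]:
    """Return a copy of bits with the given positions inverted (for experiments)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo(seed: int = 2024, bit_error_rate: float = 0.02, boots: int = 5) -> tuple[list[bytes], bytes]:
    """Enroll a constructed chip, then regenerate the key over several noisy
    power-ups. Returns the per-boot keys and the enrolled reference key."""
    rng = random.Random(seed)
    fingerprint = [rng.randint(0, 1) for _ in range(KEY_BITS * REPEAT)]   # this chip's preferred cell states
    key_bits = [rng.randint(0, 1) for _ in range(KEY_BITS)]
    helper = enroll(sram_startup(fingerprint, bit_error_rate, rng), key_bits)
    keys = [
        key_from_bits(reconstruct(sram_startup(fingerprint, bit_error_rate, rng), helper))
        for _ in range(boots)
    ]
    return keys, key_from_bits(key_bits)


if __name__ == "__main__":
    keys, reference = demo()
    print("key regenerated on every boot:", all(k == reference for k in keys))
```

Two properties worth noting: the helper data plus a response from a different chip yields a different key, so cloning the helper data alone gains nothing, and the noise budget of the code (three flips per block here) is exactly what a designer has to match against the measured bit error rate of the SRAM across temperature and voltage.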
The keys and identity of the device are used for the cryptographic mechanisms required to handle sensitive data, like encryption and signing. With encryption, data is protected from eavesdropping by malicious entities. Data signing is used to prove the source of data and prevent an attacker from altering the data, hence protecting the data integrity. The keys are also used to validate the origin and integrity of all software running on a device, to make sure only approved code is running on the device. The keys, and therefore the identity of the device, need to be invisible and immutable to attackers, to make sure that the cryptographic mechanism cannot be broken or reverse-engineered, which would compromise the sensitive data. The cryptographic processes and software validation together form the so-called Root of Trust, which is anchored to the IoT device by the device identity and the keys to create the highest level of trust possible for IoT devices.
The significance of this level of data security is paramount in the era of GDPR and privacy by design. Just one year after GDPR’s launch and the ensuing ramifications for companies worldwide, it’s clear that all organizations must ensure that they are proactively protecting privacy. A device Root of Trust is critical when handling privacy-sensitive data on IoT devices. With GDPR and the similar regulations likely to follow, trust must start at the device level and build from there.
Vincent van der Leest is Director Product Marketing at Intrinsic ID. In his 9 years at Intrinsic ID, Vincent’s roles within the organization have included business development and managing the company’s portfolio of European-funded projects. Vincent is author or co-author of a number of scientific papers on Intrinsic ID’s core technology, as well as several of the company’s patents. He holds a master’s degree in Electrical Engineering from Eindhoven University of Technology and worked for ASML and Philips before joining Intrinsic ID.