Service Level Management in Emerging Environments. Nader Mbarek
The iCore project also puts forth recommendations to be respected in different practical use cases in the IoT. Thus, the report (Menore 2012) emphasizes the idea of providing mechanisms to protect information infrastructure against DoS threats and to implement the mechanisms required to support the recovery of service after a failure.
The research described in Nagara et al. (2017) specifies a portable DoS testing tool that is based on a software for IoT devices. This DoS test must be carried out at the design and development stage of the product. The tool consists of an attacking entity and a monitor. The attacker carries out a DoS attack on the target device (that is, the IoT object) and transmits information on the traffic to the monitor. In this context, the “Mirai” attack was used and targeted the devices using Linux to transform them into “bots” that could be remotely controlled and used for a large-scale network attack. The tool effectively verifies whether the IoT devices are resistant or vulnerable to DoS-type attacks.
1.4.3. Privacy protection and trust in the IoT
1.4.3.1. Privacy
Protecting privacy in the IoT requires specific considerations to protect information related to a person’s privacy from being shared in this kind of environment. Data transmitted by a single object may not generate confidentiality problems that could compromise an individual’s privacy. However, when fragmented data originating from several different objects is re-assembled, compiled and analyzed, it may generate sensitive information that requires appropriate protection.
As already seen in section 1.3.2, the IoT operates in different fields of application through which personal data of the users is collected. In fact, IoT service consumers risk divulging private information, little by little, without realizing it as they are unaware of the nature of the data collected and how it is used in this kind of environment. Current approaches to data protection in IoT are based chiefly on encryption or on access control to the collected data. Nonetheless, threats to privacy in the IoT may not be covered by the mechanisms that these solutions offer. For example, data processing may be outsourced, creating the risk of data being sold for marketing or other purposes to third parties (Sicari et al. 2015).
1.4.3.2. Trust
Trust is a complex concept influenced by many measurable and unmeasurable properties. Trust is closely related to the security of systems and users and is a necessary condition. However, trust is related not only to security but to several other factors, such as the QoS provided by the system, its reliability, its availability and, therefore, the services offered by the system and so on. Another important concept related to trust is the protection of privacy. A trust system must protect the privacy of its users so as to gain their trust. Trust, security and privacy protection are crucial issues in the emerging domain of information technologies such as the IoT (Yan et al. 2014).
Trust is managed through several processes from data collection to the provision of customer service. Trust management in the IoT thus provides an efficient means of evaluating trust relations between IoT entities and helps them in taking decisions about communicating and collaborating with each other. To guarantee this trust, data detection and collection must be reliable in the IoT. Special attention must, therefore, be paid to properties of trust in this kind of environment. These properties include the sensitivity, accuracy, security, reliability, and persistence of the object, as well as the effectiveness of data collection. This collection generates an enormous volume of data that must be carefully processed and analyzed, maintaining trust in terms of reliability, protection of privacy and accuracy. Further, the data must be securely transmitted and communicated in an IoT environment. An important challenge to face in meeting this objective is managing encryption keys in the IoT, as data confidentiality is common to security services, privacy protection and trust management. Moreover, the measures needed to act against attacks that could impact all levels of the IoT environment must be taken into consideration and we must ensure that the system is robust against all types of attacks in order for users to be able to sufficiently trust their IoT environment. Finally, users expect scalable and efficient identity management. Identity management concerns all layers of the IoT architecture, starting from the object all the way up to the user of services hosted in the Cloud. Identity management must respect the confidentiality of the service user’s identity in order to respect their privacy. The context of the IoT service is likely to influence identity management strategies. For example, a critical IoT service in the field of e-health requires finer and more specific identity management (Yan et al. 2014).
1.4.3.3. Regulations
European States and the European Union have put forth various regulations for the protection of privacy. One of the most important of these is Directive 95/46/EC of the European Parliament, which emphasizes the protection of individuals with respect to the processing of personal data and the free circulation of such data (Official Journal L 281 1995). There is also the General Data Protection Regulation (GDPR), which is the European Union regulation that serves as the reference text with respect to the protection of private data. It came into effect on May 25, 2018 and brought about a significant change in the processing of user data. This regulation must be respected when offering services in the IoT and includes various requirements (Official Journal of the European Union 2016):
– process personal data equitably, lawfully and transparently;
– only collect and preserve personal data that are truly necessary and destroy these data after use;
– ensure that the data held are accurate and updated;
– ensure that you are ready to manage the increased rights of individuals;
– designate a data protection officer;
– develop and maintain a register of processing activities;
– share personal data responsibly.
1.4.3.4. Research projects
Several research projects have been carried out on trust and privacy in the IoT. For example, there is the report from the AIOTI (Alliance of Internet of Things Innovation) Workshop on Security and Privacy in IoT, which outlines the key security and privacy requirements for different application fields of the IoT. These requirements can be summarized as the user being able to monitor the data, the transparency and control of the user interface, default encryption, data insulation, continuous monitoring, etc. Further, this report highlights the importance of applying additional mechanisms such as minimizing data collection and the need for accountability in the misuse of collected personal data (AIOTI 2017).
There is also TCG (Trusted Computing Group 2018), which is a group formed by AMD, Hewlett-Packard, IBM, Intel and Microsoft, which aims to implement the concepts of “Trusted Computing” in personal computers. In this context and through the report (Hanna 2015), the TCG’s IoT subgroup defined a trust system as a system designed to be predictable even under stress. This same report specifies that to build a trusted IoT system, it is necessary to set up a hardware Root of Trust (RoT), use encryption during storage, add automation of security and protect legacy systems. The RoT can generate random numbers, store and use long-term keys and verify the integrity of the system in order to reduce risks and provide the system with strong protection. In this context, the Trusted Platform Module (TPM) is an open and interoperable ISO/IEC standard (2015b) that can specify a hardware RoT. The technical specification of this standard has been written by the TCG group. TPM provides security features such as authentication, encryption and attestation (guaranteeing the security of software or hardware to a third party). At present, TPM is integrated into billions of connected objects. Hardware Storage Encryption is a component that provides the encryption service. Hardware Storage Encryption uses Self-Encrypting Drive to provide continuous encryption with no impact on system performance. This component makes it possible to protect against physical attacks, loss or theft by instantly erasing data and cipher suites. Security automation makes it possible