06/25/2015

Microsoft Setting Precedents in Data Sovereignty and Residency

Microsoft recently announced that the company will open two datacenters in Canada, to provide its Azure cloud service to the Canadian Government and businesses operating in that country. Kevin Turner, Microsoft’s chief operating officer, said “this substantial investment in a Canadian cloud demonstrates how committed we are to bringing even more opportunity to Canadian businesses and government organizations, helping them fully realize the cost savings and flexibility of the cloud.” (To read the full press release from Microsoft, see here.) In an article in Toronto’s Globe and Mail newspaper about the announcement, Janet Kennedy, president of Microsoft Canada, said, “there is no technical reason to do it.” The main reasons are data sovereignty and residency.

Data residency deals with where data is physically located and where it should not go without agreement from its owner. Data sovereignty focuses more on why and how a government should protect the data located within its jurisdiction, regardless of its ownership, from foreign government agencies.

These data issues have been hot topics on both personal and business levels, especially after the Edward Snowden incident. Since then, foreign government agencies and companies have tried to mitigate the risk of leaking their information. For example, the German Government terminated its contract with Verizon in favor of Deutsche Telekom, shortly after reports of the NSA’s spying activities were disclosed by Snowden. In the Canadian Government’s case, the government was not willing to store its sensitive information in the United States where it might be subject to investigation by the U.S. Government. Microsoft responded to the Canadian Government’s concern by proposing the new datacenter plan. (In 2014, Microsoft had launched a cloud service called Azure Government, dedicated to servicing the U.S. federal government via a datacenter isolated from the rest of the Azure network.) Although Microsoft is not the first or only cloud provider dealing with data sovereignty and residency issues, it has been thrust into the center of the debate.

With the emergence of the cloud industry, physical borders between countries have become porous, and in several instances governments have tried to subpoena data physically located in another country. One notable example is a U.S. Government court order for Microsoft to provide a customer’s emails and other data stored in Microsoft’s datacenter in Dublin, Ireland. The government’s argument is that there is no need for an American citizen to step on Irish territory to retrieve the data; a couple of keystrokes is all it would take. Microsoft, on the other hand, believes that electronic access to the datacenter should be considered as entering Irish territory, since the actual data is located in Dublin. The company has yet to provide the data and is appealing the court’s decision.

Brad Smith, Microsoft’s General Counsel and Executive Vice President of Legal and Corporate Affairs, has been addressing the conflict in the Microsoft on the Issues blog. Smith argues that Microsoft will not ignore the opinions of the 96 percent of the global population outside the United States.

More than 20 tech companies such as Apple and Cisco, as well as various interested organizations, have provided amicus briefs in support of Microsoft’s position in the case. The Irish Government also expressed its support towards Microsoft; it insists that it would cooperate with the United States to facilitate the process, but the United States should not be bypassing regulations that are currently in place.

Trying to avoid potential disputes and to protect data, some countries have established regulations preventing data from not only being subpoenaed, but also being accessed and distributed to another country without consent. The European Union is in the process of finalizing its General Data Protection Regulation which, among other things, will limit exporting of personal data and ask every global organization based in Europe to appoint a data protection officer. (Countries outside the European Union with data residency restrictions include Argentina, Australia, China, Mexico, New Zealand, and Russia.)

Recently, Microsoft started providing statistics on law enforcement requests, thanks to the USA Freedom Act, just enacted on June 2, 2015. In a report to be published every six months, Microsoft informs readers of its “principles in responding to government legal demands for customer data”:

  • “[Microsoft] require[s] a valid subpoena or legal equivalent before [it] consider[s] releasing a customer’s non-content data to law enforcement;”
  • “[Microsoft] require[s] a court order or warrant before [it] consider[s] releasing a customer’s content data;”
  • “In each instance, [it] carefully examine[s] the requests [it] receive[s] for a customer’s information to make sure they are in accord with the laws, rules and procedures that apply.”

In the second half of 2014, data from 52,997 accounts were requested by law enforcement agencies around the globe in a total of 31,002 requests. Only 7.55% of the requests were rejected outright by Microsoft, and the company disclosed the data contents of 3.36% of the accounts requested. (In the majority of requests, Microsoft only disclosed subscriber or transaction information, not account contents. See the full report from Microsoft here.)

Microsoft is trying its best to protect itself and the cloud industry by setting a precedent with the Dublin case. Nevertheless, even if multiple countries are focusing efforts on preventing their own businesses from suffering data-related controversies, cloud service users and providers should not disregard these issues. As the cloud industry and the IoT grow, the data generation rate is going to increase exponentially. All businesses using cloud services now must consider data residency and sovereignty, in addition to data privacy and security.

This blog post was researched and written by Se Jin Park, VDC Research Assistant (with Steve Hoffenberg)

06/19/2015

Privacy and Security Trends in IoT – Parsing the FTC’s Guidance

Privacy and security are both huge concerns for consumers and businesses alike in the evolving IoT landscape. Privacy concerns the unauthorized use of data by an entity that has been granted access to a dataset. Thus it is generally privacy that forms the relationship between companies and customers, and any breach of this contract is a privacy concern. Security, on the other hand, concerns the unauthorized use and/or access of data by an entity that has not been granted access to some dataset, e.g. hacking and external security breaches. Both privacy and security goals will be hard to reconcile with the main aim of IoT development: monitoring, collecting, analyzing, and using massive amounts of data.

Whose job is it to protect sensitive data in these rapidly-growing IoT industries? Responsibilities for data privacy and security vary by industry and by country. In the US, when companies are not regulated by another agency (e.g. the Department of Health and Human Services for HIPAA rules on medical patient data), this responsibility usually falls under the jurisdiction of the Federal Trade Commission (FTC).

 


The FTC has conflicting interests to balance. The Commission was created in 1914 in order to break up the increasingly-powerful corporations that controlled the oil, steel, and tobacco industries with the end goal of protecting consumers from “unfair or competitive practices”. Conversely, the FTC must avoid “unduly burdening legitimate business activity.” The FTC walks a fine line between social and moral conservatism, and economic progress.

As with the majority of emerging and semi-defined technologies, the US government has been largely content to let the market shape the course of the IoT Services market development. Yet the steadily-growing stream of privacy concerns (Snapchat, NSA, Google, Facebook, etc.) and security concerns (Anthem, Blue Cross, Target, Adobe, LastPass, the Office of Personnel of the US Government) has made it clear that the FTC will need to make its presence felt in the IoT Services market sooner rather than later. It is quite apparent that many entities simply do not have the proper incentive to thoroughly self-regulate with regards to privacy and security. Data regulation is in its infancy and it will undoubtedly be a daunting task.

 


The FTC published corporate guidance on privacy and security practices earlier this year. Let us parse this document to see if we can elucidate any key findings and conclusions. It is important to keep in mind that none of these recommendations carry the weight of law; the report simply “summarizes the workshop and provides staff’s recommendations in this [IoT] area.”

 

Security

The FTC makes six main security recommendations in order to prevent unauthorized breaches of data. Companies should:

  1. Plan by building security into devices “at the outset, rather than as an afterthought”
  2. Train “all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization”
  3. Hire only service providers that can maintain “reasonable security and provide reasonable oversight for these service providers”
  4. Layer by implementing “security measures at several levels”
  5. Protect by “implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network”
  6. Monitor and fix, patching known vulnerabilities throughout the product lifecycle “to the extent feasible.”

This is the full extent of the security recommendations. These are all common practice in industry, and the vague nature of the language adds little value to the discussion of how the FTC specifically might regulate data in the IoT market.

 

Data Collection & Privacy

In the privacy section of the FTC report, the agency recommends that companies minimize the amount of data they collect, but the recommendation is quite flexible, giving companies the option to collect potentially useful data with consumer consent. But how does a company obtain consent when the device or service has no interface, as will be the case with many embedded devices employed in the IoT market?

According to the FTC, as long as the use of the data is “expected” and “consistent with the context of the interaction” a company need not explicitly obtain consent to collect data. This language does not set any standards; rather it is remedial language that can be applied to different situations post-incident. The FTC couples this expected use language with industry-specific legislation, such as the Fair Credit Reporting Act, which restricts the usage of credit data in certain circumstances. In summary, under these recommendations the company has nearly full discretion in the collection and usage of data as long as it can prove that it is using the data in an “expected” manner relative to the nature and context of its relation with its patron (barring any industry-specific legislation).

The report notes an interesting idea proposed by MIT Professor Hal Abelson. He suggests that data be “tagged” upon collection with appropriate uses so that other software could identify and flag any inappropriate uses, providing a layer of protection and forcing the company to think about how to use the data before collecting it. We expressed a similar view in a recent VDC View document entitled “Beyond ‘Who Owns the Data?’,” suggesting that IoT vendors develop and implement data structures to permit highly flexible assignments of data access rights and usage permissions. Tagging would certainly be one way to segregate usage rights and protect different streams of data.
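One way the tagging idea above could look in practice, as an added sketch that is not taken from the FTC report, Professor Abelson, or VDC. The class and function names, the device sources, and the purpose labels are all assumptions made for illustration.

```python
"""Purpose tagging at collection time, with a monitor that flags off-tag uses."""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Tagged:
    """A data item that carries its permitted uses with it (immutable)."""
    value: Any
    source: str
    allowed_uses: FrozenSet[str]


def collect(value: Any, source: str, allowed_uses: Iterable[str]) -> Tagged:
    """Tag data at the moment of collection.

    Collection is refused when no use is declared, so the collector has to
    decide what the data is for before it is gathered.
    """
    uses = frozenset(allowed_uses)
    if not uses:
        raise ValueError(f"refusing to collect from {source!r}: no declared use")
    return Tagged(value, source, uses)


def derive(value: Any, *inputs: Tagged) -> Tagged:
    """Tag derived data with only the uses that every input permits."""
    if not inputs:
        raise ValueError("derived data needs at least one tagged input")
    allowed = frozenset.intersection(*(i.allowed_uses for i in inputs))
    return Tagged(value, "+".join(i.source for i in inputs), allowed)


class UseMonitor:
    """The separate software layer that checks each use against the tags."""

    def __init__(self) -> None:
        self.flagged: List[Dict[str, str]] = []

    def use(self, item: Tagged, purpose: str, consumer: str) -> Any:
        """Release the value for a permitted purpose; flag and refuse otherwise."""
        if purpose in item.allowed_uses:
            return item.value
        self.flagged.append({
            "consumer": consumer,
            "purpose": purpose,
            "source": item.source,
            "allowed": ",".join(sorted(item.allowed_uses)),
        })
        raise PermissionError(
            f"{consumer} may not use {item.source} data for {purpose}"
        )


def demo() -> List[Dict[str, str]]:
    """Run constructed sample readings through the monitor; return the flags."""
    monitor = UseMonitor()
    # Constructed sample data: two home sensors with different declared uses.
    temp = collect(21.5, "thermostat", {"hvac_control", "energy_report"})
    occupied = collect(False, "occupancy_sensor", {"hvac_control", "security_alarm"})
    # "Home is empty" is derived from both streams, so it inherits only the
    # purpose both sensors allow: hvac_control.
    away = derive(not occupied.value, temp, occupied)
    monitor.use(away, "hvac_control", "scheduler")  # permitted
    for purpose, consumer in [("energy_report", "billing"),
                              ("ad_targeting", "partner_api")]:
        try:
            monitor.use(away, purpose, consumer)
        except PermissionError:
            pass  # the refusal is recorded in monitor.flagged
    return monitor.flagged


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Taking the intersection of tags for derived data is a design choice of this sketch: it keeps a combined stream from being used for anything one of its inputs did not permit.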

 

Legislation

The FTC states that any legislation concerning the IoT would be premature at this point. However, staff recommends that Congress should enact “general data security legislation” and “basic privacy protections” which it cannot mandate itself. Basically, the FTC needs a new legislative base from which to launch lawsuits. Congress created an IoT Caucus shortly after the filing of this FTC report, but it has been mostly silent since its inception.

 

Dissent

FTC Commissioner Joshua Wright

Perhaps the most interesting part of this report comes in the form of a dissent by one of the 5 commissioners (leaders) of the FTC. Commissioner Joshua Wright notes that the FTC generally issues two types of reports: 1) an in-depth and impactful report commissioned by Congress that compels private parties to submit data to the FTC for analysis and review; or 2) a slightly less formal report that details and makes public any workshops conducted by the Commission, concluding with recommendations that are supported by substantial data and analysis.

Wright contends that this FTC report does not fit either of these categories, and goes on to shred the report to pieces. Firstly, he argues, the IoT is a nascent and far-ranging concept – a one-day workshop cannot generate a sufficient sample of ideas or range of views in order to support any policy recommendation. Secondly, he observes that the report “does not perform any actual analysis,” instead merely relying on its own assertions without qualification or economic backing. He goes as far as to say that the report merely pays “lip service” to a few obvious facts without actually performing any analysis. Thirdly, he remains unconvinced that the Fair Information Practice Principles (FIPP) is a proper concept to apply to the IoT, favoring instead “the well-established Commission view companies must maintain reasonable and appropriate security measures; that inquiry necessitates a cost-benefit analysis. The most significant drawback of the concepts of ‘security by design’ and other privacy-related catchphrases is that they do not appear to contain any meaningful analytical content.” Commissioner Wright clearly has a large bone to pick with the method by which the FTC is considering data regulation in the IoT market.

 

Conclusion

Corporations and consumers alike in the IoT market would do well to pay attention to the following conclusions that we can draw from the FTC document and Commissioner Wright’s dissent:

  1. Congress has not yet created a legislative base upon which the FTC can clearly pursue judicial remedies for breaches of privacy specific to the IoT market (barring specific acts such as the Fair Credit Reporting Act).
  2. Even if the legislation were in place, the FTC has not performed a proper cost-benefit analysis of the potential impact of privacy and security breaches within the IoT market, thus it cannot recommend clear, data-backed, corporate guidance at this time.
  3. The FTC clearly recognizes the “profound impact” that the IoT will have on consumers, and is looking into regulation, but is internally conflicted about how to move forward.
  4. The report does not introduce any new incentives for companies to better safeguard customer data or to implement less-intrusive privacy contracts, so we can expect to see continued growth in data collection in the IoT market in line with VDC’s forecasts.
  5. Consumer-facing companies that wish to differentiate themselves from competitors would do well to safeguard their data; we may very well see security breaches as the norm in the near future, so a company with a clean history will have an advantage in the market. See VDC’s series of reports on Security and the IoT for deeper analysis of security issues.

06/15/2015

Samsung Invests in Sigfox. Is the Race Over for Long-Range Low-Power Wireless Competitors?

A preliminary market battle has been brewing over the past year between technologies to connect IoT devices via wireless wide area networks. These cellular-type networks allow very low power battery devices to transmit small amounts of data over several miles, a solution highly suitable to many types of IoT devices such as weather sensors and smart meters. Entrants in this market include Sigfox, LoRa, and Neul. (In addition, standards organization IEEE is developing the 802.11ah wireless networking protocol for distances up to a kilometer.)

Sigfox announced on June 15 that Samsung’s Artik IoT platform would integrate Sigfox support. Also, noted in the press release, but given less attention, was that Samsung’s venture capital arm is investing in Sigfox. The size of the investment was not disclosed. (See Sigfox press release here.) In February of 2015, Sigfox announced that it had secured from a variety of venture capital firms an investment round totaling $115M, reportedly the largest single VC investment round ever in France, Sigfox’s home country. (See Sigfox press release here.)

Thus far, Sigfox has been the only long-range low-power wireless solution already deployed in commercial operations, with several hundred thousand devices connected. It has networks in place in France, as well as in Spain, Portugal, the Netherlands, parts of the UK, and a number of cities around the world, most recently, in the San Francisco Bay area of the US.

LoRa—developed by Semtech—has the backing of IBM, Cisco, and Microchip among the members of the LoRa Alliance, and its initial deployments are imminent.

UK-based Neul is still in its demonstration phase, but the company was acquired for 15M British Pounds in September 2014 by Chinese telecommunications equipment giant Huawei.

VDC won’t attempt here to compare the relative technical merits of these long-range low-power wireless systems, but from a market standpoint, it is clear that Sigfox is leading the pack. And it’s tempting to think that an investment by Samsung will propel Sigfox into an insurmountable lead. But we’re not yet ready to draw that conclusion. Some points for consideration:

  • Although the Samsung name will undoubtedly give a significant shot in the arm to Sigfox’s marketing efforts, without knowing the size of Samsung’s investment, we can’t assess the extent of its impact on the ability of Sigfox to get its networks deployed more broadly.
  • Long-range wireless solutions face the chicken-and-egg problem of needing the network infrastructure (antennas and backhaul) in place to persuade manufacturers to develop products using the technology, while needing products coming to market to warrant investment in the infrastructure.
  • As one of the world’s largest makers of electronic products, Samsung has the potential to dramatically increase availability of Sigfox-compatible devices if it so chooses. Thus far, however, Samsung hasn’t committed to using Sigfox in anything other than its Artik IoT platform.
  • Samsung also makes cellular networking equipment, although that represents a relatively small part of its overall business. (Samsung does not publicly disclose revenue for the segment.) By contrast, two-thirds of Huawei’s entire business ($31B out of $46B in 2014) is derived from cellular networking equipment, mostly sold in China and the EMEA region. While either company could conceivably foster widespread installation of long-range low-power networks through technological investment and pricing strategies, it’s unclear which would have greater motivation to do so.
  • LoRa has some heavyweight backers as members of its Alliance, but such membership has not yet yielded investment that will produce meaningful numbers of either chickens or eggs. [Note: the day after this blog was posted, the competition has ramped up, as LoRa startup Actility announced that it had received a $25M round of VC funding led by Ginko Ventures, with participants including telcos KPN, Orange, and Swisscom, as well as Foxconn, the world's largest contract manufacturer. See Actility press release here.]

In the meantime, Samsung’s investment positions Sigfox with a larger lead in the race for long-range low-power wireless networks. But it’s a long way to the finish line.

05/18/2015

IoT Application Platforms – What Company Will Take the Next Bite?

Few areas of technology or business can match the current levels of interest and anticipation surrounding the internet of things (IoT). Embedded engineering organizations and enterprises alike are struggling to keep pace with the expected rate of IoT change. They are rapidly modifying their business plans to pursue new service revenue opportunities enabled by the IoT. But challenges from tighter time-to-market windows and project requirements that extend far beyond existing internal skill sets are yet again recasting the traditional software build-versus-buy calculation. More organizations now recognize the need for new third-party development and management platforms to help them jumpstart IoT application creation and monetization.

VDC Research initiated coverage of this dynamic segment with the recent publication of the IoT Application Development and Deployment Platform (ADDP) market report. The executive summary is available here. Revenue from IoT ADDP solutions is forecast to expand at over 40% compound annual growth rate (CAGR) through 2016. As one might expect, this pace of revenue growth in the ADDP segment and the IoT at large has drawn the attention of larger software and system solution providers.

As part of PTC’s strategy to supply “closed-loop lifecycle management” for systems engineering, the company bought two of the leading ADDP suppliers. (See more on this strategy here.) PTC acquired ThingWorx in December 2013 and Axeda in August 2014. In March 2015, IBM announced plans to invest $3 billion in a new 'Internet of Things' unit over the next four years. But the Amazon acquisition of 2lemetry, also in March 2015, demonstrates that interest in entering this sector is not limited to organizations currently competing in the ALM or PLM solutions market.


As the IoT matures, more embedded devices and back-end enterprise systems will continue to be linked together over communication networks in order to provide differentiating and lucrative services. Companies viewing the rapidly expanding ADDP opportunity as an adjacent market will come from a broad range of segments including providers of operating systems, semiconductors, telecommunication networks, computing hardware/modules, enterprise back-end systems, and other software solutions. Independent providers of IoT application platforms should plan for new competitors and potential suitors from a number of domains.

Stay tuned, we expect that more companies with deep pockets and expansive sales distribution will likely follow the lead of Amazon and PTC by entering the ADDP segment via acquisition in the next few years.

 

For more information, we invite you to inquire about our research and download the executive summary of our IoT Application Development and Deployment Platform report; it is available here.

05/15/2015

Under Pressure: Your Embedded System Needs to Modernize Requirements Management (RM)

Recording of This Webinar from VDC Research and Jama Software is Now Available

 New variables continue to emerge, making software development in both the embedded/systems and enterprise/IT domains more complex – and in many ways, more similar. For instance, the requirement to design software in accordance with regulatory mandates, which is increasingly common in the embedded industries, now also extends into several segments of the enterprise, such as banking. Likewise, the Cloud and IoT are becoming more of a focal point for technology and innovation in both realms. This is driving an explosion in new software-focused business plans, devices, categories, and features, which are more closely tied to high-value corporate and consumer activities. The future of connected, intelligent products – while providing new opportunities – also raises the expectations for continued content delivery and functionality evolution.

As reliance on software to deliver value and differentiation increases, the amount and range of employees involved in the management of software creation is expanding. More organizational stakeholders, including many who may lack direct software development experience, now need direct insight into the software development lifecycle in both embedded and enterprise organizations. And with this expanding pool of software development stakeholders, it’s increasingly important to ensure the proper  processes and the right tooling – like a formal requirements management solution – are in place to help facilitate effective communication and collaboration through the full development lifecycle. Among other changes, it will be critical for these tools to provide socially collaborative features, to automatically link critical development data from other tools, and to present it in an easy-to-comprehend format for all development stakeholders.

With the Shift from Project- to Product-Based Software Design Approaches, IT Developers More Closely Resemble Their Embedded Peers.


The embedded – enterprise/IT convergence also includes organizational strategies for software development teams. Many IT groups are now trying to move from a project-based approach for software delivery to one that defines products and organizes teams around them. This organizational structure more closely resembles the typical configuration in embedded or systems development teams. While significant differences remain in place, we also see that decisions around tooling, programming languages, and development methodologies show similar signs of convergence between the embedded and enterprise development markets. As IT organizations continue to evolve, they will have a greater need for system lifecycle management tools focused on optimizing iterative development methodologies with capabilities such as contextual collaboration, impact analysis, and decision tracking over a traditional focus on formal reviews or approvals and change management.

 

To hear more about this and other pressures facing developers that raise the importance of requirements management solutions, I encourage you to listen to our recent webinar with Jama Software.

Click here for the webinar recording. To learn more about the research and products offered by VDC Research’s IoT and Embedded Software Development practice, click here.

05/08/2015

Where To Next For PTC After ColdLight Analytics Acquisition?

At this month’s LiveWorx event put on by PTC (formerly known as Parametric Technology Corp.), the news highlight was the company’s acquisition of IoT analytics firm ColdLight. (See press release here.) ColdLight’s Neuron software for cloud or on-premise datacenters applies machine learning technology to M2M and IoT data, automating predictive analytics tasks. The ColdLight acquisition was a logical extension to PTC’s prior acquisition of ThingWorx and Axeda in the IoT space.

At the front end of the product development process, PTC has assembled software offerings for product lifecycle management (Windchill), computer-aided design (Creo), application lifecycle management and systems engineering (Integrity). Combined with service lifecycle management and the IoT pieces, PTC has essentially created a set of end-to-end solutions for IoT product development and deployment. However, VDC believes that PTC could do more to fill out the middle of its end-to-end portfolio.

Design of embedded devices generally consists of three major areas: mechanical engineering, electronic engineering, and software development. PTC has the first and last of those well covered, but it offers little in the way of electronic engineering tools, save for electronic design automation software for circuit boards, acquired with the company OHIO Design Automation back in 2004 (and since integrated into Windchill).

There are many types of electronic hardware system development tools, and it may be challenging for PTC to dip another toe into that market without diving in completely. Nevertheless, VDC believes that one particular type of electronic design tool would dovetail nicely with PTC’s software development offerings without necessarily getting the company in over its head in electronic design:  virtual prototyping/simulation. Such tools enable the simulation of electronic hardware systems. Although virtual prototyping is often used by semiconductor makers to simulate the behavior of their own chips prior to fabrication, a growing market for virtual prototyping is as a tool for software developers to get a head start on their development work prior to the existence of physical prototypes of the electronic hardware.

PTC already offers mechanical/CAD simulation for Creo. An electronic hardware simulation tool could enable earlier software development for customers using PTC’s Integrity, acting as a bridge between hardware and software development.

Wherever PTC chooses to aim next, its acquisition days aren't over.

04/27/2015

India Takes Giant Steps Toward Smart Cities

With many benefits of IoT becoming apparent, more countries are implementing smart city reforms. This year, India has been the most ambitious in its IoT plans with an allocated budget of Rs. 7060 crores ($1.6 billion USD).

Prior to his May 2014 election, Prime Minister Narendra Modi promised to transform 100 regions of India into smart cities by 2022. As India’s economy continues to grow rapidly, with 60% of India’s GDP coming from urban jobs, Modi hopes that the development of new cities will accommodate the rapid urbanization. By creating satellite cities and improving existing cities, India hopes to improve urban living and increase urban spaces. The Internet of Things will be the driving force behind these smart cities as parking, transportation, urban lighting, waste management, city maintenance, remote healthcare, safety, energy, water management, and traffic management will transform into connected systems. Companies like Alcatel-Lucent, Accenture, ABB, Cubic, Honeywell, Intel, Siemens, and Oracle will help develop these devices and bring them into the new cities.

Other countries like the U.S. and Japan believe in the smart cities idea too, and they’ve officially announced their support for Modi’s Smart City Policy.

India is already in its first stage in implementing this policy, and 20 cities have been selected to undergo initial transformation. Several cities and rural towns, including Delhi, Dholera, and a region in Gujarat, have begun development. Delhi will replace its 18,500 street light poles with smart LED street lights and install solar panels in its schools. Dholera’s initiative is expected to launch this year. A financial centre called Gujarat International Finance Tec-City (GIFT) located on the previously barren banks of the Sabarmati River already has two office blocks and modern underground infrastructure, and will serve as a new financial hub of India.

Recently the Yokohama City Council of Japan offered to help convert the Indian port town of Kakinada into a smart city. Japan’s cities will help guide India towards a smooth technological transition, strengthening the two countries’ tight bonds, and encouraging India to support mutually beneficial economic policies toward Japan in the future.

If all IoT was implemented perfectly into the cities, India would have clean water, better traffic, less urban congestion, and a maximum of 45 minutes transit times across smart cities in less than ten years; that’s what India imagines its future decongested, urbanized country to look like. However, VDC is not yet assuming such optimistic conclusions. Despite all the progressive intent, India has not made much improvement in privacy and security issues, nor has it established what factors qualify a city to be considered a “Smart City.” Karuna Gopal, president of the Foundation of Futuristic Cities, stated that India just started working on its standards and protocols earlier this year and these have not yet been released, despite construction of smart cities already underway. Without any framework or guideline in place, India is creating smart cities that may ultimately lack one or more important aspects of IoT.

No other country has made such a large commitment toward reforming so many cities with IoT, and in order to execute this project smoothly, VDC recommends that India set basic guidelines, frameworks and standards to use, so all the city and regional developers and governments can work together toward a common goal: a smart country.

Whether or not India achieves Modi’s intended outcomes won’t be known until at least 2022. Stay tuned as India gradually transforms its cities with infrastructure that informs citizens and improves services for potable water, electricity, public transport, parking, health care, and education. India’s smart city transformation is likely to be a marathon process.

This post was researched and written by VDC intern Jamie Yang, with editing by Steve Hoffenberg.

04/23/2015

RSA Security Conference 2015: Data from Things, and Data about Things

At recent trade shows such as CES and Embedded World, attendees couldn’t swing a dead cat without hitting a sign reading “Internet of Things.” But at this week’s RSA Conference for the cybersecurity industry at San Francisco’s Moscone Center, the focus was squarely on security for conventional IT and cloud computing systems, with IoT-centric offerings sparse. That’s not to say IoT was missing, but rather that its presence was relatively low key, which is perhaps a good thing after the past year’s worth of hype. Besides, many system implementations that could be considered IoT are extensions of conventional IT. And increasingly, the IoT is becoming about the Data from Things and Data about Things, rather than the things themselves. With that in mind, in this blog post we’ll highlight two companies at the show with distinct new technologies that are using data in creative ways applicable to cybersecurity and IoT.

ThetaRay is an Israeli startup founded by a group of engineers with deep roots in databases and analytics. The crux of the company’s solution is a type of big data analytics, but it’s not about the content of the data, it’s about the movement of the data. A number of security solutions from other vendors are similarly oriented, but one of the factors that sets ThetaRay apart is speed. Company CEO Mark Gazit and VP of Marketing and Business Development Lior Moyal told VDC that, using its patented algorithms and techniques, ThetaRay:

  • can detect abnormal data operations in just milliseconds without knowing anything about what’s in the data
  • runs on essentially off-the-shelf server hardware (Intel i7, 32GB RAM, and a GPU)
  • can not only uncover zero day malware activities, it can also discover security problems not related to malware (In one case, they say it detected money laundering in a bank’s system.)
  • can improve operational efficiencies in SCADA and industrial automation systems. (In another case, it detected the manufacture of a faulty high end lithium-ion battery system—before the battery itself was tested—by uncovering anomalies in the flow of data from the factory’s production equipment.)
  • only generates 1/25th as many false positives as other anomaly-detection solutions.

If ThetaRay’s solution sounds almost too good to be true, it doesn’t come cheaply. Prices for a software license start at $150K a year. Major financial institutions are a prime target market, and General Electric is both an investor and a customer.

In another twist on data analytics, the Atlanta-based company Bastille uses radio frequency emissions from devices to enhance enterprise security. The hardware portion of the product is an RF sensor box that can detect electromagnetic emissions over a huge frequency range from 60 MHz to 6 GHz. It recognizes 120 wireless protocols, enabling it to detect the presence of Wi-Fi, cellular, Bluetooth, Zigbee, Z-Wave, etc. and distinguish both the type of device and its unique identity. Bastille founder and CEO Chris Rouland told VDC that an installation would employ at least 10 of the sensor boxes (approx. $3K each) to cover a building and use triangulation to establish the precise location and movements of each device. Combined with other data, such as employee badge swipes and time stamps, its analytics software can create profiles of the wireless devices normally carried and used by each employee. If any given device exhibits uncharacteristic behavior, for example a mobile phone suddenly transmits gigabytes of data, analytics can alert system administrators and identify the owner of the device. (That scenario could be either deliberate, i.e. due to a disgruntled employee stealing data, or inadvertent due to malware.) In facilities with restricted areas, geo-fencing could alert if wireless devices enter forbidden zones. Rouland foresees markets in everything from military and financial institutions, to retail stores where managers don’t want employees checking Facebook on their phones while on the job.

Unlike most IoT applications, Bastille’s technology leverages incidental data rather than intentional data. In public spaces, that might evoke shades of Big Brother, but we can envision many commercial and industrial applications for which there is no other comparable solution able to use Data about Things to help secure other Things.

03/31/2015

IBM’s $3 Billion Stake into IoT: A Low-Risk Gamble

IBM has announced it is establishing a new Internet of Things business unit with more than 2,000 consultants, researchers, and developers, and will invest $3 billion in it over the next four years. Three business areas are being highlighted:

  • IoT Open Cloud Platform for Industries – vertical market oriented big data analytics services
  • Bluemix IoT Zone – expansion of IBM’s platform-as-a-service to improve development and deployment of IoT apps
  • IoT Ecosystem – additional partners for secure integration of IoT data and services (existing partners include AT&T and ARM)

(We won’t rehash all the details of the announcement, which you can read here.)

VDC finds this IBM initiative particularly noteworthy, for several reasons:

  • By establishing a dedicated IoT group, IBM is putting in place structures to speed both technical and business development targeting IoT. It will be interesting to see how the unit: a) navigates a complex weave of horizontal and vertical technologies and markets; and b) intersects and overlaps (and perhaps clashes or not) with IBM’s enterprise IT services.
  • By announcing the size of its investment up front, IBM is communicating the degree of its commitment to IoT. However, considering the amounts of money being spent collectively by other major companies claiming turf in the IoT (Cisco, GE, Google, Intel, etc.), significant mid-size participants (e.g. ARM, PTC), and hundreds of minor players and wannabes, $3 billion might only equate to table stakes necessary to reserve a seat at the high rollers’ table.
  • IBM’s announcement makes no mention of any external investments, i.e. acquisitions or startup funding. Since the year 2000, IBM has acquired more than 125 companies, including more than a dozen for which the price exceeded $1 billion, so we have little doubt that IoT-related acquisitions are in the offing.
  • Unlike Google’s $3.2 billion acquisition of Nest, which has modest short term but substantial long term potential, IBM’s $3 billion to scale up and expand its existing IoT capabilities can go a long way to generating real IoT revenue in the short term. While most consumers are yet to be convinced of the need for a “smart home” (unaware that their cable TV boxes and electric meters are already part of the IoT), enterprises are already seeing the benefits of the IoT on many levels, including customer satisfaction, recurring revenue, cost savings on service parts and labor, and product refinement. Considering IBM’s position in the IT industry, $3 billion seems like a low risk bet.

To look at it another way: as IoT becomes further integrated into day-to-day business IT and operations, what would have been IBM’s risk if it didn’t invest big money in IoT?

03/16/2015

With Azure IoT Suite, Microsoft Spreads Further into IoT. Is it Far Enough?

On March 16th at Microsoft’s Convergence Conference in Atlanta, the company announced its forthcoming Azure IoT Suite of cloud services. (See official Microsoft announcement here.) Microsoft has existing IoT-oriented services with Azure cloud—including Event Hubs to ingest data, and Stream Analytics (currently in preview testing) to process and analyze data. The announcement did not provide many details on the new services that would be added, but in general terms it said Azure IoT Suite “manages, analyzes and presents [data] as usable information to the people who need it to make better decision.” Specific features mentioned include remote monitoring, asset management and predictive maintenance.

Microsoft also reiterated that the forthcoming Windows 10 operating system would include a Windows 10 IoT version intended for embedded devices. (This was originally mentioned last fall by CEO Satya Nadella, and in February 2015 Microsoft said it would make the new IoT OS available at no charge for use with the Raspberry Pi 2.)

Here at VDC Research, one of our areas of keen interest for IoT is security. Microsoft hasn’t said much about security features that will be built into Windows 10 IoT specifically, but Windows 10 in general is slated for a variety of security improvements, including OS support for two-factor authentication and app-by-app access to VPN.

On the cloud side, Azure already offers numerous security features, including Microsoft’s Active Directory structure, which controls authentication and authorization. Plus, for customers with extra-high security requirements, Azure ExpressRoute can be used to connect local networks to Azure via fiber optics that are physically separated from the public Internet.

With both an embedded operating system and its own major cloud infrastructure, plus its recent acquisition of Revolution Analytics, Microsoft is in a strong position to offer IoT services. The company’s IoT ambitions perhaps could benefit even further from pieces filling in the middle:

  • a true IoT application platform, similar to what Amazon just acquired with 2lemetry; and
  • a field-deployable IoT gateway (hardware) solution, along the lines of Intel’s intelligent gateway designs. [Microsoft has demonstrated a software reference architecture called Azure Cloud Gateway Accelerator, project codename Reykjavik, which performs protocol/message translations (among other tasks), but it requires an IoT-capable device or a field gateway to get data to the cloud.]

We’re awaiting further word from Microsoft on IoT-related features coming to Windows 10 and Azure.

 
