Microsoft recently announced that the company will open two datacenters in Canada, to provide its Azure cloud service to the Canadian Government and businesses operating in that country. Kevin Turner, Microsoft’s chief operating officer, said “this substantial investment in a Canadian cloud demonstrates how committed we are to bringing even more opportunity to Canadian businesses and government organizations, helping them fully realize the cost savings and flexibility of the cloud.” (To read the full press release from Microsoft, see here.) In an article in Toronto’s Globe and Mail newspaper about the announcement, Janet Kennedy, president of Microsoft Canada, said, “there is no technical reason to do it.” The main reasons are data sovereignty and residency.
Data residency deals with where data is physically located and where it should not go without agreement from its owner. Data sovereignty focuses more on why and how a government should protect the data located within its jurisdiction, regardless of its ownership, from foreign government agencies.
These data issues have been hot topics on both personal and business levels, especially after the Edward Snowden incident. Since then, foreign government agencies and companies have tried to mitigate the risk of leaking their information. For example, the German Government terminated its contract with Verizon in favor of Deutsche Telekom shortly after Snowden disclosed NSA reports revealing the agency’s spying activities. In the Canadian Government’s case, the government was not willing to store its sensitive information in the United States where it might be subject to investigation by the U.S. Government. Microsoft responded to the Canadian Government’s concern by proposing the new datacenter plan. (In 2014, Microsoft had launched a cloud service called Azure Government, dedicated to servicing the U.S. federal government via a datacenter isolated from the rest of the Azure network.) Although Microsoft is not the first or only cloud provider dealing with data sovereignty and residency issues, it has been thrust into the center of the debate.
With the emergence of the cloud industry, physical borders between countries have become porous, and in several instances governments have tried to subpoena data physically located in another country. One notable example is a U.S. Government court order for Microsoft to provide a customer’s emails and other data stored in Microsoft’s datacenter in Dublin, Ireland. The government’s argument is that there is no need for an American citizen to step on Irish territory to retrieve the data; a couple of keystrokes is all it would take. Microsoft, on the other hand, believes that electronic access to the datacenter should be considered as entering Irish territory, since the actual data is located in Dublin. The company has yet to provide the data and is appealing the court’s decision.
Brad Smith, Microsoft’s General Counsel and Executive Vice President of Legal and Corporate Affairs, has been addressing the conflict in the Microsoft on the Issues blog. Smith argues that Microsoft will not ignore the opinions of the 96 percent of the global population outside the United States.
More than 20 tech companies such as Apple and Cisco, as well as various interested organizations, have provided amicus briefs in support of Microsoft’s position in the case. The Irish Government also expressed its support towards Microsoft; it insists that it would cooperate with the United States to facilitate the process, but the United States should not be bypassing regulations that are currently in place.
Trying to avoid potential disputes and to protect data, some countries have established regulations preventing data from not only being subpoenaed, but also being accessed and distributed to another country without consent. The European Union is in the process of finalizing its General Data Protection Regulation which, among other things, will limit exporting of personal data and ask every global organization based in Europe to appoint a data protection officer. (Countries outside the European Union with data residency restrictions include Argentina, Australia, China, Mexico, New Zealand, and Russia.)
Recently, Microsoft started providing statistics on law enforcement requests, thanks to the USA Freedom Act, just enacted on June 2, 2015. In a report to be published every six months, Microsoft informs readers of its “principles in responding to government legal demands for customer data”:
In the second half of 2014, data from 52,997 accounts were requested by law enforcement agencies around the globe in a total of 31,002 requests. Only 7.55% of the requests were rejected outright by Microsoft, and the company disclosed the data contents of 3.36% of the accounts requested. (In the majority of requests, Microsoft only disclosed subscriber or transaction information, not account contents. See the full report from Microsoft here.)
Microsoft is trying its best to protect itself and the cloud industry by setting a precedent with the Dublin case. Nevertheless, even if multiple countries are focusing efforts on preventing their own businesses from suffering data-related controversies, cloud service users and providers should not disregard these issues. As the cloud industry and the IoT grow, the data generation rate is going to increase exponentially. All businesses using cloud services now must consider data residency and sovereignty, in addition to data privacy and security.
This blog post was researched and written by Se Jin Park, VDC Research Assistant (with Steve Hoffenberg)
Privacy and security are both huge concerns for consumers and businesses alike in the evolving IoT landscape. Privacy concerns the unauthorized use of data by an entity that has been granted access to a dataset. Thus it is generally privacy that forms the relationship between companies and customers, and any breach of this contract is a privacy concern. Security, on the other hand, concerns the unauthorized use and/or access of data by an entity that has not been granted access to the dataset, e.g. hacking and external security breaches. Both privacy and security goals will be hard to reconcile with the main aim of IoT development: monitoring, collecting, analyzing, and using massive amounts of data.
Whose job is it to protect sensitive data in these rapidly-growing IoT industries? Responsibilities for data privacy and security vary by industry and by country. In the US, when companies are not regulated by another agency (e.g. the Department of Health and Human Services for HIPAA rules on medical patient data), this responsibility usually falls under the jurisdiction of the Federal Trade Commission (FTC).
The FTC has conflicting interests to balance. The Commission was created in 1914 in order to break up the increasingly-powerful corporations that controlled the oil, steel, and tobacco industries with the end goal of protecting consumers from “unfair or competitive practices”. Conversely, the FTC must avoid “unduly burdening legitimate business activity.” The FTC walks a fine line between social and moral conservatism, and economic progress.
As with the majority of emerging and semi-defined technologies, the US government has been largely content to let the market shape the course of the IoT Services market development. Yet the steadily-growing stream of privacy concerns (Snapchat, NSA, Google, Facebook, etc.) and security concerns (Anthem, Blue Cross, Target, Adobe, LastPass, the Office of Personnel of the US Government) has made it clear that the FTC will need to make its presence felt in the IoT Services market sooner rather than later. It is quite apparent that many entities simply do not have the proper incentive to thoroughly self-regulate with regards to privacy and security. Data regulation is in its infancy and it will undoubtedly be a daunting task.
The FTC published corporate guidance on privacy and security practices earlier this year. Let us parse this document to see if we can elucidate any key findings and conclusions. It is important to keep in mind that none of these recommendations carry the weight of law; the report simply “summarizes the workshop and provides staff’s recommendations in this [IoT] area.”
The FTC makes six main security recommendations in order to prevent unauthorized breaches of data. Companies should:
This is the full extent of the security recommendations. These are all common practice in industry, and the vague nature of the language adds little value to the discussion of how the FTC specifically might regulate data in the IoT market.
In the privacy section of the FTC report, the agency recommends that companies minimize the amount of data they collect, but the recommendation is quite flexible, giving companies the option to collect potentially useful data with consumer consent. But how does a company obtain consent when the device or service has no interface, as will be the case with many embedded devices employed in the IoT market?
According to the FTC, as long as the use of the data is “expected” and “consistent with the context of the interaction” a company need not explicitly obtain consent to collect data. This language does not set any standards; rather it is remedial language that can be applied to different situations post-incident. The FTC couples this expected use language with industry-specific legislation, such as the Fair Credit Reporting Act, which restricts the usage of credit data in certain circumstances. In summary, under these recommendations the company has nearly full discretion in the collection and usage of data as long as it can prove that it is using the data in an “expected” manner relative to the nature and context of its relation with its patron (barring any industry-specific legislation).
The report notes an interesting idea proposed by MIT Professor Hal Abelson. He suggests that data be “tagged” upon collection with appropriate uses so that another piece of software could identify and flag any inappropriate uses, providing a layer of protection and forcing the company to think about how to use the data before collecting it. We expressed a similar view in a recent VDC View document entitled “Beyond ‘Who Owns the Data?’,” suggesting that IoT vendors develop and implement data structures to permit highly flexible assignments of data access rights and usage permissions. Tagging would certainly be one way to segregate usage rights and protect different streams of data.
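The tagging idea above, sketched as an added example (it is not code from the FTC report, Professor Abelson, or VDC): values are tagged with their declared uses at collection, derived values inherit only the uses every input permits, and a separate monitor flags any off-tag request. The policy, device name and purpose strings are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy: the uses a hypothetical vendor declares per data kind
# before any collection happens. Names are illustrative only.
POLICY = {
    "temperature": {"hvac_control", "energy_report"},
    "occupancy": {"hvac_control"},
}


@dataclass(frozen=True)
class Tagged:
    """A collected value that carries its permitted uses with it."""
    source: str
    kind: str
    value: float
    allowed_uses: frozenset


def collect(source, kind, value, policy=POLICY):
    """Tag a value at collection time; refuse kinds with no declared use."""
    uses = policy.get(kind)
    if not uses:
        # Default deny: no declared purpose means the data is never collected.
        raise ValueError(f"no declared use for data kind {kind!r}")
    return Tagged(source, kind, value, frozenset(uses))


def derive(kind, value, *inputs):
    """Tag a computed value with only the uses that every input permits."""
    if not inputs:
        raise ValueError("derived data needs at least one tagged input")
    uses = frozenset.intersection(*(i.allowed_uses for i in inputs))
    source = "+".join(i.source for i in inputs)
    return Tagged(source, kind, value, uses)


@dataclass
class UsageMonitor:
    """The separate checker: releases data only for a tagged use, flags the rest."""
    flagged: list = field(default_factory=list)

    def request(self, item, consumer, purpose):
        if purpose in item.allowed_uses:
            return item.value
        # Record who asked, for what data, and for which undeclared purpose.
        self.flagged.append((consumer, item.kind, purpose))
        return None


def run_demo():
    """Walk constructed readings through collection, derivation and use."""
    monitor = UsageMonitor()
    temp = collect("thermostat-01", "temperature", 21.5)
    occ = collect("thermostat-01", "occupancy", 1.0)

    results = {
        "report": monitor.request(temp, "billing", "energy_report"),
        "ads": monitor.request(occ, "marketing", "ad_targeting"),
    }
    # A value computed from both readings inherits the narrower tag.
    comfort = derive("comfort_index", temp.value * occ.value, temp, occ)
    results["derived_uses"] = sorted(comfort.allowed_uses)
    results["derived_report"] = monitor.request(comfort, "billing", "energy_report")
    try:
        collect("thermostat-01", "audio", 0.3)
        results["audio_collected"] = True
    except ValueError:
        results["audio_collected"] = False
    results["flagged"] = list(monitor.flagged)
    return results


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(key, "=", val)
```

Because the tag travels with the value, combining a broadly usable reading with a narrowly usable one cannot widen what the result may be used for.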
The FTC states that any legislation concerning the IoT would be premature at this point. However, staff recommends that Congress should enact “general data security legislation” and “basic privacy protections” which it cannot mandate itself. Basically, the FTC needs a new legislative base from which to launch lawsuits. Congress created an IoT Caucus shortly after the filing of this FTC report, but it has been mostly silent since its inception.
Perhaps the most interesting part of this report comes in the form of a dissent by one of the 5 commissioners (leaders) of the FTC. Commissioner Joshua Wright notes that the FTC generally issues two types of reports: 1) an in-depth and impactful report commissioned by Congress that compels private parties to submit data to the FTC for analysis and review; or 2) a slightly less formal report that details and makes public any workshops conducted by the Commission, concluding with recommendations that are supported by substantial data and analysis.
Wright contends that this FTC report does not fit either of these categories, and goes on to shred the report to pieces. Firstly, he argues, the IoT is a nascent and far-ranging concept – a one-day workshop cannot generate a sufficient sample of ideas or range of views in order to support any policy recommendation. Secondly, he observes that the report “does not perform any actual analysis,” instead merely relying on its own assertions without qualification or economic backing. He goes as far as to say that the report merely pays “lip service” to a few obvious facts without actually performing any analysis. Thirdly, he remains unconvinced that the Fair Information Practice Principles (FIPP) is a proper concept to apply to the IoT, favoring instead “the well-established Commission view companies must maintain reasonable and appropriate security measures; that inquiry necessitates a cost-benefit analysis. The most significant drawback of the concepts of ‘security by design’ and other privacy-related catchphrases is that they do not appear to contain any meaningful analytical content.” Commissioner Wright clearly has a large bone to pick with the method by which the FTC is considering data regulation in the IoT market.
Corporations and consumers alike in the IoT market would do well to pay attention to the following conclusions that we can draw from the FTC document and Commissioner Wright’s dissent:
A preliminary market battle has been brewing over the past year between technologies to connect IoT devices via wireless wide area networks. These cellular-type networks allow very low power battery devices to transmit small amounts of data over several miles, a solution highly suitable to many types of IoT devices such as weather sensors and smart meters. Entrants in this market include Sigfox, LoRa, and Neul. (In addition, standards organization IEEE is developing the 802.11ah wireless networking protocol for distances up to a kilometer.)
Sigfox announced on June 15 that Samsung’s Artik IoT platform would integrate Sigfox support. Also noted in the press release, but given less attention, was that Samsung’s venture capital arm is investing in Sigfox. The size of the investment was not disclosed. (See Sigfox press release here.) In February of 2015, Sigfox announced that it had secured from a variety of venture capital firms an investment round totaling $115M, reportedly the largest single VC investment round ever in France, Sigfox’s home country. (See Sigfox press release here.)
Thus far, Sigfox has been the only long-range low-power wireless solution already deployed in commercial operations, with several hundred thousand devices connected. It has networks in place in France, as well as in Spain, Portugal, the Netherlands, parts of the UK, and a number of cities around the world, most recently, in the San Francisco Bay area of the US.
VDC won’t attempt here to compare the relative technical merits of these long-range low-power wireless systems, but from a market standpoint, it is clear that Sigfox is leading the pack. And it’s tempting to think that an investment by Samsung will propel Sigfox into an insurmountable lead. But we’re not yet ready to draw that conclusion. Some points for consideration:
In the meantime, Samsung’s investment positions Sigfox with a larger lead in the race for long-range low-power wireless networks. But it’s a long way to the finish line.
Few areas of technology or business can match the current levels of interest and anticipation surrounding the internet of things (IoT). Embedded engineering organizations and enterprises alike are struggling to keep pace with the expected rate of IoT change. They are rapidly modifying their business plans to pursue new service revenue opportunities enabled by the IoT. But challenges from tighter time-to-market windows and project requirements that extend far beyond existing internal skill sets are yet again recasting the traditional software build-versus-buy calculation. More organizations now recognize the need for new third-party development and management platforms to help them jumpstart IoT application creation and monetization.
VDC Research initiated coverage of this dynamic segment with the recent publication of the IoT Application Development and Deployment Platform (ADDP) market report. The executive summary is available here. Revenue from IoT ADDP solutions is forecast to expand at over 40% compound annual growth rate (CAGR) through 2016. As one might expect, this pace of revenue growth in the ADDP segment and the IoT at large has drawn the attention of larger software and system solution providers.
As part of PTC’s strategy to supply “closed-loop lifecycle management” for systems engineering, the company bought two of the leading ADDP suppliers. (See more on this strategy here.) PTC acquired ThingWorx in December 2013 and Axeda in August 2014. In March 2015, IBM announced plans to invest $3 billion in a new 'Internet of Things' unit over the next four years. But the Amazon acquisition of 2lemetry, also in March 2015, demonstrates that interest in entering this sector is not limited to organizations currently competing in the ALM or PLM solutions market.
As the IoT matures, more embedded devices and back-end enterprise systems will continue to be linked together over communication networks in order to provide differentiating and lucrative services. Companies viewing the rapidly expanding ADDP opportunity as an adjacent market will come from a broad range of segments including providers of operating systems, semiconductors, telecommunication networks, computing hardware/modules, enterprise back-end systems, and other software solutions. Independent providers of IoT application platforms should plan for new competitors and potential suitors from a number of domains.
Stay tuned, we expect that more companies with deep pockets and expansive sales distribution will likely follow the lead of Amazon and PTC by entering the ADDP segment via acquisition in the next few years.
For more information, we invite you to inquire about our research and download the executive summary of our IoT Application Development and Deployment Platform; it is available here.
Recording of This Webinar from VDC Research and Jama Software is Now Available
New variables continue to emerge, making software development in both the embedded/systems and enterprise/IT domains more complex – and in many ways, more similar. For instance, the requirement to design software in accordance with regulatory mandates, which is increasingly common in the embedded industries, now also extends into several segments of the enterprise, such as banking. Likewise, the Cloud and IoT are becoming more of a focal point for technology and innovation in both realms. This is driving an explosion in new software-focused business plans, devices, categories, and features, which are more closely tied to high-value corporate and consumer activities. The future of connected, intelligent products – while providing new opportunities – also raises the expectations for continued content delivery and functionality evolution.
As reliance on software to deliver value and differentiation increases, the amount and range of employees involved in the management of software creation is expanding. More organizational stakeholders, including many who may lack direct software development experience, now need direct insight into the software development lifecycle in both embedded and enterprise organizations. And with this expanding pool of software development stakeholders, it’s increasingly important to ensure the proper processes and the right tooling – like a formal requirements management solution – are in place to help facilitate effective communication and collaboration through the full development lifecycle. Among other changes, it will be critical for these tools to provide socially collaborative features, to automatically link critical development data from other tools, and to present it in an easy-to-comprehend format for all development stakeholders.
With the Shift from Project- to Product-Based Software Design Approaches, IT Developers More Closely Resemble Their Embedded Peers.
The embedded – enterprise/IT convergence also includes organizational strategies for software development teams. Many IT groups are now trying to move from a project-based approach for software delivery to one that defines products and organizes teams around them. This organizational structure more closely resembles the typical configuration in embedded or systems development teams. While significant differences remain in place, we also see that decisions around tooling, programming languages, and development methodologies show similar signs of convergence between the embedded and enterprise development markets. As IT organizations continue to evolve, they will have a greater need for system lifecycle management tools focused on optimizing iterative development methodologies with capabilities such as contextual collaboration, impact analysis, and decision tracking over a traditional focus on formal reviews or approvals and change management.
To hear more about this and other pressures facing developers that raise the importance of requirements management solutions, I encourage you to listen to our recent webinar with Jama Software.
At this month’s LiveWorx event put on by PTC (formerly known as Parametric Technology Corp.), the news highlight was the company’s acquisition of IoT analytics firm ColdLight. (See press release here.) ColdLight’s Neuron software for cloud or on-premise datacenters applies machine learning technology to M2M and IoT data, automating predictive analytics tasks. The ColdLight acquisition was a logical extension to PTC’s prior acquisition of ThingWorx and Axeda in the IoT space.
At the front end of the product development process, PTC has assembled software offerings for product lifecycle management (Windchill), computer-aided design (Creo), application lifecycle management and systems engineering (Integrity). Combined with service lifecycle management and the IoT pieces, PTC has essentially created a set of end-to-end solutions for IoT product development and deployment. However, VDC believes that PTC could do more to fill out the middle of its end-to-end portfolio.
Design of embedded devices generally consists of three major areas: mechanical engineering, electronic engineering, and software development. PTC has the first and last of those well covered, but it offers little in the way of electronic engineering tools, save for electronic design automation software for circuit boards, acquired with the company OHIO Design Automation back in 2004 (and since integrated into Windchill).
There are many types of electronic hardware system development tools, and it may be challenging for PTC to dip another toe into that market without diving in completely. Nevertheless, VDC believes that one particular type of electronic design tool would dovetail nicely with PTC’s software development offerings without necessarily getting the company in over its head in electronic design: virtual prototyping/simulation. Such tools enable the simulation of electronic hardware systems. Although virtual prototyping is often used by semiconductor makers to simulate the behavior of their own chips prior to fabrication, a growing market for virtual prototyping is as a tool for software developers to get a head start on their development work prior to the existence of physical prototypes of the electronic hardware.
PTC already offers mechanical/CAD simulation for Creo. An electronic hardware simulation tool could enable earlier software development for customers using PTC’s Integrity, acting as a bridge between hardware and software development.
Wherever PTC chooses to aim next, its acquisition days aren't over.
With many benefits of IoT becoming apparent, more countries are implementing smart city reforms. This year, India has been the most ambitious in its IoT plans with an allocated budget of Rs. 7060 crores ($1.6 billion USD).
Prior to his May 2014 election, Prime Minister Narendra Modi promised to transform 100 regions of India into smart cities by 2022. As India’s economy continues to grow rapidly, with 60% of India’s GDP coming from urban jobs, Modi hopes that the development of new cities will accommodate the rapid urbanization. By creating satellite cities and improving existing cities, India hopes to improve urban living and increase urban spaces. The Internet of Things will be the driving force behind these smart cities as parking, transportation, urban lighting, waste management, city maintenance, remote healthcare, safety, energy, water management, and traffic management will transform into connected systems. Companies like Alcatel-Lucent, Accenture, ABB, Cubic, Honeywell, Intel, Siemens, and Oracle will help develop these devices and bring them into the new cities.
Other countries like the U.S. and Japan believe in the smart cities idea too, and they’ve officially announced their support for Modi’s Smart City Policy.
India is already in its first stage in implementing this policy, and 20 cities have been selected to undergo initial transformation. Several cities and rural towns, including Delhi, Dholera, and a region in Gujarat, have begun development. Delhi will replace its 18,500 street light poles with smart LED street lights and install solar panels in its schools. Dholera’s initiative is expected to launch this year. A financial centre called Gujarat International Finance Tec-City (GIFT) located on the previously barren banks of the Sabarmati River already has two office blocks and modern underground infrastructure, and will serve as a new financial hub of India.
Recently the Yokohama City Council of Japan offered to help convert the Indian port town of Kakinada into a smart city. Japan’s cities will help guide India towards a smooth technological transition, strengthening the two countries’ tight bonds, and encouraging India to support mutually beneficial economic policies toward Japan in the future.
If IoT were implemented perfectly in the cities, India would have clean water, better traffic, less urban congestion, and a maximum transit time of 45 minutes across smart cities in less than ten years; that’s what India imagines its future decongested, urbanized country to look like. However, VDC is not yet assuming such optimistic conclusions. Despite all the progressive intent, India has not made much improvement in privacy and security issues, nor has it established what factors qualify a city to be considered a “Smart City.” Karuna Gopal, president of the Foundation of Futuristic Cities, stated that India just started working on its standards and protocols earlier this year and these have not yet been released, despite construction of smart cities already underway. Without any framework or guideline in place, India is creating smart cities that may ultimately lack one or more important aspects of IoT.
No other country has made such a large commitment toward reforming so many cities with IoT, and in order to execute this project smoothly, VDC recommends that India set basic guidelines, frameworks and standards to use, so all the city and regional developers and governments can work together toward a common goal: a smart country.
Whether or not India achieves Modi’s intended outcomes won’t be known until at least 2022. Stay tuned as India gradually transforms its cities with infrastructure that informs citizens and improves services for potable water, electricity, public transport, parking, health care, and education. India’s smart city transformation is likely to be a marathon process.
This post was researched and written by VDC intern Jamie Yang, with editing by Steve Hoffenberg.
At recent trade shows such as CES and Embedded World, attendees couldn’t swing a dead cat without hitting a sign reading “Internet of Things.” But at this week’s RSA Conference for the cybersecurity industry at San Francisco’s Moscone Center, the focus was squarely on security for conventional IT and cloud computing systems, with IoT-centric offerings sparse. That’s not to say IoT was missing, but rather that its presence was relatively low key, which is perhaps a good thing after the past year’s worth of hype. Besides, many system implementations that could be considered IoT are extensions of conventional IT. And increasingly, the IoT is becoming about the Data from Things and Data about Things, rather than the things themselves. With that in mind, in this blog post we’ll highlight two companies at the show with distinct new technologies that are using data in creative ways applicable to cybersecurity and IoT.
ThetaRay is an Israeli startup founded by a group of engineers with deep roots in databases and analytics. The crux of the company’s solution is a type of big data analytics, but it’s not about the content of the data, it’s about the movement of the data. A number of security solutions from other vendors are similarly oriented, but one of the factors that sets ThetaRay apart is speed. Using its patented algorithms and techniques, company CEO Mark Gazit and VP of Marketing and Business Development Lior Moyal told VDC that ThetaRay:
If ThetaRay’s solution sounds almost too good to be true, it doesn’t come cheaply. Prices for a software license start at $150K a year. Major financial institutions are a prime target market, and General Electric is both an investor and a customer.
In another twist on data analytics, the Atlanta-based company Bastille uses radio frequency emissions from devices to enhance enterprise security. The hardware portion of the product is an RF sensor box that can detect electromagnetic emissions over a huge frequency range from 60 MHz to 6 GHz. It recognizes 120 wireless protocols, enabling it to detect the presence of Wi-Fi, cellular, Bluetooth, Zigbee, Z-Wave, etc. and distinguish both the type of device and its unique identity. Bastille founder and CEO Chris Rouland told VDC that an installation would employ at least 10 of the sensor boxes (approx. $3K each) to cover a building and use triangulation to establish the precise location and movements of each device. Combined with other data, such as employee badge swipes and time stamps, its analytics software can create profiles of the wireless devices normally carried and used by each employee. If any given device exhibits uncharacteristic behavior, for example a mobile phone suddenly transmits gigabytes of data, analytics can alert system administrators and identify the owner of the device. (That scenario could be either deliberate, i.e. due to a disgruntled employee stealing data, or inadvertent due to malware.) In facilities with restricted areas, geo-fencing could alert if wireless devices enter forbidden zones. Rouland foresees markets in everything from military and financial institutions, to retail stores where managers don’t want employees checking Facebook on their phones while on the job.
Unlike most IoT applications, Bastille’s technology leverages incidental data rather than intentional data. In public spaces, that might evoke shades of Big Brother, but we can envision many commercial and industrial applications for which there is no other comparable solution able to use Data about Things to help secure other Things.
IBM has announced it is establishing a new Internet of Things business unit with more than 2,000 consultants, researchers, and developers, and will invest $3 billion in it over the next four years. Three business areas are being highlighted:
(We won’t rehash all the details of the announcement, which you can read here.)
VDC finds this IBM initiative particularly noteworthy, for several reasons:
To look at it another way: as IoT becomes further integrated into day-to-day business IT and operations, what would have been IBM’s risk if it didn’t invest big money in IoT?