Security for the Internet of Things (IoT) can be a huge hurdle for those trying to develop embedded devices. Instead of just having to worry about the software, developers have to worry about the software, the data, the device, the application and the back end. To help improve IoT security, the Online Trust Alliance (OTA) has released its Internet of Things Trust Framework.
“The industry needs this. Developers need this prescriptive guidance,” said Craig Spiezle, executive director and president of the OTA. “Retailers need this guidance on what to be looking for, and consumers need this guidance on what criteria they should look at in the products they buy.”
The framework is designed to help IoT manufacturers, developers, and retailers reduce the attack surface area and vulnerabilities of IoT devices while promoting best practices.
“We know that there will be software vulnerabilities in the future,” said Spiezle. “I think that is a reality of software development. The best efforts you make today as a feature, tomorrow can be a threat. Recognizing that is the first step. The second thing is to ask, if that is going to happen, how are we going to update this? How are we going to notify the consumer of the device that may have a malfunction or vulnerability?”
Some best practices the framework recommends include making privacy policies readable and available; encrypting all personally identifiable data; disclosing data collection policies prior to purchase; and disclosing whether or not the user has the ability to remove his or her personal data or make it anonymous.
In addition to the best practices, the OTA will be providing tools and methodologies to help developers as well as creating a code of conduct and certification program.
The organization will be taking feedback on the framework until Sept. 14.
“There are things that we clearly have missed, but we are trying to be very pragmatic in what can be implemented in the short term,” said Spiezle. “Developers should look at this as a framework to work from, but at the same time we certainly welcome their input on what else they think we should be considering.”