Archive for January 2014
The IoT’s IOU: Robust Security

By Antoine Rizk, VP of Vertical Markets, Axway

One security issue that is often missed when we talk about the Internet of Things (IoT) is that many IoT applications have no usable notion of time. They have no embedded clock, no access to a time service, and no mechanism for synchronizing time across the entire “thingfrastructure.”

This is a genuine security issue. Most authentication systems rely on retry limits to defend against brute-force guessing, and those limits are expressed as a number of failed attempts within a given time window, in the same way desktops and email accounts do. A device with no trustworthy clock cannot tell when that window has elapsed, and a device that accepts time from an unauthenticated source lets an attacker end the window whenever they like.
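As an added example (this is not code from the original post), the following Python models both halves of that point: a retry limiter that judges its time window against a wall clock an attacker can influence, and a clock-free alternative that persists only the failure count and measures its back-off in uptime, re-arming the delay after every boot. The device model, the clock values, the `admin` principal and the limits are constructed for the demonstration.

```python
"""Login-attempt limiting with and without a trustworthy wall clock.

Added example (not from the original post). It models two devices: one that
trusts whatever wall-clock value it is given, and one that has only an uptime
counter (reset at every boot) plus a small persistent key/value store that
survives reboots. Clock values, the "admin" principal and the limits are made up.
"""
from collections import defaultdict, deque

class FakeClock:
    """Stand-in for time.time() or an uptime counter; the simulation sets .t directly."""
    def __init__(self, start=0):
        self.t = start

    def __call__(self):
        return self.t

class WindowedLimiter:
    """Desktop-style rule: at most `max_attempts` failures per `window` seconds,
    judged against a wall clock. Correct only if nobody can move that clock."""
    def __init__(self, max_attempts, window, wall_clock):
        self.max_attempts, self.window, self.clock = max_attempts, window, wall_clock
        self.failures = defaultdict(deque)  # principal -> timestamps of recent failures

    def allow(self, principal):
        now = self.clock()
        recent = self.failures[principal]
        while recent and recent[0] <= now - self.window:  # forget failures outside the window
            recent.popleft()
        return len(recent) < self.max_attempts

    def record_failure(self, principal):
        self.failures[principal].append(self.clock())

class PersistentBackoffLimiter:
    """Clock-free alternative: the count of consecutive failures is persisted and
    each failure doubles the uptime-measured delay before the next attempt. A reboot
    resets uptime, so the deadline is re-derived from the persisted count at boot."""
    def __init__(self, store, uptime, base_delay=1, max_delay=3600):
        self.store = store      # dict-like; assumed to survive reboots
        self.uptime = uptime    # monotonic seconds since boot
        self.base_delay, self.max_delay = base_delay, max_delay
        self.not_before = {}    # RAM only: principal -> earliest uptime at which to try again

    def _delay(self, failures):
        return min(self.base_delay * 2 ** failures, self.max_delay) if failures else 0

    def allow(self, principal):
        return self.uptime() >= self.not_before.get(principal, 0)

    def record_failure(self, principal):
        n = self.store.get(principal, 0) + 1
        self.store[principal] = n
        self.not_before[principal] = self.uptime() + self._delay(n)

    def record_success(self, principal):
        self.store.pop(principal, None)
        self.not_before.pop(principal, None)

    def on_boot(self):
        """Uptime is 0 again: re-arm the full delay for every principal still penalised."""
        self.not_before = {p: self._delay(n) for p, n in self.store.items()}

def run_attempts(limiter, attempts, between_attempts):
    """Make `attempts` failed logins as "admin"; return how many the limiter let through."""
    allowed = 0
    for _ in range(attempts):
        if limiter.allow("admin"):
            allowed += 1
            limiter.record_failure("admin")
        between_attempts()
    return allowed

def windowed_honest_clock(attempts=20):
    clock = FakeClock()
    limiter = WindowedLimiter(5, 60, clock)
    return run_attempts(limiter, attempts, lambda: setattr(clock, "t", clock.t + 1))

def windowed_spoofed_clock(attempts=20):
    """Attacker controls the device's time source and jumps it past the window after every guess."""
    clock = FakeClock()
    limiter = WindowedLimiter(5, 60, clock)
    return run_attempts(limiter, attempts, lambda: setattr(clock, "t", clock.t + 61))

def backoff_honest_uptime(attempts=20):
    uptime = FakeClock()
    limiter = PersistentBackoffLimiter({}, uptime)
    return run_attempts(limiter, attempts, lambda: setattr(uptime, "t", uptime.t + 1))

def backoff_power_cycle(attempts=20):
    """Attacker power-cycles the device after every guess, hoping a fresh uptime clears the lockout."""
    uptime = FakeClock()
    limiter = PersistentBackoffLimiter({}, uptime)

    def reboot():
        uptime.t = 0
        limiter.on_boot()

    return run_attempts(limiter, attempts, reboot)
```

With an honest clock the windowed rule stops at five guesses; with a spoofable clock it stops nothing, because every guess arrives "outside the window". The count-based limiter lets the honest run through four guesses in twenty seconds and the power-cycling attacker through exactly one. Two caveats: a persisted failure count is a lockout lever (anyone who can present a principal name can delay the legitimate user, exactly as with the windowed rule), and it only clears on a successful login or an administrative reset, so the cap on the delay matters.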

But security is not only about preventing or allowing access. It is also about monitoring who accessed what and, more specifically, when. Without time services, security architects must fall back on weaker substitutes for identifying and ordering events, such as sequence numbers or the clock of whichever gateway receives the event.
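The substitute in practice looks like the following added example (not code from the original post): the clock-less device numbers its events per boot and records its uptime at each event, the upload batch carries the device's uptime at upload time, and the gateway, which does have a trusted clock, derives a stable event identity (device, boot, sequence) and an estimated wall-clock time while flagging gaps, duplicates and impossible uptimes. The batch format, field names, device ID and sample uploads are constructed for the demonstration.

```python
"""Identifying and timestamping events from a device that has no clock.

Added example (not from the original post). Assumes the device numbers each
event with a per-boot sequence number, records its uptime in milliseconds at
the event, and uploads events in batches that also carry its uptime at upload
time. Batch format, field names and the sample batches below are constructed.
"""
from dataclasses import dataclass

@dataclass
class DeviceState:
    boot: int = 0              # incremented whenever the device's uptime goes backwards
    last_seq: int = -1         # highest sequence number seen in the current boot
    last_uptime_ms: int = -1   # device uptime at the last upload

class GatewayTimestamper:
    def __init__(self, wall_clock):
        self.clock = wall_clock   # gateway's trusted clock, returns epoch seconds
        self.devices = {}         # device_id -> DeviceState

    def ingest(self, device_id, batch):
        received_at = self.clock()
        st = self.devices.setdefault(device_id, DeviceState())
        upload_uptime = batch["uptime_ms"]
        if upload_uptime < st.last_uptime_ms:   # uptime went backwards: the device rebooted
            st.boot += 1
            st.last_seq = -1
        st.last_uptime_ms = upload_uptime

        records = []
        for ev in batch["events"]:
            flags = []
            if ev["seq"] <= st.last_seq:
                flags.append("replay_or_duplicate")
            elif ev["seq"] > st.last_seq + 1:
                flags.append("gap")                   # events lost, or numbers skipped
            if ev["uptime_ms"] > upload_uptime:
                flags.append("uptime_inconsistent")   # event "after" its own upload: corrupt or forged
            age_s = (upload_uptime - ev["uptime_ms"]) / 1000
            records.append({
                "id": (device_id, st.boot, ev["seq"]),   # the substitute for a timestamp-based identity
                "event": ev["event"],
                "estimated_time": received_at - age_s,   # gateway time minus how long ago it happened
                "received_at": received_at,
                "flags": flags,
            })
            st.last_seq = max(st.last_seq, ev["seq"])
        return records

class FakeClock:
    """Stand-in for the gateway's time.time(); the sample advances .t by hand."""
    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t

def run_sample():
    """Three constructed uploads from one device: normal, after a reboot with a gap, then a replay."""
    clock = FakeClock(1_000_000)
    gw = GatewayTimestamper(clock)
    out = []
    out.append(gw.ingest("sensor-7", {"uptime_ms": 50_000, "events": [
        {"seq": 0, "uptime_ms": 10_000, "event": "door_open"},
        {"seq": 1, "uptime_ms": 40_000, "event": "door_close"},
    ]}))
    clock.t += 100   # next upload: device uptime is lower than before, so it rebooted
    out.append(gw.ingest("sensor-7", {"uptime_ms": 20_000, "events": [
        {"seq": 0, "uptime_ms": 5_000, "event": "boot"},
        {"seq": 2, "uptime_ms": 15_000, "event": "tamper_switch"},   # seq 1 never arrived
    ]}))
    clock.t += 100   # seq 2 of this boot is sent again
    out.append(gw.ingest("sensor-7", {"uptime_ms": 30_000, "events": [
        {"seq": 2, "uptime_ms": 15_000, "event": "tamper_switch"},
    ]}))
    return out
```

The tuple `(device, boot, seq)` is what the gateway logs and correlates on; the estimated time is only as good as the device's uptime counter and the upload latency, which is why the gateway's own `received_at` is kept alongside it rather than overwritten.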

Why do security gaps appear more often in the IoT than on the conventional internet?

The answer is simple.

The Internet of Things replaces humans with objects. We know how to secure directories of human identities such as LDAP, human-triggered password resets, and, most importantly, human- or client-initiated connectivity over HTTP request/response protocols.

But the things in the Internet of Things can’t do any of this. Humans have to invent workarounds, new protocols, and new mechanisms to avoid security failures with dramatic consequences. Your life probably wouldn’t change if your connected refrigerator failed to connect, but think about what would happen if an entire supply chain foundered because of a failure in connected tracking devices. Or if a health program froze because of a failure in mHealth equipment. Or if a traffic regulation program crashed because of a failure in vehicle connectivity.

As this article rightly says, Nest and Google are interested in how people behave inside their houses. This is a data privacy issue, and we may want to accept it in the same way we accept giving Google access to our private emails. But beyond privacy, we are entitled to the full range of security measures, some of which we must not compromise on.

*

To learn more about security for the Internet of Things, click here to download our joint white paper with Gunnar Peterson of Arctec Group.

 

SuperStream your enterprise — Is your firm ready for the Australian government’s roll-out of its 2014 superannuation initiative?

As most of you probably know, SuperStream is a ground-breaking Australian federal government program designed to improve the efficiency and reduce the cost of superannuation processing by up to A$1 billion per year. Starting July 1, 2014, Australian employers in the initial induction group will electronically send — in the government-mandated standard — their super contributions to their employees’ nominated funds.

But do the new regulations demand a one-size-fits-all approach for big companies, and what will be the impact of the newly mandated standards?

As legislated under subsection 34K(3) of the Superannuation Industry (Supervision) Act 1993 (SISA 1993), those using XBRL (i.e., trustees of superannuation entities and employers) must use the government-mandated communications standard (i.e., ebMS v3 with AS4 profiles) and standardized document structures when submitting rollover transactions and superannuation contributions. To review the details, click here.

Why did the government decide on ebMS v3 and AS4 profiles? If you’re new to communication protocols and the related standards, these acronyms may be about as useful as hieroglyphics. In any event, “ebMS” stands for “ebXML Messaging Services,” a component of the ebXML suite of standards for e-business over the internet developed under the joint OASIS and UN/CEFACT ebXML initiative. ebMS v2 is an ISO standard (ISO 15000-2) and is already in widespread use; it provides reliable messaging, digital signatures, and message-level encryption for confidentiality. ebMS Version 3 (ebMS v3) adds a “pull” mode, which matters for small, “not-always-on” organizations, and its Advanced Features part (2011) adds multi-hop routing and the splitting and re-joining of very large messages. ebMS v3 uses WS-Security for message signing and encryption; payload compression is a separate feature of the AS4 profile, not of WS-Security.

Of particular importance for SuperStream is the introduction of simplified interoperability profiles that allow organizations to implement only those features of the standard they require. For example, gateways and large organizations may implement a “high-end” profile that supports both “pushing” and “pulling” for sending and receiving. But a small organization may only need the light client profile, which receives by “pulling” and sends by “pushing”: because the client initiates every connection, it needs no always-on infrastructure and no endpoint that accepts inbound connections from the internet.
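To make the light client profile concrete, here is an added example in Python; it is not from the original post, from SuperChoice, or from any SuperStream product. It builds the skeleton ebMS 3.0 messages the profile exchanges (a PullRequest on a message partition channel, the UserMessage pulled in reply, the pushed UserMessage and its Receipt) and a toy always-on gateway that answers pulls from a per-MPC queue. The party identifiers, service and action names, the MPC name and the message-ID domain are invented, and the example omits WS-Security signing and encryption, AS4 payload compression and reliable-messaging retries, all of which a conforming implementation must add.

```python
"""Light-client AS4 exchange: receive by pulling, send by pushing.

Added example (not from the original post, nor from any product). It builds bare
ebMS 3.0 messages in SOAP 1.2 for a small employer ("light client") and a toy
always-on gateway that answers PullRequests from a per-MPC queue. Party IDs,
service, action, MPC and message IDs are invented; WS-Security, AS4 payload
compression and reliable-messaging retries are omitted.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://www.w3.org/2003/05/soap-envelope"
EB = "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
for prefix, ns in (("S12", SOAP), ("eb", EB)):
    ET.register_namespace(prefix, ns)

def _s(tag): return f"{{{SOAP}}}{tag}"
def _eb(tag): return f"{{{EB}}}{tag}"

def _envelope():
    """SOAP 1.2 envelope with the eb:Messaging header flagged mustUnderstand."""
    env = ET.Element(_s("Envelope"))
    messaging = ET.SubElement(ET.SubElement(env, _s("Header")), _eb("Messaging"), {_s("mustUnderstand"): "true"})
    ET.SubElement(env, _s("Body"))
    return env, messaging

def _message_info(parent, ref_to=None):
    info = ET.SubElement(parent, _eb("MessageInfo"))
    ET.SubElement(info, _eb("Timestamp")).text = datetime.now(timezone.utc).isoformat()
    ET.SubElement(info, _eb("MessageId")).text = f"{uuid.uuid4()}@example.invalid"
    if ref_to:
        ET.SubElement(info, _eb("RefToMessageId")).text = ref_to

def _signal(ref_to=None):
    env, messaging = _envelope()
    signal = ET.SubElement(messaging, _eb("SignalMessage"))
    _message_info(signal, ref_to)
    return env, signal

def build_pull_request(mpc):
    """Light client -> gateway: hand over the next message queued on this MPC."""
    env, signal = _signal()
    ET.SubElement(signal, _eb("PullRequest"), {"mpc": mpc})
    return ET.tostring(env, encoding="unicode")

def build_receipt(ref_to):
    """Receiver -> sender: acknowledges the UserMessage identified by ref_to."""
    env, signal = _signal(ref_to)
    ET.SubElement(signal, _eb("Receipt"))
    return ET.tostring(env, encoding="unicode")

def build_error(ref_to, code, short, severity="failure"):
    env, signal = _signal(ref_to)
    ET.SubElement(signal, _eb("Error"), {"errorCode": code, "severity": severity, "shortDescription": short})
    return ET.tostring(env, encoding="unicode")

def build_user_message(from_party, to_party, service, action, payload_cid):
    """Business document pushed to a partner; the payload itself travels as a MIME part referenced by cid."""
    env, messaging = _envelope()
    user = ET.SubElement(messaging, _eb("UserMessage"))
    _message_info(user)
    parties = ET.SubElement(user, _eb("PartyInfo"))
    for tag, party_id, role in (("From", from_party, "urn:example:role:sender"),
                                ("To", to_party, "urn:example:role:receiver")):
        p = ET.SubElement(parties, _eb(tag))
        ET.SubElement(p, _eb("PartyId")).text = party_id
        ET.SubElement(p, _eb("Role")).text = role
    collab = ET.SubElement(user, _eb("CollaborationInfo"))
    ET.SubElement(collab, _eb("Service")).text = service
    ET.SubElement(collab, _eb("Action")).text = action
    ET.SubElement(ET.SubElement(user, _eb("PayloadInfo")), _eb("PartInfo"), {"href": f"cid:{payload_cid}"})
    return ET.tostring(env, encoding="unicode")

def classify(xml):
    """(kind, key): ('pull', mpc) | ('error', errorCode) | ('receipt', RefToMessageId) | ('user', MessageId)."""
    root = ET.fromstring(xml)
    if (pr := root.find(f".//{_eb('PullRequest')}")) is not None:
        return "pull", pr.get("mpc")
    if (err := root.find(f".//{_eb('Error')}")) is not None:
        return "error", err.get("errorCode")
    if root.find(f".//{_eb('Receipt')}") is not None:
        return "receipt", root.findtext(f".//{_eb('RefToMessageId')}")
    if root.find(f".//{_eb('UserMessage')}") is not None:
        return "user", root.findtext(f".//{_eb('MessageId')}")
    raise ValueError("not an ebMS 3 message")

class PullGateway:
    """Always-on side: queues UserMessages per MPC and releases one per PullRequest."""
    def __init__(self):
        self.queues = {}

    def enqueue(self, mpc, user_message_xml):
        self.queues.setdefault(mpc, []).append(user_message_xml)

    def handle(self, pull_request_xml):
        kind, mpc = classify(pull_request_xml)
        if kind != "pull":
            raise ValueError("this toy gateway only serves PullRequests")
        request_id = ET.fromstring(pull_request_xml).findtext(f".//{_eb('MessageId')}")
        queue = self.queues.get(mpc, [])
        if not queue:   # EBMS:0006 is the spec's warning for an empty channel; the client simply polls again later
            return build_error(request_id, "EBMS:0006", "EmptyMessagePartitionChannel", severity="warning")
        return queue.pop(0)
```

One round of the profile is: the employer sends `build_pull_request(mpc)` to the gateway and gets back either a queued UserMessage or an EBMS:0006 warning to poll again later; it then pushes its own `build_user_message(...)` to the fund's gateway and reads the `build_receipt(...)` signal, which references the pushed message's MessageId, out of the HTTP response. Nothing on the employer's side ever listens for an inbound connection.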

Whether you’re an employer, a fund administrator, a payroll provider, or a government agency, the need to do something to comply with SuperStream seems unavoidable.

If you have the time, perhaps you could join our guest speaker, Ian Gibson, CIO of SuperChoice, a leading provider of superannuation clearing and online contribution processing systems in the Australian market, and me in a webinar on February 5th at 2:30 p.m. AEST. We’ll examine the essence of SuperStream, the phased induction program recommended by the Australian Taxation Office, and your company’s options for compliance. Ian will also explain how SuperChoice selected and implemented their clearance and payment gateway to comply with the federal government’s superannuation requirements.

We’ll also share our understanding of:

  • Exactly what SuperStream is, and the rollout timetable
  • The planning for the first induction group, where selected participants may submit contribution transactions between July and September 2014
  • Your options for complying with SuperStream
  • The IT implications of the mandated document messaging standards (i.e., ebMS v3 with AS4 profiles) for superannuation contributions, and how this standard may support electronic information exchange with your business partners
  • The opportunity that implementing a consolidated B2B hub gives you (if you choose to upgrade your IT infrastructure) to streamline not only your superannuation transactions but also your enterprise’s entire ecosystem

 

About the blogger: Peter Stokes is Regional Director at Axway in the APAC region. He has more than 25 years experience in Asia and ANZ, driving groundbreaking, multi-disciplined trade facilitation and e-logistics projects.