IoT Data Protection - If You're Thinking Only about IoT Security, You're Seeing Only Half the Picture

Photo credit: Spencer Cooper  CC BY 2.0
“Here’s your Internet of Things. Now you figure out who’s responsible for backing up all that data.”
Wait...what? You mean there’s data involved with the Internet of Things? And somebody needs to worry about IoT data protection?
Yes and yes.

Data protection for the Internet of Things

If you’re following IoT at all, you’ve probably seen reassuring headlines like “IoT security is RUBBISH says IoT vendor collective.” I’ll go into IoT security and other things to keep you up at night in my next post, but first I want to describe the data protection half of the IoT picture.
It’s news to most people – including to IT managers and backup admins – that IoT generates data worth protecting. Why would you want to back up the messages moving between the lights and sensors in your living room, or between a camera and a robotic arm in a factory? Who cares?
Fair enough. But Things like VoIP phones, scanners, sensors, robots and thermostats generate – and store – more data than just banal messages. That data runs the gamut from simple configuration parameters for remote management to the stuff of business transactions.

IoT is more than machines spitting out data. It’s a store of valuable business information.

Consider a robot that moves a heavy object on an assembly line. Humans teach the robot to perform a given function, like retrieving the body of a pickup truck and setting it onto a chassis, through a combination of computer programming and a wand the user operates to refine and coordinate the robot’s movement. Once programming is finished, the robot retains the information, then repeats it and monitors its own behavior over time, building up a log.
That IoT data is valuable to the company and worth protecting for several reasons:

·         It represents an investment of time and money to train the device (and replace human effort).

·         The robot is monitoring events in which it participates and creating a log that may be required during an audit.

·         The robot is tracking the number of truck bodies it moves, which is a useful double-check on production figures.

·         If the configuration or log data in the robot suddenly disappears, the company will have to reconfigure and retrain it. Much of the business value of the device will also disappear.

Smart devices aren’t smart when you first take them out of the box or install them in your factory. They become smart as you use them because they learn your preferences and behavior. That intelligence acquires business value over time.
But it’s volatile and the technology is still young, which are good reasons to protect the data.

Apply decades of normal caution to IoT

If that argument is too subtle, think about the argument for backing up every computer for the last few decades:
If the machine dies, we’ll lose valuable business data.
Now apply that to IoT. If there is an outage and your machine goes down, any unprotected data is unavailable. Worse yet, if your machine is ruined and the data is irrecoverable, then it will be a while before you’re manufacturing pickup trucks again.
That same business value applies also to smart thermostats that learn homeowners’ temperature preferences, security sensors that detect patterns in the flow of people, devices that passively trace drug distribution and IFTTT recipes that store workflow automation. That value is worth protecting, whether it’s in the center stack of a car or the welding robot on an automotive assembly line.

Why is this such a stretch?

Why do we reflexively think about backing up devices on the internet, yet have a “Wait...what?” moment when it comes to backing up devices on the Internet of Things?
True, with the exception of the Zip drive, data protection has never been very exciting. Still, you’d think we’d be ready for it by now. New machines mean new data, and new data means more backup.


That’s how the data protection half of the picture looks. Next time I’ll describe the IoT security half of the picture.