Security and Privacy of Internet of Things (IoT) has become an important issue. Since IoT is becoming one of the most prominent trend in the current technological advancement, as the world is becoming inter-connected with the internet. IoT has influenced all the technological domains starting from a simple fitness tracker to a fully automated autonomous car manufacturing industry. In this chapter we will show the background of IoT, Security and privacy issues concerning IoT and its interleaved technologies, objective of the dissertation, and a brief discussion on the proposed methodologies.

Internet of Things

According to (Roberto Minerva & Rotondi (2015)), IoT is a system of collaboration of computational elements controlling physical entities with respect to some events in the real world. In different context IoT can be defined as Machine-to-Machine (M2M) communications, where different devices communicate with each other in order to fulfill a common goal together. With the help of IoT, physical objects can be controlled or sensed remotely from anywhere using the existing network infrastructures. The network infrastructure allows direct integration of physical standalone things into computer based systems, which is improving efficiency, accuracy and also reducing human intervention. IoT can be traced back to simple Wireless Sensor Network (WSN) and have evolved to become a sophisticated and complex mesh network of devices, domains, and industries .

Some of the examples of IoT are in health-care, smart-grid, self-driving cars and drones, video surveillance system with tracking using image recognition, contactless and biometric systems for payment, agriculture and mining, production and even in education and training (Ashton (2016)). IoT has influenced in every aspects of personal life, ranging from automated coffee machine to a fully automated smart environment or cities. The trend IoT is following (Newman (2017)), it will become more fragmented and distributed.

Security issues regarding IoT

Security and privacy always been a challenging aspect while dealing with technology and personal data. Due to the rapid technological advancement, the need for security and privacy has increased drastically over the few years. According to the Annual Cybercrime Report (Morgan (2018)) from Cybersecurity Ventures predicts that cybercrime will cost $6 trillion annually by 2021. Meanwhile, Ponemon Institute funded by IBM (Institute (2018)), conducted a study on Data Breach that the global average cost of a data breach is $3.62 million. According to Gartner (Gartner (2017b)), worldwide spending on information security products and services at $86.4 billion in 2017, and they predicted that spending will increase to $93 billion in 2018.

Data Confidentiality, Integrity and Availability (CIA) Triad  is the basic model for designing any technological security system. CIA Triad allows the security experts and manufacturers to balance the different aspects aspects for the emerging technologies. As the cyber threat vectors are becoming more complex day by day there is an addition of « resilience » in the CIA triad. Resilience means failure of any discrete component should not cause systemic failure. According to the new laws and regulations enforced by the government like FTC (FTC (2016)), GDPR (GDPR (2016)), FISMA (FISMA (2016)) for personal data protection, as for example, the guideline for protecting PII (Erika McCallister & Scarfone (2010)), the security aspects while dealing with personal data has to changed. for example, all data should be kept encrypted, the communication has to be secured as well processing of data, the data owner has the right to decide what part of the data can be accessed by the service provider and what should be shared to the third party, etc. Also the regulations state that the service providers have to protect personal data during their business period and then delete the data after that as well as the service provider can not share those data with any third parties.

The popularity of IoT is increasing mainly due to the drastical increase of popularity and crave for smart devices, sensors, cheaper devices and the capabilities of cloud computing. IoT devices fully depend on the computational power of the cloud and existing network infrastrucutures to work together as one to serve a common purpose. The services provided by the Cloud can easily satisfy the massive and changing demand on different resources constrained devices.

It is providing all the necessary services like computation, analytics and storage for the IoT resource constrained devices (Avoyan (2017)). According to (McKendrick (2016)) by the end of 2020, 68% of the cloud workloads will be in public cloud data centers. So data privacy and security in the third party cloud services brings new concerns, since the clouds might be honest but as well as curious (Chai & Gong (2012)) by collecting information without notifing the data owner. There are several security issues (Brodkin (2008)) (Prinzlau (2017)) related to the third party cloud service, for example, there are chances of for the loss of sensitive data and data leakage which raises the risk of data misused by the service provider or attacker, cloud credential and key management of cloud services might lead to potential breaches. Al Morsy et al. (Almorsy et al. (2016)) showed some of the security issues relevant to virtualization, multi-tenancy, management and hostile networks. Even though cloud services provides basic security features and functionality to ensure the security of the whole database, but most of the time the data itself is not secured, so there is always a single point of failure.

IoT Middleware
Middleware or Smart Gateway plays an vital role in the IoT infrastructure. Middleware is a collaboration of hardware and software which is responsible for receiving or sending the data from and to the sensors on behalf of the users. It serves as an intermediary for the embedded systems and the application to communicate with each other. They also provide a platform for the users or services to communicate with the sensors and actuators. Some of the middleware requirements for IoT are functional, non-functional and architectural (Razzaque et al. (2016)) (Stankovic (2014)).

– Functional requirements
• Resource discovery: The middleware must have mechanisms to detect the presence of devices or sensors and should be able to dynamically connect to them.
• Resource management: A middleware needs the manage the services provided by the sensors or devices and should be able to monitor them.
• Data management: A middleware needs to have the capabilities to manage data that is sent to it from the sensors or devices for processing, filtering and storage.
• Event management: A middleware should be able to handle huge number of events that is being sent from sensors or devices without creating congestion or degrading the performance of the system.
• Code management: A middleware must be able to deploy codes that is upgrade version of the application without being interrupted from its regular services.

– Non-functional requirements
• Scalability: A middleware needs to have be scalable to the growth of the devices or sensors so that it can accommodate the applications and network.
• Real time: The middleware should provide services in real-time and on time when an event is occurred.
• Reliability: The middleware should be reliable and work smoothly during the lifetime of the system even if there is a failure.
• Availability: The middleware has to available or appear to be online especially in mission critical situation like in healthcare. The middleware should be prune to fault tolerance.
• Security and privacy: The middleware must have security mechanism so that there no malicious attacker can have access into the middleware is not information leakage.
• Ease-of-deployment: The middleware needs to have the portability that is easily deployed with less or no knowledge of the system.
• Popularity: The middleware should provide service and support throughout the life time of the system.

– Architectural requirement
• Programming abstraction: The middleware needs to provide API for developers for faster development of application.
• Interoperable: The middleware has to work with heterogeneous devices, technologies or application without additional effort.
• Service-based: The middleware should be service-based to offer high flexibility when a function needs to be added or deleted.
• Adaptive: The middleware needs to adaptive so that it can evolve to fit itself into changes in its environment.
• Context-aware: The middleware should be aware of the users, devices or environments context and use these for effective and essential services offering to users.
• Autonomous: The middleware must be able to communicate with each other without human intervention.
• Distributed: The middleware has to be sufficient to support many distributed services and application.