To understand what’s coming in 2017 in the worlds of data privacy, information security, and digital identity, we need to understand the implications of a handful of developments that happened in October 2016. These events largely occurred in the U.S., but reached Australia and will continue to reverberate here into the future.
First was telecommunications giant AT&T’s proposed acquisition of Time Warner, which highlighted exactly how legacy media and telecommunications companies perceive themselves to be vulnerable to disruptive forces like cord cutting. “Digital pipe” companies feel they need to lock in content providers in order to capture and hold audiences and preserve value (U.S. cable giant Comcast went down this road when it completed its acquisition of NBCUniversal in 2013).
While regulators may frown on such industry consolidation, we’re likely to see more merger activity in the telecom/media sectors through 2017, with incumbent players globally adopting digital transformation as a strategy to stave off disruption. In Europe the digital transformation side of this trend is visible in developments such as the MyBBC project.
Globally, independent players like Netflix and semi-independent players like Hulu and independent cable TV producers continue to find ways to directly insert successful content into the entertainment bloodstream. Across the media landscape, it’s well-understood that making content easily accessible through the full array of channels is key to locking in loyalty and preserving lifetime value (LTV).
The Dyn DDoS Attack & IoT Security
It wasn’t obvious at first, but in the days after many of the largest sites on the Web began experiencing outages on October 21st, it became clear that we had entered an alarming new era of Internet vulnerability. The October outages weren’t caused by a garden-variety Distributed Denial of Service (DDoS) attack; they were the result of a DDoS attack of unprecedented size and scope aimed at one of the Internet’s choke points, a little-known domain name system (DNS) provider called Dyn.
Though Dyn is based in New Hampshire in the U.S., sites all over the world were affected, including in Europe and Australia, with household names like Twitter, Amazon and Spotify all experiencing performance issues or outages. More ominous still, the attack was carried out by a global botnet of compromised consumer devices, mostly IP cameras (baby monitors among them), digital video recorders and home routers; Dyn’s own estimate put the number of attacking endpoints at up to 100,000. In short, this was the first DDoS attack powered by the Internet of Things (IoT) to be felt by mainstream Internet users worldwide.
Can we expect more such attacks in 2017? Given the enormous number of cheap, insecure IoT devices flooding the market, and the ready availability of the Mirai malware used to build and control the botnet (its source code was published online shortly before the attack), the simple answer is yes. The bigger picture, however, is that such attacks are likely to become less damaging as DNS service providers and Internet backbone networks boost their defences. But the real key to eliminating this type of vulnerability is for device manufacturers to stop shipping devices that can be taken over with a factory-default credential, and to adopt identity-based security measures instead.
A very large percentage of IoT devices deployed globally shipped from the factory with default usernames and passwords. Unless the user takes the time to change the password, the device is pretty much wide open for takeover by bad actors: Mirai did nothing cleverer than scan the Internet for devices exposing Telnet and log in with a short list of factory defaults. Worse, on some devices the credentials are hard-coded in the firmware, so even a diligent owner cannot change them.
In 2017 we can expect to see more devices shipped without hard-coded usernames or passwords. For devices intended to connect to back-end cloud services, increasingly we’ll see the device receive its credentials through a “pin and pair” style relationship: the owner approves the pairing from a device they already control, and the IoT device receives short-lived access tokens via an authorisation standard such as OAuth 2.0 (whose device authorization grant was designed for exactly this case). This allows for simple pairing and revocation processes, which protect access to the cloud service and the owner’s personal information. Indeed, “passwordless” will become a word we’ll all hear more often in 2017. As more and more devices, things and services come online through the IoT, legacy approaches to authentication, authorisation and identity management will need to change.
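The pairing lifecycle just described, as an added example that is not code from the original article or from any vendor mentioned on this page: a single in-process object stands in for the cloud authorisation server, and the calls below stand in for the HTTPS requests a real device and phone app would make. It follows the shape of the OAuth 2.0 device authorization grant (standardised later as RFC 8628): the device gets a high-entropy device_code plus a short user_code to display, the owner approves the user_code from their phone, the device polls until a short-lived bearer token is issued, and unpairing revokes every token that device holds. The client identifier, scopes, verification URI and clock values are assumptions for illustration.

```python
"""Device pairing via an OAuth 2.0 device authorization grant, modelled in-process.

Constructed example: one AuthorizationServer object stands in for the cloud
service, and the calls below stand in for the HTTPS requests a real device and
phone app would make. Not production code.
"""
import secrets
import time


class AuthorizationServer:
    def __init__(self, token_ttl=300, code_ttl=600, poll_interval=5):
        self.token_ttl = token_ttl          # access tokens are short-lived
        self.code_ttl = code_ttl            # an unapproved pairing request dies after this
        self.poll_interval = poll_interval  # minimum seconds between device polls
        self._pending = {}   # device_code -> pairing request awaiting the owner
        self._tokens = {}    # access_token -> who/what it was issued to

    def device_authorization(self, client_id, scope, now=None):
        """Step 1: the device asks for a code pair and shows user_code to the owner."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)                               # high-entropy, never shown
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. "A1B2-C3D4"
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": now + self.code_ttl, "owner": None, "last_poll": 0.0,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://example.invalid/device",  # hypothetical URI
                "expires_in": self.code_ttl, "interval": self.poll_interval}

    def approve(self, user_code, owner, now=None):
        """Step 2: the owner, already logged in on their phone, enters/accepts user_code."""
        now = time.time() if now is None else now
        for rec in self._pending.values():
            if rec["user_code"] == user_code and rec["owner"] is None and rec["expires_at"] > now:
                rec["owner"] = owner
                return True
        return False  # unknown, expired or already-consumed code

    def token(self, device_code, now=None):
        """Step 3: the device polls until the owner has approved, then receives a token."""
        now = time.time() if now is None else now
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["expires_at"] <= now:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if now - rec["last_poll"] < self.poll_interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["owner"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]  # the device_code is single use
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = {"owner": rec["owner"], "client_id": rec["client_id"],
                                      "scope": rec["scope"], "expires_at": now + self.token_ttl}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": self.token_ttl, "scope": rec["scope"]}

    def introspect(self, access_token, now=None):
        """What a resource server asks before honouring a device's request."""
        now = time.time() if now is None else now
        rec = self._tokens.get(access_token)
        if rec is None or rec["expires_at"] <= now:
            return {"active": False}
        return {"active": True, "sub": rec["owner"], "client_id": rec["client_id"], "scope": rec["scope"]}

    def revoke_device(self, owner, client_id):
        """Unpairing: every token held by that device stops working at once."""
        doomed = [t for t, r in self._tokens.items() if r["owner"] == owner and r["client_id"] == client_id]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)


def pairing_walkthrough():
    """Runs the whole pairing lifecycle with a fixed clock; returns each step's result."""
    srv = AuthorizationServer()
    t0 = 1_700_000_000.0
    start = srv.device_authorization("thermostat-7f3a", "thermostat:read thermostat:write", now=t0)
    first_poll = srv.token(start["device_code"], now=t0 + 5)        # owner has not acted yet
    hasty_poll = srv.token(start["device_code"], now=t0 + 6)        # polled again too soon
    bogus = srv.approve("ZZZZ-ZZZZ", owner="mallory", now=t0 + 10)  # guessed code is rejected
    approved = srv.approve(start["user_code"], owner="alice", now=t0 + 30)
    issued = srv.token(start["device_code"], now=t0 + 40)
    replay = srv.token(start["device_code"], now=t0 + 50)           # device_code cannot be reused
    live = srv.introspect(issued["access_token"], now=t0 + 100)
    stale = srv.introspect(issued["access_token"], now=t0 + 40 + srv.token_ttl)
    revoked = srv.revoke_device("alice", "thermostat-7f3a")
    after_revoke = srv.introspect(issued["access_token"], now=t0 + 101)
    return {"first_poll": first_poll, "hasty_poll": hasty_poll, "bogus": bogus,
            "approved": approved, "issued": issued, "replay": replay, "live": live,
            "stale": stale, "revoked": revoked, "after_revoke": after_revoke}


if __name__ == "__main__":
    for step, result in pairing_walkthrough().items():
        print(f"{step:13} {result}")
```

Two details carry the security weight: the device never holds a long-lived secret it could leak (the token expires on its own and the owner can revoke it at any time), and the only thing typed by a human is the short user_code, which is useless without the matching device_code the server handed to the device directly.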
When things like home lighting arrays, garage door openers and smart wearables become connected systems, using legacy usernames and passwords to control access and authorisation just won’t be workable. The way forward will be to use passwordless identity management and continuous security techniques to maintain secure access to devices and services.
We’re likely to see the rise of authorisation through push notifications – using real-time messaging to smartphones to grant access to data or authorise use of online services. Mobile phones are well suited to authentication because users are familiar with how they function, they’re closely associated physically with the individual, and they can receive notifications to the phone itself or within specific apps running on it. Two caveats apply: the prompt must show what is being approved (the action and where the request came from), and the approval must be bound to that specific request so it cannot be replayed or attached to a different action; otherwise users trained to tap “approve” will approve an attacker’s request as readily as their own.
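The push-approval exchange described above, as an added example that is not code from the original article or from any vendor mentioned on this page: the service creates a challenge that names the action, the phone app (holding a secret provisioned when the phone was enrolled) signs the user’s approve/deny decision over that challenge, and the service checks signature, expiry and single use before letting the action proceed. HMAC with a shared secret is used only to keep the example dependency-free; a per-device asymmetric key is the better choice in practice. The user name, action strings and clock values are assumptions for illustration.

```python
"""Push-notification approval modelled as a signed, single-use, expiring challenge.

Constructed example: the service builds a challenge describing the action, the
phone app (holding a secret provisioned at enrolment) signs approve/deny over it,
and the service checks signature, expiry and replay before acting. HMAC with a
shared secret keeps the example stdlib-only; a per-device asymmetric key is the
better choice in practice. Not production code.
"""
import hashlib
import hmac
import json
import secrets


def _canonical(challenge, decision):
    """Deterministic bytes covering everything the user saw plus their decision."""
    payload = {k: challenge[k] for k in ("id", "user", "action", "nonce", "exp")}
    payload["decision"] = decision
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def phone_sign(secret, challenge, decision):
    return hmac.new(secret, _canonical(challenge, decision), hashlib.sha256).hexdigest()


def phone_respond(secret, challenge, decision):
    """Runs on the phone: the app displays challenge['action'] and the user taps a button."""
    return {"id": challenge["id"], "decision": decision,
            "mac": phone_sign(secret, challenge, decision)}


class ApprovalService:
    def __init__(self, ttl=60):
        self.ttl = ttl        # seconds the prompt stays valid
        self._secrets = {}    # user -> phone secret, set when the phone is enrolled
        self._open = {}       # challenge id -> challenge not yet answered

    def enrol_phone(self, user, secret):
        self._secrets[user] = secret

    def request_approval(self, user, action, now):
        """Create the prompt; the returned dict is what the push notification carries."""
        challenge = {"id": secrets.token_urlsafe(16), "user": user, "action": action,
                     "nonce": secrets.token_hex(16), "exp": now + self.ttl}
        self._open[challenge["id"]] = challenge
        return challenge

    def verify(self, response, now):
        """Decide whether the action may proceed. Returns (ok, reason)."""
        challenge = self._open.get(response.get("id"))
        if challenge is None:
            return False, "unknown or already answered challenge"
        if now > challenge["exp"]:
            del self._open[challenge["id"]]
            return False, "prompt expired"
        expected = phone_sign(self._secrets[challenge["user"]], challenge, response.get("decision", ""))
        if not hmac.compare_digest(expected, response.get("mac", "")):
            return False, "signature does not match what the user saw"
        del self._open[challenge["id"]]  # single use, whatever the decision
        if response["decision"] != "approve":
            return False, "denied by user"
        return True, "approved"


def approval_walkthrough():
    """Exercises approve, replay, tampering and expiry with a fixed clock."""
    svc = ApprovalService(ttl=60)
    phone_secret = secrets.token_bytes(32)    # provisioned during phone enrolment
    svc.enrol_phone("alice", phone_secret)
    t0 = 1_700_000_000
    ch = svc.request_approval("alice", "Unlock garage door (home)", now=t0)
    approved = svc.verify(phone_respond(phone_secret, ch, "approve"), now=t0 + 10)
    replay = svc.verify(phone_respond(phone_secret, ch, "approve"), now=t0 + 20)
    ch2 = svc.request_approval("alice", "Share location history with partner app", now=t0 + 30)
    denial = phone_respond(phone_secret, ch2, "deny")
    tampered = dict(denial, decision="approve")   # attacker flips the answer in transit
    flipped = svc.verify(tampered, now=t0 + 35)
    denied = svc.verify(denial, now=t0 + 36)
    ch3 = svc.request_approval("alice", "Sign in to web dashboard", now=t0 + 100)
    late = svc.verify(phone_respond(phone_secret, ch3, "approve"), now=t0 + 100 + 61)
    return {"approved": approved, "replay": replay, "flipped": flipped,
            "denied": denied, "late": late}


if __name__ == "__main__":
    for step, result in approval_walkthrough().items():
        print(f"{step:9} {result}")
```

Because the signature covers the action text the phone displayed, an attacker who intercepts a denial cannot turn it into an approval, and a captured approval cannot be replayed or re-pointed at a different action. The expiry keeps a prompt that the user never saw from being answered hours later.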
The New Era of Personal Privacy - the FCC Has Elevated the Privacy Rights of the Individual Over Commercial Interests, and Business Will Need to Change
Finally, the third significant event from October 2016 that will carry over into the new year came when the U.S. Federal Communications Commission issued a ruling requiring broadband providers to secure consent from their customers before sharing their personal data with third parties.
This ruling brings the Internet into a new era where the ability of the individual to keep their browsing data and other personal information private is now more broadly protected. This move by the FCC brings the US more into line with Europe, where ISPs and telecommunications carriers have long been subject to regulations that elevate the privacy of the individual over commercial interests.
For Australian companies operating globally, the ruling means a more standardised online business environment across the markets they serve. It also presents ISPs and telecommunications firms with an opportunity to use strong privacy protections as a competitive differentiator to cement customer loyalty. Strong, scalable customer identity technology will be a critical element in those efforts.