Data Security in A Smart Residential Community

July 03, 2018 i-Neighbour Smart Community 2 Comments

When Singapore, the world’s top ranking Smart City unveiled its pilot trial at the residential-business estate, Jurong Lake District in 2014, it served as a crucial test bed for the country's smart nation technologies and services. It included the rollout of more than 1,000 data sensors in the area, located in the western part of Singapore, which captures information--including video images--to be used in applications around urban mobility, sustainability, and improving "sensing and situational awareness". The trials involved multiple government agencies including the Housing Development Board (HDB), Urban Redevelopment Authority, National Environment Agency, and Land Transport Authority, as well as more than 20 companies and startups.

A smart queue monitoring system is one of the applications that tap advanced video sensing to determine in real-time the length and flow of a queue, for instance, at taxi stands. This information including potential waiting time can be fed to commuters who can then decide if they want to join the queue or take the bus. The data can also alert taxi companies in locations that require more cabs.

However, the plan was to capture all the data via sensors and the collected data will be analyzed and securely managed through a new Smart Nation Platform that all government agencies can connect to. Ultimately the government will own the platform but it is open to having private sector entities operate and manage it at the same time.

Smarter, More Data & Security Measures

With so much data involved, data privacy and security is becoming one of the main concerns, especially when the government is excluded from the Data Protection Act. Some even questioned should the private companies allowed to manage and operate the Smart Nation Platform, and which set of data privacy laws should they abide by?

We all know that sensor networks and perpetual data flows produce new service models and analytics to make modern cities and smart communities more livable, sustainable, and equitable, but at the same time, connected smart city devices raise concerns about individuals’ privacy, autonomy, and freedom of choice, as well as potential discrimination by institutions or governments.

To be fully participative in the social data revolution, we must shed the old mindset of passive “consumers”, who take in whatever is placed before us, and embrace a new mindset, that of active co-creator of social data. The balance of power is shifting between government and people, buyers and sellers, employers and employees, then only the data of the people can and will become data for the people. 

When a residential community upgraded itself to a so-called smart status loaded with all the smart systems, devices and sensors, the flow and generation of data would increase tremendously. In the past, the data might be kept on the local computer or server, and can only be accessed by a few administrators. Hence, even if you are the transactions owner, for example, if you need the hard copy of your up-to-date service charges, you have to go to the office and demand for the account executive to access your own account as well as ask her/him to print it for you. What is the impact for the individual and community as a whole with all the residential community data floating on the cloud?

As an individual, your personal data such as name, ID and contact information, family members, vehicle numbers, home address, service account status and etc., most probably will be captured and stored locally in the past but shifted to cloud in the smart era.

Your physical interactions with smart devices leave traces too. This set of access transaction data produces the time in/out data when you drive through the boom gate, book facilities, and access the condo’s lobby when returning home in addition to taking the lift, or any other thresholds or doors that are possible using smart devices. And with the availability of Internet and cloud computing, it can even generate real-time data as well.

How do we perceive to have all of these generated data to adhere to our daily activities? As an urban dweller, can we still live as a recluse in addition to segregating ourselves from the outside world? If the answer is no, we have to deal with the data maturely instead of rejecting the trend that will inevitably come by.

Data Security: The Fear Factors

Dr. Andreas Weigend, a global expert on the future Big Data, in his book, “Data For the People, How to Make Our Post-Privacy Economy Work for You”, laid three major fears in dealing with data that they can’t control.

First, there is the fear of information imbalance, of data being retrieved about others or the situation in a way that will alter the outcome of the interaction.  When one side of a conversation has access to information and the other side does not have, the power of imbalance can be unbearable and heightened the feelings of insecurity. 

Second, there is the fear of dissemination, of others sharing data with people, companies, or the web without permission.

Third, there is the fear of permanence, of others recording data and saving the data somewhere. In this case, the fear comes down to an uncertainty about how the data might be analyzed or used in the future. With no guarantee that the consequences of the recording will be positive, it might be best to assume the worst. In addition, laws differ from place to place about who is allowed to record what without permission.

With all the fear factors, if a community still has no idea on how to make use of the data for the larger benefits of the community, how can they minimize the risk and keep the data safely hosted on the cloud?

Five Types Of Data

Data is kept on the cloud storage according to its requirement.  We can classify community data into five types of data, which are:

a. Informative Data
Basic information such as resident and organization info, e-document and e-contact created by the community, unless the resident no longer stays in the neighbourhood, his/her basic data would be there for general access by him/herself or the authorized personnel.

b. Transaction Activity Data
Data derived from the transaction activities such as accounting billing, visitors activities, trigger of panic button, notifications, report incidents, e-polling and etc.

c. IoT Sensing Data
Data derived or generated from the transaction activities from the IoT devices for community use such as barrier gate, turnstile, elevator, smart lock and IoT reader for facility rooms, common areas and all other community purposes.

d. Video Surveillance Data
I separated video surveillance data from IoT device data due to the nature of the data and it can be based on transaction if set to motion detection mode or on-going recording mode. Hence, video surveillance data takes more storage than other types of data. And, if a longer duration is required, it can be divided to local storage and cloud storage, whereby cloud storage is for shorter period, cost concern and security measure and it likewise only store relevant activity images rather than video footages on the cloud.

e. Social Activity Data
Community tends to use the third party well-known social media tools like Facebook, WhatsApp, WeChat, Telegram and etc. to fulfill the residential community social needs, instead of using their own smart platform, which may or may have the social functionality. If third party social activity data is involved, means it falls to the social media provider’s terms and conditions, and of course, the appointed administrators or moderators can set their own rules to protect the community social activity data, for example, if Facebook is used, the privacy is encouraged to set as closed community, only invited members can view the page and post to the page.   

What are the best practices a community should have to ensure that data security risk is lowered to the very minimum before kick starting a smart residential community project?

A. Form A Data Security Committee

I suggest the community sets up an internal data security committee (can be limited to one person if there is manpower shortage), the leader should have some basic know-how about data security, at least lay down a simple framework for data security policy. 

Data security committee has to decide on the type of information to be collected from residents and visitors, the duration to keep different type of data on the cloud, to decide role-based of system administration and users, to ensure the adopted smart community system to have met some security measures, to play a role in selecting smart system providers, to audit from time to time whether the data security complies and meets the criteria, to educate the neighbourhood on the good practices of data security at a community level and personal level.

B. Vendor Selection

Since self-initiated smart residential community project normally will engage a third party vendor or an integrator during implementation, the selection of the vendor becomes the most crucial task because companies awarded with the project is at the forefront of installing the system that deals with the abundance of data generated while in daily operation, the backend to house your data, and the knowledge on how to secure the data during transmission. Among all these, how seriously a company treats data security into its account is the foremost important criteria in evaluation. 

Some evaluation criteria can be considered as follows:


1. Whether or not the company is ISO 27001 certified?
ISO 27001 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27001 best practice guidance. The basis of this certification is the development and implementation of a rigorous security program, which includes the development and implementation of an Information Security Management System (ISMS), which defines how the company perpetually manages security in a holistic, comprehensive manner. This widely-recognized international security standard specifies the entities as follow:

Systematically evaluate the information security risks, taking into account the impact of the company's threats and vulnerabilities.

Design and implement a comprehensive suite of information security controls and other forms of risk management to address the company's architecture security risks.

Adopt an overarching management process to ensure that the information security controls meet the company's information security needs on an ongoing basis.


2. Whether or not the company does third party penetration test yearly?
A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems, service and application flaws, improper configurations, or risky end-user behaviors. Such assessments are also useful in validating the efficacy of defensive mechanisms as well as end-user adherence to security policies. A penetration test can help determine whether a system is vulnerable to attack, if the defences were sufficient, and which defences (if any) the test defeated.


3.  Whether the company that provides the smart community platform is ready with two-factor authentication?
For increased security, we recommend that you configure 2-factor authentication to help protect your system accounts. 2-factor authentication adds extra security because it requires the administrators with the highest authority to access the system via a unique authentication code from an approved authentication device.


4.  Whether the company host the smart community service in a trusted cloud server?      
Since there is only a handful of global renowned cloud computing platform providers such as Amazon AWS, Microsoft Azure, Google GCP, HP Cloud, Alibaba Cloud, this shouldn’t be a problem if the big names are seen in your selection, because your cloud data would eventually reside on the cloud server of the vendor that you choose to work with. But beware of the vendor who often use security measures provided by these cloud platform providers and claim that those are theirs. It is certainly not totally wrong, but always remember, when Amazon AWS guarantees a 99.95% uptime, it does not mean that the smart community system that is provided by the vendor will tag along with the uptime too. The smart community system that is hosted on AWS might still be down due to other reasons, in which the responsibility will be solely borne by the smart system provider.


5.   Whether the company is in compliance with GDPR?
On 25 May 2018, the General Data Protection Regulation (GDPR), a new data protection law for European countries started to take effect. GDPR is meant to strengthen the protection of personal data, it is a wide-reaching legislation, as it applies to all companies handling personal data of EU residents and its scope also covers almost all data relating to an individual, such as IP addresses, website cookies and more. With this, the EU has really taken a major step forward to strengthen data protection by shifting the rights over personal data away from companies back into your hands. A lot of privacy protection statements are self-claimed by vendors without having taken the compliance very seriously. GDPR, even though it is dependent on a company to be self-regulated, a compliant company will have to offer clearer explanations about what data is being collected and how it is going to be used. For example, consent shall be presented in a manner in which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. In other words, if a company is ready to comply with GDPR, the community has less to worry about the measure it has taken for data protection.

C. Adhere to Role-based Access for the Smart Community System

In computer systems security, role-based access control is an approach to restrict system access to authorized users. Role-based access control is sometimes referred to as role-based security. System roles control what sections in the Administrator Panel are available to different types of users. That said, most users have a system role of none, which means that they do not have access to the Administrator Panel.

You can use system roles to assign subsets of administrative privileges to other users. This helps you delegate routine administrative tasks to other users. For example, you can grant an instructor access to the user management pages, where the instructor can create users, edit user profiles, or change a user's enrollment in courses.

Only a user with full administrator privileges can assign privileges to a system role.

If your institution licenses community engagement, you can assign multiple secondary system roles to a user account. Multiple system roles grant the user the sum of their privileges. This makes it possible to create system roles based on tasks instead of creating a separate system role for every possible set of privileges.

In a smart community system, account executives are only assigned with an account and billing module, while security guard when calling residents through their guardhouse panel, may not have the access to view the contact numbers of the residents.

D. Decide on the Data to be Collected

Smart community system will flood with all types of data and information. Some data are raw and self-generated whenever there is a transaction occurring on IoT devices. Unless the smart devices are absent in a smart community system, which is unlikely, so these self-generated data is auto-collected and the committee can only decide on the duration it resides on the cloud server.

Some collected information can be decided by the community, for example designing an online visitor form to be filled up either by visitors, residents or security guards. A community can even add on a registration form complete with the  capability to auto-capture a visitors’ image from their identity card, driver’s license or live image from an installed camera.

Collecting of information should not be excessive; as long that it meets the requirements to keep the smart community moving should be adequate.

E. Decide on the Duration to Keep the Data

Different types of data might have varying durations to be kept in the cloud. For example the basic informative data such as names, contact numbers and etc., would be kept until the resident is no longer staying at the premises; for accounting records, the management committee are governed under the Strata Act, whereby the accounting record shall be kept according to the Company Act, for example, 7 years after the completion of the transactions and operations.

Some types of data might need to be kept in a separate copy in the local storage like surveillance video footage to save cost and to provide convenience for daily operation. And cloud storage should only be limited to activity images, like the snapshot of visitor photos from the guardhouse for recording purposes.

IoT data will account for roughly 10 percent of all the data registered globally in 2020, according to IDC market intelligence firm. Most IoT adopters fail to use their data or they derive just a small part of its value. For example, only one percent of data coming from the 30k sensors on a single oil grid gets turned into actionable insights. Unless a community has already figured out how to exploit its IoT data to a greater efficiency, a community has to decide whether, after a certain duration, an expired IoT transaction data can be purged automatically from the cloud. 

F. Select IoT Smart Devices with Data encryption during Transmission

In order to secure all data traffic between the smart devices and mobile phones, if Bluetooth communication is deployed, make sure that the IoT devices are embedded with Advanced Encryption Standard (AES) encryption.

AES was published by the National Institute of Standards and Technology (NIST) in 2001 after the evaluation process of the AES contest. Rijndael was the winner of the contest and NIST selected it as the algorithm for AES. Starting from 2001, AES has been adopted by the U.S. government and is now being used worldwide. It supersedes the Data Encryption Standard (DES) which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES is considered secure, very fast and compact which is about 1 kB of code; its block size is a multiple of 32 (typically 128 bits), its key length is also a multiple of 32 (typically 128, 192, or 256 bits), and it has a neat algebraic description.

AES encryption is used for encoding the information being exchanged between Bluetooth devices in such a way that eavesdroppers cannot read its contents. So, the contents that are sent between IoT device and mobile phone are safe and secure. Besides data encryption, we also have adjusted the Bluetooth range or Bluetooth antenna of the IoT devices to fit for particular usage and prevented someone from Bluesnarfing on our IoT devices. For example, for a smartphone to connect to a BLE door lock, the person must be within 1-2 meters from the IoT device to prevent intruders from eavesdropping at a corner.

In a nutshell, Bluetooth technology particularly BLE, is a great addition to businesses and consumers. However, it is also important for all users to understand the technology and the risks involved in its use so the risks can be mitigated for better user experience.

G.  Conduct Audit from Time to Time on Data Security

It is hard for a smart community to comply with ISO 27001 or to engage with a third-party organization in auditing its data security practice. The data security committee should establish a data security checklist with further revision and enhancement from time to time, and conduct an audit once in a year based on the checklist to ensure correction and remedy actions are taken if the practice deviates from the checklist.

H.  Conduct Data Security Awareness and Precaution Training Class

Another role of the committee is to conduct data security workshops or seminars by inviting experts to present talks and provide trainings to the community members from time to time. 

Personal Level Data Security

For personal level, since the community members or the residents will opt for smartphones and its smart community App rather than its web portal for the purposes of making payment, viewing notifications, inviting visitors, booking facilities and etc; and furthermore if the community is installed with smart devices which use smartphones as personal credentials for access, then the increase of utilization of smartphone at the personal level would be apparent. Hence, we list down a set of security guides to keep your phone and data safe even though it is general practices that are not targeted solely on a smart community platform. 


1. Activate A Screen Lock
After a short period of inactivity (30 seconds, for example), your phone should auto-lock itself. It is a must not only for your mobile device, but also for your laptop or tablet. This is the easiest way to keep intruders away from your data. It is also essential that you enforce automatic wiping of the device after several failed login attempts.

2. Mind Your Apps
Always use official app stores to download and install an app. Disable the option to allow installation of third party apps as they usually carry malware that will harm your smartphone. Of course, the app that is using to manage your smart community is chosen at the community level, not a personal decision and with sufficient consideration and guidance, so the risk to download the community app does not arise here. 

3. Install Ad Blocker
It is recommended to install an ad blocker. Not because the ads are intrusive and have been failing potential customers, but because they can be exploited by cyber criminals. For example, malvertising can be served right on your smartphone through ad servers – and you don’t even need to click on anything in order to get infected!

4. Beware Of Phishing
It is much harder to spot a phishing page on your mobile phone than on your PC or your laptop. Keep your guard up against phishing on all your devices, no matter if it is a desktop, laptop, tablet or smartphone. Don’t click on short, suspicious links that you didn’t request. And be careful with those attachments that you've downloaded via email or instant messaging services.

5. Activate Remote Device Locator
In case your smartphone is lost or stolen, the easiest way to remotely locate it, is by installing a dedicated app and making sure that the option to track its location is always turned on.

6. Activate Automatic Backup
Have automatic backups in the cloud. This option is available on all operating systems, you just have to enable it (or don’t disable it, in case it’s already set as default). In case that your phone is lost, destroyed or stolen, you won’t have to worry about the fact that you didn’t get the chance to backup all your data on it. All apps and data will be automatically synchronized in the cloud.

7. Activate Two-Factor Authentication
No matter if you have an Apple, a Google or a Microsoft account, activating the two-factor authentication is a must. This will act as a second layer of security. In doing so, every time you sign in on a new device or from a new location, it will require you to verify your identity through a unique, time-sensitive code, that you’ll receive via text message.

8. Turn On Encryption
If your smartphone offers the option to encrypt the data on it, enable it.

9. Install An Antivirus
Install a trustworthy antivirus. Although they aren’t as potent as their desktop versions, it is still a better alternative rather than having no antivirus installed.

Summary

1.  In this chapter, the author discusses that a vast pool of data will be generated when shifting an existing community system to a smart community system, and data security will become a more crucial issue in which a community has to deal with.

2.  The interaction with IoT smart devices created more transaction data in a smart community system.

3.  The fear factors drive users to take data privacy and security more seriously. Hence, when adopting a smart community system, security precaution should be part of the entire implementation plan.

4.  The author lists down 5 major types of data namely informative data, transaction activity data, IoT sensing data, video surveillance data and social activity data generated when implementing a smart community system.

5.  At the community level, the author also lists 8 best practices to lower the risk of data security to a minimum. The practices are a) Form a data security committee; b) Vendor selection guideline; c) Adhere to role-based access; d) Decide the data set to be collected; f) Decide on the duration of time keeping the data; g) Ensure smart devices come with strong data encryption; h) To audit on data security measure from time to time, and i) Conduct data security awareness and training workshop for community members.

6.  At the personal level, the author also lists down 9 best practices to reduce data security risk. 

 References

1.  Cristina Chipurici 2017, Smartphone Security Guide: The Easiest Way to Keep Your Phone & Data Safe: How to enhance your smartphone’s security and privacy (handy tips included), Heimdal Security Blog, viewed 17 July 2018, <https://heimdalsecurity.com/blog/smartphone-security-guide-keep-your-phone-data-safe/>.

2.  Andreas Weigend 2017, Data For the People, How to Make Our Post-Privacy Economy Work for You, Basic Books, New York.

3.  Eileen Yu 2014, Data privacy ambiguity may hamper Singapore's smart nation ambition, ZDNet, viewed 14 July 2018, <https://www.zdnet.com/article/data-privacy-ambiguity-may-hamper-singapores-smart-nation-ambition/>.

4.  Katherine Lazarevich 2018, What You Should Be Doing With Your IoT Data,  Medium.com, viewed 19 July 2018, <https://medium.com/iotforall/what-to-do-with-your-iot-data-in-2018-4fc408ed18a9>.




Teh Hon Seng, Group CEO of TimeTec Group of Companies. Prior to forming TimeTec, Teh led PUC Founder (MSC) Bhd to be listed on MESDAQ (ACE) market of Bursa Malaysia in 2002. Teh initiated the R&D in fingerprint technology in 2000, which later developed into a renowned global brand for commercial fingerprint product known as FingerTec. In 2008, he foresaw the trend of cloud computing and mobile technology, and over the years, he had strategically diversified and transformed its biometric-focused products into a suite of cloud solutions that aimed at workforce management and security industries including smart communities that centered around the cloud ecosystem. Teh has more than 10 patents to his name, and he is also a columnist in a local newspaper and a writer of several books.