Data Security in A Smart Residential Community
When Singapore, the world’s top-ranking Smart City, unveiled its pilot trial at the residential-business estate Jurong Lake District in 2014, it served as a crucial test bed for the country's smart nation technologies and services. It included the rollout of more than 1,000 data sensors in the area, located in the western part of Singapore, which capture information, including video images, to be used in applications around urban mobility, sustainability, and improving "sensing and situational awareness". The trials involved multiple government agencies including the Housing Development Board (HDB), Urban Redevelopment Authority, National Environment Agency, and Land Transport Authority, as well as more than 20 companies and startups.
A smart queue monitoring system is one of the applications that tap advanced video sensing to determine in real time the length and flow of a queue, for instance, at taxi stands. This information, including potential waiting time, can be fed to commuters, who can then decide if they want to join the queue or take the bus. The data can also alert taxi companies to locations that require more cabs.
However, the plan was to capture all the data via sensors, and the collected data would be analyzed and securely managed through a new Smart Nation Platform that all government agencies can connect to. Ultimately the government will own the platform, but it is open to having private sector entities operate and manage it at the same time.
Smarter, More Data & Security Measures
With so much data involved, data privacy and security are becoming one of the main concerns, especially when the government is excluded from the Data Protection Act. Some even questioned whether private companies should be allowed to manage and operate the Smart Nation Platform, and which set of data privacy laws they should abide by.
We all know that sensor networks and perpetual data flows produce new service models and analytics to make modern cities and smart communities more livable, sustainable, and equitable, but at the same time, connected smart city devices raise concerns about individuals’ privacy, autonomy, and freedom of choice, as well as potential discrimination by institutions or governments.
To participate fully in the social data revolution, we must shed the old mindset of passive “consumers”, who take in whatever is placed before us, and embrace a new mindset, that of active co-creators of social data. The balance of power is shifting between government and people, buyers and sellers, employers and employees; only then can and will the data of the people become data for the people.
When a residential community upgrades itself to a so-called smart status, loaded with smart systems, devices and sensors, the flow and generation of data increase tremendously. In the past, the data might be kept on a local computer or server and could be accessed only by a few administrators. Even as the owner of the transactions, if you needed a hard copy of your up-to-date service charges, for example, you had to go to the office and ask the account executive to access your account and print it for you. What is the impact on the individual, and on the community as a whole, of having all the residential community data floating on the cloud?
As an individual, your personal data such as name, ID and contact information, family members, vehicle numbers, home address, service account status, etc. were most probably captured and stored locally in the past, but shift to the cloud in the smart era.
Your physical interactions with smart devices leave traces too. This set of access transaction data records time-in/time-out when you drive through the boom gate, book and use facilities, enter a condo’s lobby when returning home, take a lift, or pass any other threshold or door controlled by smart devices. And with the availability of Internet and cloud computing, this data can be generated in real time too.
How do we feel about having all of this generated data attached to our daily activities? As urban dwellers, can we still live as recluses and segregate ourselves from the outside world? If the answer is no, we have to deal with the data maturely instead of rejecting a trend that will inevitably come.
Data Security: The Fear Factors
Dr. Andreas Weigend, a global expert on the future of Big Data, in his book, “Data For the People, How to Make Our Post-Privacy Economy Work for You”, laid out three major fears people have in dealing with data that they can’t control.
First, there is the fear of information imbalance, of data being retrieved about others or the situation in a way that will alter the outcome of the interaction. When one side of a conversation has access to information and the other side does not, the imbalance of power can be unbearable and heighten feelings of insecurity.
Second, there is the fear of dissemination, of others sharing data with people, companies, or the web without permission.
Third, there is the fear of permanence, of others recording data and saving the data somewhere. In this case, the fear comes down to an uncertainty about how the data might be analyzed or used in the future. With no guarantee that the consequences of the recording will be positive, it might be best to assume the worst. In addition, laws differ from place to place about who is allowed to record what without permission.
With all the fear factors, if a community still has no idea how to make use of the data for the larger benefit of the community, how can it minimize the risk and keep the data safely hosted on the cloud?
Five Types of Data
Data is kept on cloud storage according to its requirements. We can classify community data into five types, which are:
a. Informative Data
Basic information such as resident and organization info, e-documents and e-contacts created by the community. Unless the resident no longer stays in the neighbourhood, his/her basic data remains available for general access by him/herself or by authorized personnel.
b. Transaction Activity Data
Data derived from transaction activities such as accounting and billing, visitor activities, panic button triggers, notifications, incident reports, e-polling, etc.
c. IoT Sensing Data
Data derived or generated from transaction activities on the IoT devices for community use, such as barrier gates, turnstiles, elevators, smart locks and IoT readers for facility rooms and common areas, and for all other community purposes.
d. Video Surveillance Data
I separate video surveillance data from IoT device data because of its nature: it can be transaction-based if the camera is set to motion detection mode, or continuous if set to on-going recording mode. Hence, video surveillance data takes more storage than other types of data. If a longer retention duration is required, storage can be split between local storage and cloud storage, with cloud storage used for a shorter period for cost and security reasons, or with only relevant activity images rather than video footage stored on the cloud.
e. Social Activity Data
Communities tend to use well-known third-party social media tools like Facebook, WhatsApp, WeChat, Telegram, etc. to fulfill the residential community's social needs, instead of using their own smart platform, which may or may not have social functionality. If third-party social activity data is involved, it falls under the social media provider’s terms and conditions. The appointed administrators or moderators can, of course, set their own rules to protect the community's social activity data. For example, if Facebook is used, the privacy setting is encouraged to be a closed community, where only invited members can view the page and post to it.
What best practices should a community adopt to lower data security risk to the very minimum before it kick-starts a smart residential community project?
A. Form a Data Security Committee
I suggest the community set up an internal data security committee (it can be limited to one person if there is a manpower shortage). The leader should have some basic know-how about data security and should at least lay down a simple framework for a data security policy.
The data security committee has to decide on the type of information to be collected from residents and visitors and the duration to keep different types of data on the cloud; define role-based access for system administrators and users; ensure the adopted smart community system meets security measures; play a role in selecting smart system providers; audit from time to time whether data security practice complies with the criteria; and educate the neighbourhood on good data security practices at the community and personal levels.
B. Vendor Selection
Since a self-initiated smart residential community project will normally engage a third-party vendor or an integrator for implementation, selecting the vendor becomes the most crucial task. The company or companies awarded the project are at the forefront, installing systems that deal with the abundance of data generated in daily operation; at the backend, housing your data; and hold the knowledge of how to secure the data during transmission. Among all these, how seriously a company takes data security is the most important criterion in evaluation.
Some evaluation criteria can be considered as follows:
1. Whether or not the company is ISO 27001 certified?
ISO 27001 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27001 best practice guidance. The basis of this certification is the development and implementation of a rigorous security program, which includes the development and implementation of an Information Security Management System (ISMS) that defines how the company perpetually manages security in a holistic, comprehensive manner. This widely recognized international security standard specifies that entities:
Systematically evaluate the information security risks, taking into account the impact of company threats and vulnerabilities;
Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks;
Adopt an overarching management process to ensure that the information security controls meet the company's information security needs on an ongoing basis.
2. Whether or not the company conducts a third-party penetration test yearly?
A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems, service and application flaws, improper configurations, or risky end-user behavior. Such assessments are also useful in validating the efficacy of defensive mechanisms, as well as end-user adherence to security policies. A penetration test can help determine whether a system is vulnerable to attack, whether the defences were sufficient, and which defences (if any) the test defeated.
3. Whether the company that provides the smart community platform is ready with two-factor authentication?
For increased security, we recommend that you configure 2-factor authentication to help protect your system accounts. 2-factor authentication adds extra security because it requires administrators, who always have the highest authority, to access the system with a unique authentication code from an approved authentication device.
4. Whether the company hosts the smart community service on a trusted cloud server?
Since there is only a handful of globally renowned cloud computing platform providers, such as Amazon AWS, Microsoft Azure, Google GCP, HP Cloud and AlibabaCloud, this shouldn’t be a problem if the big names are seen in your selection, because your cloud data will eventually reside on the cloud server of the vendor that you choose to work with. But beware of vendors who often use security measures provided by these cloud platform providers and claim that those are theirs. It is not totally wrong, but always remember: when Amazon AWS guarantees a 99.95% uptime, it does not mean that the smart community system provided by the vendor will share that uptime. The smart community system hosted on AWS might still be down for other reasons, for which the responsibility is borne solely by the smart system provider.
5. Whether the company is in compliance with GDPR?
On 25 May 2018, the General Data Protection Regulation (GDPR), a new data protection law for European countries, started to take effect. GDPR is meant to strengthen the protection of personal data. It is wide-reaching legislation, as it applies to all companies handling personal data of EU residents, and its scope covers almost all data relating to an individual, such as IP addresses, website cookies and more. With this, the EU has taken a major step forward to strengthen data protection by shifting the rights over personal data away from companies and back into your hands. A lot of privacy protection statements are self-claimed by vendors who have not taken compliance very seriously. Even though GDPR depends on a company to be self-regulated, a compliant company will have to offer clearer explanations about what data is being collected and how it is going to be used. For example, consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. In other words, if a company is ready to comply with GDPR, the community has less to worry about regarding the measures it has taken for data protection.
C. Adhere to Role-based Access for the Smart Community System
In computer systems security, role-based access control is an approach to restrict system access to authorized users. Role-based access control is sometimes referred to as role-based security. System roles control what sections in the Administrator Panel are available to different types of users. Most users have a system role of none, which means that they do not have access to the Administrator Panel.
You can use system roles to assign subsets of administrative privileges to other users. This helps you delegate routine administrative tasks to other users. For example, you can grant an instructor access to the user management pages, where the instructor can create users, edit user profiles, or change a user's enrollment in courses.
Only a user with full administrator privileges can assign privileges to a system role.
If your institution licenses community engagement, you can assign multiple secondary system roles to a user account. Multiple system roles grant the user the sum of their privileges. This makes it possible to create system roles based on tasks instead of creating a separate system role for every possible set of privileges.
In a smart community system, an account executive is assigned only the account and billing module, while a security guard calling residents through the guardhouse panel may not have the right to see the residents' contact numbers.
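The role rules described in this section, sketched as an added example that is not part of the original article or any vendor's product. The role names follow the text; the permission strings, the `User` class and the sample resident record are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Role -> permissions. The roles mirror the article; the permission strings
# are hypothetical names chosen for this example.
ROLE_PERMISSIONS = {
    "none": frozenset(),
    "account_executive": frozenset({"billing:read", "billing:write"}),
    "security_guard": frozenset({"visitor:register", "resident:call"}),
    "administrator": frozenset({
        "billing:read", "billing:write", "visitor:register",
        "resident:call", "resident:read_contact", "role:assign",
    }),
}

# Constructed sample record, not real resident data.
RESIDENTS = {
    "A-12-03": {"name": "Resident One", "phone": "+60 12-555 0100",
                "balance_due": 250.00},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=lambda: {"none"})

    def permissions(self):
        # Multiple roles grant the sum (union) of their privileges.
        granted = set()
        for role in self.roles:
            granted |= ROLE_PERMISSIONS[role]
        return granted


def can(user, permission):
    return permission in user.permissions()


def assign_role(actor, target, role):
    """Only a full administrator may change another user's roles."""
    if not can(actor, "role:assign"):
        raise PermissionError(f"{actor.name} may not assign roles")
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    target.roles.add(role)


def resident_view(user, unit):
    """Return only the fields the caller's roles allow (deny by default)."""
    if not user.permissions():
        raise PermissionError(f"{user.name} has no administrative access")
    record = RESIDENTS[unit]
    view = {"unit": unit, "name": record["name"]}
    if can(user, "resident:read_contact"):
        view["phone"] = record["phone"]
    if can(user, "billing:read"):
        view["balance_due"] = record["balance_due"]
    return view


def place_call(user, unit):
    """Guardhouse panel: the server dials, the number is never returned."""
    if not can(user, "resident:call"):
        raise PermissionError(f"{user.name} may not call residents")
    _number = RESIDENTS[unit]["phone"]  # used server-side only
    return {"unit": unit, "status": "ringing"}
```

The guard can ring a unit without the phone number ever reaching the guardhouse panel, because the lookup happens behind `place_call` and only a status comes back.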
D. Decide on the Data to be Collected
A smart community system will be flooded with all types of data and information. Some data is raw and self-generated whenever a transaction activity happens on IoT devices. Unless smart devices are absent from the smart community system, which is unlikely, this self-generated data is auto-collected, and the committee can only decide how long it resides on the cloud server.
Some collected information can be decided by the community, for example by designing an online visitor form to be filled in by visitors, residents or security guards. A community can even add a registration form complete with auto-capturing of the visitor's image from an identity card, driver’s license or live image from an installed camera.
Information collection should not be excessive; collecting what is required to keep the smart community running should be adequate.
E. Decide on the Duration to Keep the Data
Different types of data might have varying durations to be kept in the cloud. For example, basic informative data like names, contact numbers, etc. would be kept until the resident is no longer staying at the premises; accounting records and the management committee are governed under the Strata Act, whereby accounting records shall be kept according to the Company Act, for example, 7 years after the completion of the transaction and operations.
Some types of data, like surveillance video footage, might need to be kept as a separate copy in local storage to save cost and to provide convenience for daily operation. Cloud storage should then be limited to activity images, like the snapshots of visitor photos from the guardhouse for record purposes.
IoT data will account for roughly 10 percent of all the data registered globally in 2020, according to market intelligence firm IDC. Most IoT adopters fail to use their data, or they derive just a small part of its value. For example, only one percent of the data coming from the 30k sensors on one oil grid turns into actionable insights. Unless a community already knows how to exploit its IoT data to greater efficiency, it has to decide whether, after a certain duration, expired IoT transaction data can be purged automatically from the cloud.
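A retention schedule like the one described in this section can be expressed as a small rule table that a nightly job evaluates. The following is an added example, not code from the article or any product: the 7-year accounting hold and the "until the resident leaves" rule come from the text, while the 90-day and 30-day windows, the record fields and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def add_years(ts, years):
    """Calendar-year arithmetic so a 7-year hold is never cut short."""
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:  # 29 Feb mapped into a non-leap year
        return ts.replace(year=ts.year + years, month=3, day=1)


# data type -> (field that starts the clock, function giving the expiry time)
POLICY = {
    "informative": ("resident_left", lambda t: t),            # until resident leaves
    "accounting": ("completed", lambda t: add_years(t, 7)),   # 7 years (from the text)
    "iot_sensing": ("created", lambda t: t + timedelta(days=90)),    # assumed window
    "visitor_image": ("created", lambda t: t + timedelta(days=30)),  # assumed window
}
LOCAL_ONLY = {"video_footage"}  # footage stays on local storage, not the cloud


def decide(record, now):
    """Return 'keep', 'purge', 'move_to_local' or 'review' for one record."""
    kind = record.get("type")
    if kind in LOCAL_ONLY:
        return "move_to_local"
    if kind not in POLICY:
        # Unclassified data is flagged, never silently kept or deleted.
        return "review"
    clock_field, expiry = POLICY[kind]
    start = record.get(clock_field)
    if start is None:
        return "keep"  # clock not started: resident still there, bill still open
    return "purge" if now >= expiry(start) else "keep"


def purge_plan(records, now):
    """Group record ids by the action the policy requires."""
    plan = {}
    for record in records:
        plan.setdefault(decide(record, now), []).append(record["id"])
    return plan


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample records covering each rule.
SAMPLE = [
    {"id": "res-1", "type": "informative", "resident_left": None},
    {"id": "res-2", "type": "informative", "resident_left": utc(2024, 6, 1)},
    {"id": "inv-1", "type": "accounting", "completed": utc(2018, 3, 1)},
    {"id": "inv-2", "type": "accounting", "completed": utc(2017, 12, 31)},
    {"id": "gate-1", "type": "iot_sensing", "created": utc(2024, 11, 15)},
    {"id": "gate-2", "type": "iot_sensing", "created": utc(2024, 9, 1)},
    {"id": "cam-1", "type": "video_footage", "created": utc(2024, 12, 30)},
    {"id": "exp-1", "type": "unknown_export", "created": utc(2024, 1, 1)},
]

if __name__ == "__main__":
    for action, ids in purge_plan(SAMPLE, utc(2025, 1, 1)).items():
        print(action, ids)
```

Running the job in report-only mode first, and having the committee review the `purge` and `review` lists before deletion is enabled, keeps a misclassified record from being destroyed.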
F. Select IoT Smart Devices with Data Encryption During Transmission
In order to secure all data traffic between the smart devices and mobile phones, if Bluetooth communication is deployed, make sure that the IoT devices have embedded Advanced Encryption Standard (AES) encryption.
AES was published by the National Institute of Standards and Technology (NIST) in 2001 after the evaluation process of the AES contest. Rijndael was the winner of the contest and NIST selected it as the algorithm for AES. Since 2001, AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES), which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES is considered secure, very fast and compact, at about 1 kB of code; its block size is a multiple of 32 (typically 128 bits), its key length is also a multiple of 32 (typically 128, 192, or 256 bits), and it has a very neat algebraic description.
AES encryption is used for encoding the information being exchanged between Bluetooth devices in such a way that eavesdroppers cannot read its contents. So, the contents that are sent between the IoT device and the mobile phone are safe and secure. Besides data encryption, we have also adjusted the Bluetooth range or Bluetooth antenna of the IoT devices to fit the particular usage and to prevent someone from Bluesnarfing our IoT devices. For example, for a smartphone to connect to a BLE door lock, the person must be within 1-2 meters of the IoT device, which prevents intruders from eavesdropping from a corner.
In a nutshell, Bluetooth technology, particularly BLE, is a great addition to businesses and consumers. However, it is also important for all users to understand the technology and the risks involved in its use, so that the risks can be mitigated for a better user experience.
G. Conduct Audit from Time to Time on Data Security
It is hard for a smart community to comply with ISO 27001 or to engage a third-party organization to audit its data security practice. The data security committee should establish a data security checklist, revise and enhance it from time to time, and conduct an audit once a year based on the checklist to ensure that corrective and remedial actions are taken if the practice deviates from the checklist.
H. Conduct Data Security Awareness and Precaution Training Class
Another role of the committee is to conduct data security workshops or seminars, inviting experts to give talks and provide training to the community members from time to time.
Personal Level Data Security
Besides the community level, there is the personal level. Community members or residents will opt for smartphones and the smart community App rather than the web portal for making payments, checking notifications, inviting visitors, booking facilities, etc.; and if the community is installed with smart devices which use smartphones as personal credentials for access, the increase in smartphone utilization at the personal level will be apparent. Hence, we list a set of security guides to keep your phone and data safe, even though these are general practices that are not targeted solely at a smart community platform.
1. Activate a Screen Lock
After a short period of inactivity (30 seconds, for example), your phone should auto-lock itself. It is a must not only for your mobile device, but also for your laptop or tablet. This is the easiest way to keep intruders away from your data. It is also essential that you enforce automatic wiping of the device after several failed login attempts.
2. Mind your Apps
Always use official app stores to download and install an app. Disable the option to allow installation of third-party apps. Third-party apps usually carry malware that will harm your smartphone. Of course, the app that is used to manage your smart community is chosen at the community level, with sufficient consideration and guidance, and is not a personal decision, so this risk does not arise when downloading the community app.
3. Install an Ad Blocker
We suggest installing an ad blocker. Not because the ads are intrusive and have been failing potential customers, but because they can be exploited by cybercriminals. For example, malvertising can be served right on your smartphone through ad servers, and you don’t even need to click on anything in order to get infected!
4. Beware of phishing
It is much harder to spot a phishing page on your mobile phone than on your PC or your laptop. Keep your guard up against phishing on all your devices, no matter if it is a desktop, laptop, tablet or smartphone. Don’t click on short, suspicious links that you didn’t request. And be careful with those attachments you download via email or instant messaging services.
5. Activate Remote Device Locator
In case your smartphone is lost or stolen, the easiest way to remotely locate it is by installing a dedicated app and making sure that the option to track its location is always turned on.
6. Activate Automatic Backup
Have automatic backups in the cloud. This option is available on all operating systems, you just have to enable it (or don’t disable it, in case it’s already set as default). In case that your phone is lost, destroyed or stolen, you won’t have to worry about the fact that you didn’t get the chance to backup all your data on it. All apps and data will be automatically synchronized in the cloud.
7. Activate Two-Factor Authentication
No matter if you have an Apple, a Google or a Microsoft account, activating the two-factor authentication is a must. This will act as a second layer of security. Every time you want to sign in on a new device or from a new location, it will require you to verify your identity through a unique, time-sensitive code, that you’ll receive via text message.
8. Turn on Encryption
If your smartphone offers the option to encrypt the data on it, enable it.
9. Install an Antivirus
Install a trustworthy antivirus. Although mobile versions aren’t as potent as their desktop counterparts, this is still a better alternative than having no antivirus installed.
Summary
1. In this chapter, the author discusses how a vast pool of data will be generated in shifting from an existing community system to a smart community system, and how data security will become a more crucial issue a community has to deal with.
2. The interaction with IoT smart devices created more transaction data in a smart community system.
3. The fear factors drive users to take data privacy and security more seriously, hence when adopting a smart community system, security precaution should be part of the entire implementation plan.
4. The author lists down 5 major types of data namely informative data, transaction activity data, IoT sensing data, video surveillance data and social activity data generated when implementing a smart community system.
5. At the community level, the author also lists 8 best practices to lower data security risk to the very minimum. The practices are: a. Form a data security committee; b. Vendor selection guideline; c. Adhere to role-based access; d. Decide on the data set to be collected; e. Decide on the duration to keep the data; f. Ensure smart devices come with strong data encryption; g. Audit data security measures from time to time; and h. Conduct data security awareness and training workshops for community members.
6. At the personal level, the author also lists down 9 best practices to reduce data security risk.
References
1. Cristina Chipurici, “Smartphone Security Guide: The Easiest Way to Keep Your Phone & Data Safe: How to enhance your smartphone’s security and privacy (handy tips included)”, Heimdal Security Blog, 27 October 2017
2. Andreas Weigend, “Data For the People, How to Make Our Post-Privacy Economy Work for You”, Publisher: Basic Books, January, 2017
3. Eileen Yu, “Data privacy ambiguity may hamper Singapore's smart nation ambition”, ZDNet, 19 January, 2014
4. Katherine Lazarevich, “What You Should Be Doing With Your IoT Data”, Medium.com/iotforall, 27 March 2018
Teh Hon Seng, Group CEO of TimeTec Group of Companies. Prior to forming TimeTec, Teh led PUC Founder (MSC) Bhd to be listed on MESDAQ (ACE) market of Bursa Malaysia in 2002. Teh initiated the R&D in fingerprint technology in 2000, which later developed into a renowned global brand for commercial fingerprint product known as FingerTec. In 2008, he foresaw the trend of cloud computing and mobile technology, and over the years, he had strategically diversified and transformed its biometric-focused products into a suite of cloud solutions that aimed at workforce management and security industries including smart communities that centered around the cloud ecosystem. Teh has more than 10 patents to his name, and he is also a columnist in a local newspaper and a writer of several books.