The Internet of Things, big data and the cloud: implications for privacy and trust
Russell Craig, National Technology Officer, Microsoft NZ
russell.craig@microsoft.com
What are we going to talk about?
- What is the Internet of Things?
- What is big data?
- How do they relate to the cloud?
- Privacy issues: what should we care about/why should we care?
- Enabling trust: the role of the industry
What is the Internet of Things?
Connected world solutions combine sensors and technologies to enable objects and infrastructure to interact with monitoring, analytics and control systems over Internet-style networks.
Things, Data, Connectivity, Analytics
Source: Forrester
- Hardware is cheap
- Connectivity is pervasive
- Development is easy
- Huge benefits fuel demand
- New Innovative Scenarios
Moore's Law: Over the history of computing hardware, the number of transistors in a dense integrated circuit has doubled approx. every two years. [Chart: transistors, 1970-2010]
Metcalfe's Law: Value of a telecommunications network is proportional to the square of the number of connected users of the system (n²).
Koomey's Law: The energy needed for a fixed computing load falls by a factor of 100 every decade. [Chart: computations per kWh, 1940-2010]
will become ambient intelligence intelligence from machine learning
What Microsoft Says
You have things, that you get data from and store, that you derive insights from, that allows you to do.
Infrastructure Things; Citizen Things; Transportation Things; Cloud Storage; HDInsight; Power BI; Predictive Maintenance; Command and Control
Make IoT real in your business
- Improve efficiency: Decrease costs through asset monitoring
- Enable innovation: Increase revenue through service improvement
- Transform your business: Create additional revenue streams by monetizing new opportunities
- Remote monitoring and management
- Improve customer service and loyalty
- Reach new customers and markets
The connected cow: Using IoT to transform cattle production
Fujitsu is the world's fourth-largest IT services provider with approximately 162,000 employees in more than 100 countries and holds about 97,000 patents worldwide.
CHALLENGE: Fujitsu wanted to help dairy farmers increase production, improve data insights and transform their business by optimizing the timing of artificial insemination (AI). It also wanted to decrease loss through early detection of health issues.
SOLUTION: Fujitsu learned from public research that a cow produces more estrus (goes into heat) 16 hours after the number of steps increases significantly. The company created an innovative solution which uses a rugged pedometer with a five-year battery to measure the number of footsteps a cow takes, then sends that data to the cloud for analysis to determine optimum AI timing and even affect calf gender. In addition, the patterns of steps can detect disease in cattle. Alerts are delivered to the farmer's cell phone.
BENEFITS:
- Improves calf production up to 31%, with an average of 12%
- Modernizes data access with mobile phone alerts, reducing labor costs for monitoring cows
- Transforms herd management by allowing farmers to increase chances of producing a male or female calf
- Reduces loss by detecting 8-10 different kinds of diseases in cattle
Create the Internet of Your Things: www.internetofyourthings.com
The Internet of Things: Healthcare
PATIENT HOME HOSPITAL OUTPATIENT FACILITY
- Monitor patient conditions with in-home medical devices that alert care team staff when a health event occurs.
- Enable an interactive experience between patients and collaborative care teams, and reduce response times by providing remote access to the latest patient data.
- Connect patient data to contextual data, so the latest patient data automatically displays on care provider devices based on their location and role.
- Make authorized patient data accessible from a unified point, enabling a holistic view of the patient's journey so providers can optimize each care interaction.
- Transform the vehicle into a smart environment that monitors health indicators.
- Combine data from various sources to uncover insights that enable an enhanced patient journey, improved operational efficiency, and better risk management.
- Make patient data visible and actionable in near real-time, enabling improved outcomes through data-driven decision making, better coordination and error reduction.
HEALTHCARE ECOSYSTEM: Integrate data from existing and nontraditional sources to drive Big Data analytics, enabling care process innovation and healthcare transformation.
WEATHER, PHARMACY, GOVERNMENT, INSURANCE COMPANIES, RETAIL, RESEARCH, DEMOGRAPHICS
Microsoft Azure Cloud is fundamental enabler of IoT and big data
Compute Data Storage Network Services App Services
Global Physical Infrastructure
- Stores over 50 trillion objects
- Handles on average 127,000 requests/second
- Peak of 880,000 requests/second
- > 2 billion active directory transactions/day
Devices
Device Connectivity: Event Hubs, Service Bus, External Data Sources
Storage: SQL Database, Table/Blob Storage, DocumentDB, External Data Sources
Analytics: Machine Learning, Stream Analytics, HDInsight, Data Factory
Presentation & Action: App Service, Power BI, Notification Hubs, Mobile Services, BizTalk Services
Azure Intelligent Systems Service
Automotive, Retail, Industrial, Healthcare, Security & Surveillance, Energy, Smart Home, Smart Cities
Microsoft Azure Intelligent Systems Service(s)
- Monitoring: Data collection and alerts; Asset tracking & Geo-fencing; Preventive maintenance; Usage based billing
- Remote Access: Securely log into remote devices and products to diagnose issues; Remote servicing - diagnose, and repair problems
- Content Distribution: Automate software deployment to assets; Distribute files to devices. Content includes asset-specific files, doc, ads
- Configuration Management: Store and access asset configurations; Compliance Management
Telematics; Windows 10 IoT; NETWORK; M2M Gateway; Vehicle Tracking Device; Cameras; Power Meter; Load Meter; Smoke Fire Alarms; Humidity Sensor; Flow Meter; Occupancy Sensor; Temperature Sensor
INTELLIGENT DEVICES: Machine Controller; Vehicle Tracking; Smart Grid; General Equipment; Retail Kiosk; Fire Detection; Healthcare; Smart Building Automation; Digital Advertising; Smart Home Automation
Switching focus: data and analytics
Gartner identifies Big Data and extreme information processing and management, in-memory database management systems and quantum computing as transformational with adoption between 2 and 5 years.
This would also enable enterprises to leverage Predictive Analytics, which has already seen greater mainstream adoption, combined with cloud computing as transformational in broadening the options in developing and sourcing IT.
Humans as data sources
Per person per day (in the "golden billion"):
- 50-200 e-mails
- 10-50 voice calls
- 1-100 SMS and tweets
- 0.1 blog posts
- 1-20 financial transactions
- 3-30 search requests
- 10-30 articles, read on the Internet
- 10 audio records
- 30-90 minutes of TV/Video
- 20-200 appearances in video monitoring cameras
- 1-100 geospatial notches
- 20-200 RFID checks
And at least 4.5 billion people have at least phones (mostly wireless)
From The Human Face of Big Data by Rick Smolan. EMC inspired.
World today
and tomorrow
What should we care about?
Our vision: New Zealand is a world leader in the trusted, inclusive and protected use of shared data to deliver a prosperous society
1. Get the rules of the game right.
2. Create value by doing.
3. Establish the foundations: value, inclusion, trust and control.
Why should we care?
Big data = big opportunity
For governments:
- Budget savings
- Transparency and responsibility
- Real insight into society
- Optimal decisions
Big data = big opportunity
For people:
- Self organization
- Better experiences
- Intelligent environment
- Introspection
Big data = big opportunity
For business:
- Converting products to services
- Expanded value chains
- New business models
- Educated targeting
From Product to Service
$V = V_0 + AN + BN^2$
[Diagram labels: Value for customer; Socialization of Business (Clients, Employees, Partners); Imminent value; Mobility & Connectivity; Volume value; On Premise, Off Premise; Big Data & BI; Network value; Value]
http://www.businesslogicsystems.com/data%20management
Big data = big opportunity
For IT industry:
- Next chance to change the world
- Step towards internet of everything
- Completely new markets
Big challenge
For people:
- New lack of privacy
- Automated justice
- Need to understand
Risks of:
- Re-identification
- Re-personalization
- Undesirable profiling
- False aggregation
- Incorrect inferences
- Unwanted targeting
- Etc.
Joseph Goebbels
Why Netflix's Facebook app would be illegal
By Julianne Pepitone @CNNMoneyTech March 27
VPPA arose from strange circumstances surrounding the failed Supreme Court nomination of Robert Bork. While Bork's nomination hearings were taking place in 1987, a freelance writer for the Washington City Paper talked a video store clerk into giving him Bork's rental history.
Target Predicts Pregnancy with Big Data
http://smallbusiness.yahoo.com/advisor/target-predicts-pregnancy-big-data-104057627.html
Big challenge
For business:
- Hard to comply
- Easy to violate
- Unexpected backfire
- Need to defend sources
Google facing legal threat from six European countries over privacy
http://www.guardian.co.uk/technology/2013/apr/02/google-privacy-policy-legal-threat-europe
http://online.wsj.com/article/sb10001424052970203391104577124540544822220.html?mod=googlenews_wsj
http://www.wikileaks.org/
Big challenge
For government:
- It is hard to be transparent
- It is easy to overuse
- Hard to defend sources
George Orwell, 1984
http://budget4me.ru/ob/faces/home
http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html
Big challenge
For IT industry:
- Needs new hardware and software architecture to address scale
- Needs to know how to protect customers
- Needs to address extremely complicated usage scenarios
- Risk of over-restrictive regulation
Pro:
- People: collective knowledge
- Business: from disordered offerings to quality of life service
- Government: know and address real needs of citizens
- IT industry: change the world (again?)
Con:
- People: final lack of privacy
- Business: disruptive scenarios
- Government: chance to miss everything; loss of trust
- IT industry: new approaches to hw and sw architecture, addressing new challenges
Long term Q: where do societies need to focus? A: computational ethics and Big Data
Why ethics?
Benefiting from opportunities and mitigating risks assumes careful handling of digital assets of high business and personal value, both in known scenarios and in completely new situations.
To proceed successfully one should follow some sort of fundamental principles: clear and consistent.
Ethics, also known as moral philosophy, is a branch of philosophy that involves systematizing, defending and recommending concepts of right and wrong conduct. http://www.iep.utm.edu/ethics/
Big Data and traditional ethics
Let's take concepts from traditional ethics and examine how they should apply to the digital world, and how they evolve under influence of Big Data capabilities.
- Four elements of Big Data Ethics: Identity, Privacy, Ownership, Reputation
- Big Data is ethically neutral
- Personal data: not some specific data, but any data generated in the course of a person's activities
- Privacy: interests, not always ultimate rights
Kord Davis. Ethics of Big Data - Balancing Risk and Innovation. O'Reilly Media, 2012.
A responsible organization is an organization that is concerned both with handling data in a way that aligns with its values and with being perceived by others to handle data in such a manner.
Big-Data ethics: Privacy
Privacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively (Wikipedia).
In 1993, the New Yorker published a cartoon whose caption read: "On the Internet, nobody knows you're a dog". At the time, this was funny because it was true. Today, in the age of big data, it is not only possible to know that you're a dog, but also what breed you are, your favorite snacks, your lineage, and whether you've ever won any awards at a dog show.
There are two issues. First, does privacy mean the same thing both online and offline in the real world? Second, should individuals have a legitimate ability to control data about themselves, and to what degree?
Following Davis Kord. Ethics of Big Data.
Benefits of ethics inquiry
- Faster consumer adoption by reducing fear of the unknown (how are you using my data?)
- Reduction of friction from legislation from a more thorough understanding of constraints and requirements
- Increased pace of innovation and collaboration derived from a sense of purpose generated by explicitly shared values
- Reduced risk of unintended consequences from an overt consideration of long-term, far-reaching implications of the use of big-data technologies
Partially following Kord Davis. Ethics of Big Data.
Shorter term: focus on enabling trust
Where do we start?
- understand the domain & who is responsible for what.
What should we expect of the cloud industry?
- industry is an enabler
- all clouds are not equal
- public should expect a lot
Microsoft's approach to trust: building security, privacy, transparency and compliance into the cloud
Cloud is becoming integral to business transformation
The secure pathway to innovation
- Start with a trusted & resilient foundation
- Leverage economies of scale and expertise
- Use the cloud to drive business strategy
- Reshape how you engage with customers
- Enable more productive work
- Drive new and more rapid sources of innovation
Cybersecurity concerns persist
Global attacks are increasing and costs are rising
- Cybercrime extracts between 15% and 20% of the value created by the Internet. [1]
- In the UK, 81% of large corporations and 60% of small businesses reported a cyberbreach in the past year. [2]
- Total financial losses attributed to security compromises increased 34% in 2014. [3]
- Impact of cyber attacks could be as much as $3 trillion in lost productivity and growth. [4]
But cloud momentum continues to accelerate
- "If you're resisting the cloud because of security concerns, you're running out of excuses."
- The question is no longer: "How do I move to the cloud?" Instead, it's "Now that I'm in the cloud, how do I make sure I've optimized my investment and risk exposure?"
- "By 2020 clouds will stop being referred to as 'public' and 'private'. It will simply be the way business is done and IT is provisioned."
The Microsoft Trusted Cloud
200+ cloud services, 1+ million servers, $15B+ infrastructure investment
- 57% of Fortune 500 [4]
- 10,000 new subscribers per week [2]
- 3.5 million active users [4]
- Online
- 5.5+ billion worldwide queries each month [3]
- 300+ million users per month [5]
- 1 billion customers, 20 million businesses, 90 countries worldwide [1]
- 1.2 billion worldwide users [2]
- 48 million members in 57 countries [4]
- 450+ million unique users each month [6]
Microsoft cloud: a trusted foundation
Privacy and Security Transparency Compliance Control
Azure Security
Microsoft delivers enterprise cloud services customers can trust
- Industry-leading best practices in the design and management of online services
- Enhanced security, operational management, and threat mitigation practices
- Trustworthy enterprise cloud services
- Centers of excellence
Infrastructure protection
Azure infrastructure includes hardware, software, networks, administrative and operations staff, policies and procedures, and the physical data centers that house it all.
- 24 hour monitored PHYSICAL SECURITY
- Centralized MONITORING AND ALERTS
- Update MANAGEMENT
- Anti-Virus/Anti-Malware PROTECTION
- Red Teaming PENETRATION TESTING
- FIREWALLS
Network protection
Azure networking provides the infrastructure necessary to securely connect VMs to one another and to connect on-premises data centers with Azure VMs.
- Network isolation: Blocks unauthorized users from the network using a distributed virtual firewall.
- Virtual networks: Customers can connect one or more cloud services using private IP addresses.
- VPN and ExpressRoute: Site-to-site and point-to-site VPNs help enable secure connections.
- Encrypted communications: Encryption within and between deployments, and from Azure to on-premises datacenters with TLS and Perfect Forward Secrecy.
Identity & access control
Azure enables customers to better control access in a multi-tenant environment
- Enterprise cloud directory: Azure Active Directory (AD) offers enterprise identity and access management in the cloud.
- Multi-Factor Authentication (MFA): Strong authentication adds an extra layer of security for user logins.
- Access monitoring and logging: Security reports monitor access patterns that help identify potential threats.
- Single sign-on: Users get a single sign-on option across multiple applications and services.
- Integration with customer applications: Developers can integrate their app with Azure AD for single sign-on functionality for their users.
Azure Privacy
Privacy & Control
Microsoft makes our commitment to the privacy of our customers a priority with independently audited policies and practices that include restricting the mining of Customer Data for advertising or similar commercial purposes.
Trustworthy Privacy foundation
- Privacy by Design: Microsoft privacy principles are designed to facilitate the responsible use of customer data, be transparent about practices, and offer meaningful privacy choices.
- Microsoft Privacy Standard: Guidelines that help ensure privacy is applied in the development and deployment of products and services.
- Data segregation: Azure uses logical isolation to segregate each customer's data from that of others.
ISO/IEC 27018
Microsoft is the first major cloud provider to adopt the first international code of practice for governing the processing of personal information by cloud service providers.
- Prohibits use of customer data for advertising and marketing purposes without customer's express consent.
- Prevents use of customer data for purposes unrelated to providing the cloud service.
Contractual commitments
- Adopt ISO/IEC 27018 code of practice
Microsoft was the first major cloud service provider to
- Offer customers E.U. Standard Contractual Clauses that provide specific contractual guarantees around transfers of personal data for in-scope services.
- Have European data privacy authorities validate that its enterprise agreement meets EU requirements on international data transfers
- Abide by US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Program.
Restricted data access
Customer data is only accessed when necessary to support customer's use of Azure (e.g. troubleshooting or feature improvement), or when required by law. When granted, access is controlled and logged.
- Strong authentication, including MFA, helps limit access to authorized personnel only.
- Access is revoked as soon as it's no longer needed.
- Access controls are verified by independent audit and certifications.
Law enforcement requests
Microsoft does not disclose Customer Data to law enforcement unless as directed by customer or required by law, and will notify customers when compelled to disclose, unless prohibited by law. The Law Enforcement Request Report discloses details of requests every 6 months.
- Microsoft doesn't provide any government with direct or unfettered access to Customer Data.
- Microsoft only releases specific data mandated by the relevant legal demand.
- If a government wants customer data it needs to follow the applicable legal process.
- Microsoft only responds to requests for specific accounts and identifiers.
Customer Data
When a customer utilizes Azure, they retain exclusive ownership of their data.
- Control over data location: Customers choose data location and replication options.
- Role based access control: Tools support authorization based on a user's role, simplifying access control across defined groups of users.
- Encryption key management: Customers have the flexibility to generate and manage their own encryption keys.
- Control over data destruction: Deletion of data on customer request and on contract termination.
Data protection
Azure provides customers with strong data protections both by default and as customer options
- Data isolation: Logical isolation that segregates each customer's data from that of others is enabled by default.
- At-rest data protection: Customers can implement a range of encryption options for virtual machines and storage.
- In-transit data protection: Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally by default.
- Encryption: Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.
- Data redundancy: Customers have multiple options for replicating data, including number of copies and number and location of replication data centers.
- Data destruction: Strict standards for overwriting storage resources before reuse and the physical destruction of decommissioned hardware apply by default.
Cloud Transparency
Microsoft helps enable customer control over Customer Data by providing transparency into where it is stored, who can access it, and how Microsoft helps secure it, with accessible tools and straightforward language.
Data storage and use
- Customers control where Customer Data is stored
- Customers know where and how their data is stored and used
- Microsoft doesn't use Customer Data for advertising
- Microsoft doesn't share Customer Data with our advertiser-supported services or mine it for marketing
- Microsoft uses Customer Data only to provide the services, including purposes compatible with providing the services.
- Customers may delete Customer Data or leave the service at any time
Security practices
- Build security into software code (SDL)
- Customer knows how we help secure their data
- Ensure Azure infrastructure is resilient to attack
- Safeguard user access to Azure environment
- Keep customer data secure through encrypted communications
Microsoft and compliance
Microsoft invests heavily in the development of innovative compliance technology, processes and integration in Azure. The Microsoft compliance framework for online services maps controls to multiple regulatory standards, which helps drive the design and building of services that meet today's high level of security and privacy needs.
Azure Compliance
Azure meets a broad set of international, regional, and industry-specific compliance and regulatory standards. Microsoft's security compliance program includes rigorous testing, the implementation of best practices, and many other functions to achieve certificates and attestations.
Compliance framework
Compliance certifications; Continual evaluation, benchmarking, adoption, test & audit; Independent verification; Access to audit reports; Best practices
- Microsoft maintains a team of experts focused on ensuring that Azure meets its own compliance obligations, which helps customers meet their own compliance requirements.
- Compliance strategy helps customers address business objectives and industry standards & regulations, including ongoing evaluation and adoption of emerging standards and practices.
- Ongoing verification by third party audit firms.
- Microsoft shares audit report findings and compliance packages with customers.
- Prescriptive guidance on securing data, apps, and infrastructure in Azure makes it easier for customers to achieve compliance.
Extensive experience and credentials
[Timeline, 2010-2015] CSA Cloud Controls Matrix; SOC 1; SOC 2; HIPAA/HITECH; UK G-Cloud OFFICIAL; AU IRAP Accreditation; Singapore MTCS; CJIS; CDSA; ISO/IEC 27001:2005; FISMA ATO; Operations Security Assurance; FedRAMP P-ATO; EU Data Protection Directive; PCI DSS Level 1; ISO/IEC 27018
Partnering with industry leaders
- Promoting a standards-based approach to cloud compliance
- Extensive experience in security compliance assessments for both U.S. and global government customers
- Proposing clear principles for reform of government surveillance
russell.craig@microsoft.com