
Applying Privacy Patterns to the Internet of Things’ (IoT) Architecture


Abstract

The concept of cloud computing relies on large central datacentres with huge amounts of computational power. The rapidly growing Internet of Things with its vast amount of data has shown that this architecture produces costly, inefficient and in some cases infeasible communication. Thus, fog computing, a new architecture with distributed computational power closer to the IoT devices, was developed. So far, this decentralised fog-oriented architecture has only been used for performance and resource management improvements. We show how it could also be used for improving the users’ privacy. For that purpose, we map privacy patterns to the IoT / fog computing / cloud computing architecture. Privacy patterns are software design patterns that aim to translate “privacy-by-design” into practical advice. As a proof of concept, for each of the privacy patterns used we give an example from a smart vehicle scenario to illustrate how the pattern could improve the users’ privacy.
Sebastian Pape¹ & Kai Rannenberg¹
Published online: 2 October 2018
© Springer Science+Business Media, LLC, part of Springer Nature 2018
Keywords: Privacy by design · Cloud computing · Fog computing · Internet of things · Privacy patterns · Autonomous cars · Smart vehicles
1 Introduction

With an estimated number of 50 billion ubiquitous and interconnected devices by the year 2020, the Internet of Things (IoT) is growing rapidly [1]. Since its beginning, the IoT concept has been relying on a strong computing infrastructure built on cloud computing services [2]. However, new concepts and technologies to manage the huge number of devices are gaining importance. The backbone evolved into a more heterogeneous concept which is known as fog (or sometimes mist or edge) computing. A literature survey by Thien and Colomo-Palacios [3] showed that the main purposes or developments of the architecture addressed six different areas: resource management, energy efficiency, offloading, data processing, performance enhancement and networking. All of these are merely performance problems.

However, privacy concerns in the IoT are not only a research topic [4], but have reached customers who were spied on by their devices [5, 6]. Adams [7] notes that due to the nature of IoT devices and the way they collect information, their use leads to a higher risk of having information collected and shared. Often the IoT devices and sensors come together with mobile apps. Papageorgiou et al. [8] discovered in the mobile health domain that most of the apps do not follow well-known practices and guidelines, jeopardizing the privacy of millions of users. Weinberg et al. add that in the IoT environment the user faces a trade-off between convenience and privacy [9]. Moreover, Adams [7] and Walker [10] found that regulators cannot keep up with the advances in the market, e.g. because of the speed with which data is exchanged. In principle, privacy notices or policies could reduce the risk of disclosing personal information, but customers have grown increasingly frustrated with them [11, 12]. Since this discovery, not much has changed, as a recent study on IoT privacy policies shows [13].

We argue that in particular with the General Data Protection Regulation (GDPR), which has just become effective, more emphasis should be put on designing privacy-friendly services (privacy by design). Therefore, we investigate how the different characteristics within the IoT / Cloud / Fog architecture could be used to improve users’ privacy.
The remainder of this work is organized as follows. Section 2 gives a brief introduction into fog computing and describes related work, in particular about privacy in IoT environments and privacy patterns. In Section 3 suitable privacy patterns are mapped to the IoT / Cloud / Fog architecture.
* Sebastian Pape, sebastian.pape@m-chair.de
Kai Rannenberg, kai.rannenberg@m-chair.de
¹ Deutsche Telekom Chair of Mobile Business & Multilateral Security, Goethe University Frankfurt, Theodor-W.-Adorno-Platz 4, 60323 Frankfurt, Germany
Mobile Networks and Applications (2019) 24:925–933
https://doi.org/10.1007/s11036-018-1148-2
... Cloud computing helps prevent the users' personal information and ensures privacy, which helps improve the overall performance of the application. 11,15 Then the main contribution of the paper is listed as follows. ...
Article
The Internet of Things (IoT) houses a diverse range of applications and users, providing different services securely. Privacy and access management are the challenging processes in administering user‐end security measures. User management, density, and behavior levy a complicated security requirement. A lightweight access management scheme (LAMS) is projected in this article to address this issue. User access permissions and privacy are jointly handled by this scheme based on trust evaluation (TE) and access history. In this scheme, an interlinked relationship is constructed between the trust and access permission features in the IoT platform verified using the transfer learning paradigm. The previous TE is used for deciding the access delegation level for the current user application. In the privacy‐preserving process, amendable keys are used for securing the delegated access sessions alone. This key distribution is used for adapting varying session lengths, preventing privacy breaches. In this key generation and distribution, the elliptic curve cryptographic paradigm is used that adapts the session length and access permission relationship defined. The proposed scheme's performance is verified using 12.32% less access time, 7.16% less failure, 10.27% high sustainability, 11.98% less authentication time, and 10.47% less overhead for different session lengths. In addition to this, the method achieves 12.42% less access time, 8.4% less failure, 11.91% high sustainability, 10.9% less authentication time, and 10.34% less overhead for different users.
... Nonetheless, even if an organization wants to provide services in an ethical way, the resulting trade-offs are sometimes difficult to overcome. Examples are the storage of personal data, where it is not per se clear if data on a local device is necessarily more secure than if stored in the cloud [69]. Although it might seem logical that the user keeps as much data as possible on their devices, with manufacturers not providing updates for still-used devices and current malware targeting mobile users, it may be that data stored in a trustworthy environment, such as a cloud, where professionals operate and secure the systems, might be more secure. ...
Book
This book presents the main scientific results from the GUARD project. It aims at filling the current technological gap between software management paradigms and cybersecurity models, the latter still lacking orchestration and agility to effectively address the dynamicity of the former. This book provides a comprehensive review of the main concepts, architectures, algorithms, and non-technical aspects developed during three years of investigation.
Chapter
Enabling cybersecurity and protecting personal data are crucial challenges in the development and provision of digital service chains. Data and information are the key ingredients in the creation process of new digital services and products. While legal and technical problems are frequently discussed in academia, ethical issues of digital service chains and the commercialization of data are seldom investigated. Thus, based on outcomes of the Horizon2020 PANELFIT project, this work discusses current ethical issues related to cybersecurity. Utilizing expert workshops and encounters as well as a scientific literature review, ethical issues are mapped on individual steps of digital service chains. Not surprisingly, the results demonstrate that ethical challenges cannot be resolved in a general way, but need to be discussed individually and with respect to the ethical principles that are violated in the specific step of the service chain. Nevertheless, our results support practitioners by providing and discussing a list of ethical challenges to enable legally compliant as well as ethically acceptable solutions in the future.
Chapter
Detection of unknown attacks is challenging due to the lack of exemplary attack vectors. However, previously unknown attacks are a significant danger for systems due to a lack of tools for protecting systems against them, especially in fast-evolving Internet of Things (IoT) technology. The most widely used approach for malicious behaviour of the monitored system is detecting anomalies. The vicious behaviour might result from an attack (both known and unknown) or accidental breakdown. We present a Net Anomaly Detector (NAD) system that uses one-class classification Machine Learning techniques to detect anomalies in the network traffic. The highly modular architecture allows the system to be expanded with adapters for various types of networks. We propose and discuss multiple approaches for increasing detection quality and easing the component deployment in unknown networks by known attacks emulation, exhaustive feature extraction, hyperparameter tuning, detection threshold adaptation and ensemble models strategies. Furthermore, we present both centralized and decentralized deployment schemes and present preliminary results of experiments for the TCP/IP network traffic conducted on the CIC-IDS2017 dataset.
Chapter
For many years signature-based intrusion detection has been applied to discover known malware and attack vectors. However, with the advent of malware toolboxes, obfuscation techniques and the rapid discovery of new vulnerabilities, novel approaches for intrusion detection are required. System behavior analysis is a cornerstone to recognizing adversarial actions on endpoints in computer networks that are not known in advance. Logs are incrementally produced textual data that reflect events and their impact on technical systems. Their efficient analysis is key for operational cyber security. We investigate approaches beyond applying simple regular expressions, and provide insights into novel machine learning mechanisms for parsing and analyzing log data for online anomaly detection. The AMiner is an open source implementation of a pipeline that implements many machine learning algorithms that are feasible for deeper analysis of system behavior, recognizing deviations from learned models and thus spotting a wide variety of even unknown attacks.
... It is worth noting that there is one primary study (Pape and Rannenberg 2019) dedicated to IoT privacy patterns. There are seven patterns for IoT privacy presented in Pape and Rannenberg (2019), which describe different possibilities of privacy violation and the corresponding solutions. We summarize these patterns according to the main elements of security patterns in Table 3. ...
Article
Security of the Internet of Things (IoT)-based Smart Systems involving sensors, actuators and distributed control loop is of paramount importance but very difficult to address. Security patterns consist of domain-independent time-proven security knowledge and expertise. How are they useful for developing secure IoT-based smart systems? Are there architectures that support IoT security? We aim to systematically review the research work published on patterns and architectures for IoT security (and privacy). Then, we want to provide an analysis on that research landscape to answer our research questions. We follow the well-known guidelines for conducting systematic literature reviews. From thousands of candidate papers initially found in our search process, we have systematically distinguished and analyzed thirty-six (36) papers that have been peer-reviewed and published around patterns and architectures for IoT security and privacy in the last decade (January 2010–December 2020). Our analysis shows that there is a rise in the number of publications tending to patterns and architectures for IoT security in the last three years. We have not seen any approach of applying systematically architectures and patterns together that can address security (and privacy) concerns not only at the architectural level, but also at the network or IoT devices level. We also explored how the research contributions in the primary studies handle the different issues from the OWASP Internet of Things (IoT) top ten vulnerabilities list. Finally, we discuss the current gaps in this research area and how to fill in the gaps for promoting the utilization of patterns for IoT security and privacy by design.
... A significant amount of research has also been conducted on mobility-related use cases such as VANETs using k-anonymity [40, 41] or HE [17, 31] to ensure the privacy of vehicles. Pape and Rannenberg [29] demonstrate how the application of privacy patterns in fog computing environments can improve the users' privacy in a smart vehicle use case. ...
Chapter
The Internet of Things (IoT) patterns are the best practices used to solve common recurring problems in the IoT paradigm. Due to its scope and magnitude, the IoT consists of many patterns which are used by IoT practitioners to design and build ubiquitous smart objects for various IoT use cases. At the moment, finding appropriate classification schemes for these patterns is still an obstacle encountered by many IoT architects and practitioners. Existing classification schemes are either arbitrary, incomplete, or use overlapping categorisation domains. This paper conducts a survey on some of the known IoT patterns and their classification schemes, and systematically review the literature to show commonalities and prime focus areas in the IoT pattern literature. A shift in focus towards using a collaborative IoT pattern language and an ontology to organise the IoT patterns is recommended.
Article
The implementation of IoT related technologies in tourism is promoting the achievement of smart tourism. In this context, Fifth generation (5G) technology, which aims to address the limitations of previous cellular systems, massively expands the implementation of IoT and gradually drives the Internet future to the edge. In order to facilitate the implementation, the work tries to formulate a definition of IoT enabled tourism and make a visualization review of the literature relevant to IoT enabled tourism in the last 10 years. The definition of IoT enabled tourism is helpful for extending the current research topics related to smart tourism. The visualization review identifies the intellectual bases and influential studies of IoT enabled tourism. Meanwhile, the outstanding cooperation relationships among authors, institutions and countries are detected. These findings are helpful for the academic circle making further efforts on IoT enabled tourism and finally facilitating the achievement of smart tourism.
Article
Recent advances in hardware and telecommunications have enabled the development of low cost mobile devices equipped with a variety of sensors. As a result, new functionalities, empowered by emerging mobile platforms, allow millions of applications to take advantage of vast amounts of data. Following this trend, mobile health applications collect users’ health-related information to help them better comprehend their health status and to promote their overall wellbeing. Nevertheless, health-related information is by nature and by law deemed sensitive and, therefore, its adequate protection is of substantial importance. In this article we provide an in-depth security and privacy analysis of some of the most popular freeware mobile health applications. We have performed both static and dynamic analysis of selected mobile health applications, along with tailored testing of each application’s functionalities. Long term analyses of the life cycle of the reviewed apps and our GDPR compliance auditing procedure are unique features of the present article. Our findings reveal that the majority of the analyzed applications does not follow well-known practices and guidelines, not even legal restrictions imposed by contemporary data protection regulations, thus jeopardizing the privacy of millions of users.
Article
Internet of Things (IoT) allows billions of physical objects to be connected to collect and exchange data for offering various applications, such as environmental monitoring, infrastructure management and home automation. On the other hand, IoT has unsupported features (e.g., low latency, location awareness and geographic distribution) that are critical for some IoT applications, including smart traffic lights, home energy management and augmented reality. To support these features, fog computing is integrated into IoT to extend computing, storage and networking resources to the network edge. Unfortunately, it is confronted with various security and privacy risks, which raise serious concerns towards users. In this survey, we review the architecture and features of fog computing and study critical roles of fog nodes, including real-time services, transient storage, data dissemination and decentralized computation. We also examine fog-assisted IoT applications based on different roles of fog nodes. Then, we present security and privacy threats towards IoT applications and discuss the security and privacy requirements in fog computing. Further, we demonstrate potential challenges to secure fog computing and review the state-of-the-art solutions used to address security and privacy issues in fog computing for IoT applications. Finally, by defining several open research issues, it is expected to draw more attention and efforts into this new architecture. Keywords: Fog computing, Internet of Things, edge computing, security and privacy.
Conference Paper
This paper surveys fog computing and embedded systems platforms as the building blocks of Internet of Things (IoT). Many concepts around IoT architectures, with various examples, are also discussed. This paper reviews a high-level conceptual layered architecture for IoT from a computational perspective. The architecture incorporates fog computing to address several issues associated with cloud computing; however, it is never a binary decision between fog and cloud. Many of the world’s physical objects are being embedded with sensors and actuators, tied by communication infrastructures, and managed by computational algorithms. IoT sensor networks and embedded systems connecting smart objects are revolutionizing how we approach our daily lives, health care, energy, and transportation. Such computational needs are addressed with an array of various models and frameworks. In an attempt to consolidate the use of these models, this paper reviews the state-of-the-art research in IoT, cloud computing, and fog computing.