IoT Security: Open-Source Effort Promotes Enterprise Trust
The shiny object syndrome is not the only pervasive problem in the tech sector. Another “is the insanity” of countless companies “reinventing the middle,” according to Jason Shepherd, chief technology officer, IoT and edge computing at Dell. The “middle” in this sense refers to the tendency of many organizations with edge computing initiatives to essentially duplicate middleware. EdgeX, the open-source initiative that is part of an umbrella of Linux Foundation efforts known as LF Edge, aims to address the former challenge.
Now, the nonprofit organization has launched Project Alvarium, an initiative intended to address another central hurdle — the lack of trust tied to many edge and IoT projects. “The next step is to build intrinsic trust into networks,” Shepherd said. “And no, it’s not just blockchain.”
While distributed ledger technology is an option for Project Alvarium, the initiative promotes the concept of a data confidence fabric. “We’ve got a baseline framework that bolts together various heterogeneous components and with these APIs that create the common glue,” Shepherd said.
Alvarium, meaning “beehive” in Latin, bolts together what Shepherd calls “various trust insertion technologies.” It uses a defense-in-depth strategy to promote collaboration. While security is a critical component, the main thrust of Alvarium is delivering data from devices to applications with measurable confidence. “Based on the layers of different technologies you use, you get a confidence score,” Shepherd said. It encompasses silicon-based root of trust, including trusted platform modules and Arm’s Platform Security Architecture and TrustZone as well as other options.
The central premise is: The more trust insertion technologies a project uses, the more trustworthy it tends to be, and thus, the higher the confidence score will be. The use of a numeric score will also make it easier to evaluate the trustworthiness of, say, an IoT project with data sharing extending across multiple organizations. The potentially global scope could also be instrumental in supporting GDPR compliance.
Several organizations, including Arm, Dell, IBM and OSIsoft, support the initiative, which remains at an early stage of development. A late October press release from the Linux Foundation announces the organization’s “intent to form Project Alvarium.”
Project Alvarium uses open APIs for data ingestion. “You could use EdgeX, or you could swap it out. You could put Azure IoT or whatever in the middle. It’s all based on the sum of the trusted parts,” Shepherd said. The point is to build trust through consensus rather than to favor individual technologies. “You can use a mixture of commercial and open-source value-add.”
The initiative also makes use of immutable storage, so that if someone makes unauthorized changes to a file, it will trigger a hash mismatch error.
All of these technical features are designed to address a fundamental challenge shared by many digital initiatives, Shepherd said. “For IoT, digital, edge, insert whatever buzzword here, the number one problem is the business case. Is there even a reason to do it?” The next challenge is stakeholder complexity. “You know the drill: OT/IT. A lot of that stakeholder complexity is around trust: ‘I don’t trust that you are doing something good,’ ‘I don’t know if this is real,’” Shepherd said.
“The third problem is fragmentation. That is what EdgeX was all about. And the fourth one is security,” Shepherd said. Project Alvarium’s trust focus could be a boon for IoT security, even though that is not its sole focus, while also promoting a level of trust that could diminish stakeholder complexity.
While part of the hype surrounding blockchain last year resulted from the technology’s promises to do everything from promoting enterprise trust to improving IoT security, blockchain had its own trust-related issues. Many people continue to conflate it with cryptocurrency, while the grand promises often associated with the technology tended to lead to skepticism. Project Alvarium offers support for two mainstream distributed ledger projects, the Linux Foundation’s Hyperledger and IOTA.
The open-source Alvarium project takes a broader view intended to spark short-term progress. The idea is to create “a network effect to create more consensus faster,” Shepherd said. It is not constrained to a given industry or technology. “Let’s say we all got together and said: ‘Hey, let’s create one magical standard — a protocol to rule the world. And let’s write documents around it,’” he added. “It would be five to ten years.”
By contrast, Alvarium supports the use of a number of standards. “Would we be better off if we had fewer standards?” Shepherd asked. “Yes, but you need to have a center of gravity.”