I have always been a huge fan of SAS and their approach to R&D and acquisitions. First, they spend a lot on new technologies in order to gain intelligent entrance into new markets. They do not acquire new markets and then try to figure things out – instead, they do their work first and then succeed. Along those lines, they are more interested in acquiring technology and experience to help them learn than they are in trying to buy some market leader to gain a new avenue of revenue.
This is why I was surprised to read an article today about their take on IoT and GDPR. In this article, the CTO/COO, Oliver Schabenberger, discussed how SAS is rapidly growing its new IoT division. He correctly discussed how blockchain will be a big part of that growth over time. Then he said that his company would be in full compliance with the GDPR regulations by May.
How is that possible?
As of right now, there is no IoT solution on the market that can fully implement GDPR standards (and they have not called us yet <grin>!). Perhaps SAS has baked SSL into all of their IoT devices in the hope that this encryption will somehow cover them. As we explained before, encryption is just one small piece of security and not sufficient to meet several critical GDPR requirements.
The main issue is proper audit trails from the point of collection all the way through a system. Encryption options such as SSL/TLS do not provide any such feature, so a company such as SAS will have to write its own custom logging within its applications. The trouble with that approach is that the devices are doing much more than the applications record, and this lack of comprehensive auditing might become an issue.
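To make the distinction concrete: TLS protects a record while it is on the wire, but it leaves no durable, tamper-evident history of what the device did with the data. The following is an added example, not code from the original post and not SAS code, of a minimal device-level audit trail where each entry is hash-chained to the one before it. The device name, the event fields and the timestamps are constructed for illustration; the `ingest.example.invalid` destination is a placeholder hostname.

```python
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # placeholder "previous hash" for the very first entry

# Constructed sample of device-level events for one hypothetical device.
# These are not from any real product; they only illustrate the shape of a trail.
SAMPLE_EVENTS = [
    {"device": "sensor-0001", "action": "collect", "field": "heart_rate", "subject": "user-42"},
    {"device": "sensor-0001", "action": "transmit", "dest": "ingest.example.invalid", "tls": True},
    {"device": "sensor-0001", "action": "store", "field": "heart_rate", "subject": "user-42"},
]


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so identical records always hash identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(seq: int, ts: int, prev: str, event: Dict) -> str:
    """Hash of one entry; includes the previous hash, which forms the chain."""
    return hashlib.sha256(canonical({"seq": seq, "ts": ts, "prev": prev, "event": event})).hexdigest()


def append_event(log: List[Dict], event: Dict, ts: int) -> Dict:
    """Append one device-level event, chained to the previous entry's hash."""
    seq = len(log)
    prev = log[-1]["hash"] if log else GENESIS
    event = dict(event)  # store our own copy so later edits to the input cannot alter the record
    record = {"seq": seq, "ts": ts, "prev": prev, "event": event,
              "hash": entry_hash(seq, ts, prev, event)}
    log.append(record)
    return record


def build_log(events: List[Dict], start_ts: int = 1_500_000_000) -> List[Dict]:
    """Build a fresh log from a list of events with constructed, increasing timestamps."""
    log: List[Dict] = []
    for i, ev in enumerate(events):
        append_event(log, ev, start_ts + i)
    return log


def verify_chain(log: List[Dict]) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first bad entry.

    Catches edited, reordered and deleted entries. Silent removal of the tail
    is NOT caught by the chain alone; the newest hash must also be anchored
    somewhere the device cannot rewrite (see the note below).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return i
        if rec["hash"] != entry_hash(rec["seq"], rec["ts"], rec["prev"], rec["event"]):
            return i
        prev = rec["hash"]
    return -1


def subject_trail(log: List[Dict], subject: str) -> List[str]:
    """Actions recorded for one data subject, e.g. to answer an access request."""
    return [rec["event"]["action"] for rec in log if rec["event"].get("subject") == subject]


if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    print("intact:", verify_chain(log) == -1)
    print("trail for user-42:", subject_trail(log, "user-42"))
    log[0]["event"]["subject"] = "user-99"  # simulate an after-the-fact edit on the device
    print("first bad entry after edit:", verify_chain(log))
```

The chain makes edits, reorderings and deletions in the middle of the trail detectable by anyone holding the log, which is the property TLS does not give you. It does not by itself prevent a compromised device from simply dropping the newest entries, so in practice the latest hash should be periodically sent to, and kept by, the collecting service so a truncated trail can be compared against it.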
This issue actually leads into the second major challenge: adaptability. The GDPR states that actions must be constantly taken to protect consumer data in the face of new threats. In order to properly understand a new attack, a complete audit trail of device (not application) activity is required. But, more to the point, you need to adapt.
And everything on the market is static – especially in the IoT world.
The only recourse right now is to manually try to patch any holes (good luck with that at the scale of millions of devices), or pay massive fines (up to 4% of annual revenues per incident), or both. Going out the door with inferior security efforts drastically increases risk and sets up companies, such as SAS, for major issues down the road.
There are better ways (and, yes, we have our hand up in the air) and companies really need to start thinking through the true impact of the wrong IoT security now before the GDPR regulations force them into action.