Given the proliferation of interconnected Things on the Internet (aka IoT), it was only a matter of time before the pressing need for robust, pervasive governance became imperative. How can we manage the rights and permissions needed to do stuff with and / or by things? The following are some thoughts, based on a previous foray into the topic, and building on my earlier book on the related world of Digital Rights Management (aka DRM).
Does anyone remember DRM – that much maligned tool of real / perceived oppression, (somewhat ineptly deployed by a napsterized music industry)? It has all but disappeared from the spotlight of public opinion as the content industry continues to evolve and embrace the complex digital realities of today. But what has that got to do with the IoT, and what triggered the thought in the first place, you might ask.
Well, I recently had opportunity to chat with friend and mentor, Andy Mulholland (ex global CTO at Capgemini), and as usual, I got a slight headache just trying to get a grip on some of the more esoteric concepts about the future of digital technology. Naturally we touched on the future of IoT, and how some current thinking may be missing the point entirely, for example:
1. What is the future of IoT?
Contrary to simplistic scenarios, often demonstrated with connected sensors and actuators, IoT ultimately enables the creation and realisation of a true digital services economy. This is based on 3 key aspects of: ‘Things’, ‘Events’ and ‘Connectivity’ which will work together to deliver value via autonomous agents, systems and interactions. The real players, when it comes to IoT, actually belong outside the traditional world of IT. They include organisations in industries such as manufacturing, automotive, logistics etc., and when combined with the novel uses that people conceive for connected things, the traditional IT industry is and will continue to play catch up in this fast evolving and dynamic space.
2. What are key components of the IoT enabled digital services?
An autonomous or semi-autonomous IoT enabled digital service will include: an event hub (consisting of graph database and complex event processing capability) in the context of ‘fog computing‘ architectures (aka cloud edge computing) – as I said, this is headache territory (read Andy’s latest post if you dare). Together, event handling and fog computing can be used to create and deliver contextually meaningful value / services for end users. The Common Industrial Protocol (CIP) and API engines will also play key roles in the deployment of autonomous services between things and / or people. Finally, businesses looking to compete in this game need to start focusing on identifying / creating / offering such resulting services to their customers.
3. Why is Graph Database such an important piece of the puzzle?
Graph databases provide a way to store relationships in an unstructured manner, and IoT enabled services will need five separate stores for scaled up IoT environments, as follows:
- Device Info – e.g. type, form and function, data (provided/consumed), owner etc.
- Customer/Users – e.g. Relationship of device to the user / customer
- Location – e.g. Where is device located (also relative to other things / points of reference)
- Network – e.g. network type, protocols, bandwidth, transport, data rate, connectivity constraints etc.
- Permission – e.g. who can do: what, when, where, how and with whom/what, and under what circumstances (in connection with the above 4 four graphs) – According to Andy, “it is the combination of all five sets of graph details that matter – think of it as a sort of combination lock!”
4. So how does this relate to the notion of “DRM for Things”?
Well, it is ultimately all about trust, as observed in another previous post. There must be real trust in: things (components and devices), agents, events, interactions and connections that make up an IoT enabled autonomous service (and its ecosystem). Secondly, the trust model and enforcement mechanisms must themselves be well implemented and trustworthy, or else the whole thing could disintegrate much like the aforementioned music industry attempts at DRM. Also, there are some key similarities in the surrounding contexts of both DRM and IoT:
- The development and introduction of DRM took place during a period of Internet enabled disruptive change for the content industry (i.e. with file sharing tools such as: Napster, Pirate Bay and Cyberlockers). This bears startling resemblance to the current era of Internet enabled disruptive change, albeit for the IT industry (i.e. via IoT, Blockchain, AI and Social, Mobile, Big Data, Cloud etc.)
- The power of DRM exists in the ability to control / manage access to content in the wild, i.e. outside of a security perimeter or business boundary. The ‘Things’ in IoT exist as everyday objects, typically with low computing overheads / footprints, which can be even more wide ranging than mere digital content.
- Central to DRM is the need for irrefutable identity and clear relationships between: device, user (intent), payload (content) and their respective permissions. This is very much similar to autonomous IoT enabled services which must rely on the 5 graphs mentioned previously.
Although I would not propose using current DRM tools to govern autonomous IoT enabled services (that would be akin to using yesterday’s technology to solve the problems of today / tomorrow), however because it requires similar deperimeterised and distributed trust / control models there is scope for a more up-to-date DRM-like mechanism or extension that can deliver this capability. Fortunately, the most likely option may already exist in the form of Blockchain, and its applications. As Ahluwalia, IBM’s CTO for Cloud, so eloquently put it: “Blockchain provides a scalable, trustworthy, highly distributed, redundant and peer-to-peer verification process for processing, coordinating device interactions and sharing access to assets in an IoT network.” Enough said.
In light of the above, it is perhaps easier to glimpse how an additional Blockchain component, for irrefutable trust and ID management, might provide equivalent DRM-like governance for IoT, and I see this as a natural evolution of DRM (or whatever you want to call it) for both ‘things’ and content. However, any such development would do well to take on board lessons learnt from the original Content DRM implementations, and to understand that it is not cool to treat people as things.