Why is securing the Internet of Things so difficult?



It is inevitable, isn't it, that the security industry should be all over the Internet of Things. If you feel like you've seen it all before, you probably have. The first set of issues is that the 'things' themselves are going to be insecure. They're running operating systems and software, neither of which may have been designed with security in mind.

The consequence is a massive increase in what security pros know as the 'attack surface', that is, the range of things that can be targeted by malicious hackers, fraudsters or other bad actors. The resulting challenge is very real, particularly given the personal nature of the information being captured -- from heart rates to locations -- and its potential for misuse.

In the spirit of a brainstorm, however, let's make an assumption: that there is nothing we can do about it. The genie is well and truly out of the bottle, let us say, and our every movement and behaviour can and will be logged for private, commercial and governmental purposes. While we may profit, we may also need to live with the security risks.

This ultra-transparent scenario might not become the case, but even if it doesn't, there will be situations that make it seem that way. What is more, the devices that we depend upon will inevitably become both smarter and more susceptible to attack. We must face up to our complicity in this: who thinks about data security before buying a fitness device, for example?

By taking such risks as read, we can set them aside and move on to other areas of interest. The above covers data, however, in its most granular sense -- facts about individuals, or login details, are a risk in themselves. But there's a deeper level -- that the data is open to manipulation.

For sure, insurance providers may refuse to cover an individual whose fitness device shows the occasional heart flutter. But what if the data stream itself is modified, through malice or through incompetence, such that numerous heart rates incorrectly indicate a flutter?

Some have speculated about the potential to modify farming data as a way of manipulating futures markets. Equally, a home automation company could rig your systems so that it made more money -- for example, by turning on the heating system for 29 seconds extra every day. Not a figure that would be noticed on one thermostat, but one which would add up to a sizable amount of small change.

Therefore, not only do we need mechanisms to protect the confidentiality of our data; based on the same assumption that the bad thing is reasonably likely to happen, we also need to consider how to prove that data is valid.

One option is to link each sensor reading to a security key, but the phrase 'sledgehammer and nut' springs to mind. Equally, the scale of the solution would make it too costly to be achievable.

Is there an answer? Yes indeed, and it lies in taking a leaf from the work of the Jericho Forum, that body of Chief Information Security Officers founded in 2002 and disbanded a decade later, when they deemed its work on 'de-perimeterisation' to be complete. Complete? Really? How could information security ever be complete?

The CISOs realised that they needed to manage data wherever it was, rather than seeking to keep it in one place -- and to do so, they needed a way to identify who, or what, was creating or accessing it. In November 2010 they announced the Identity and Access Management Commandments, a set of design principles that technologies need to consider.

This specific finding -- that identity needs to be present -- is profound. A corollary principle has been adopted by Google in its BeyondCorp initiative for its internal systems, which treats networks as insecure and instead permits data access based on being able to identify the device, and the individual, making the access request.

We could take this insight one step further: data which cannot prove its source (i.e. from an identifiable person or device) could, or even should, be treated as unacceptable. The notion of security by design is a start, but perhaps it will only be through identity by design that we can architect the Internet of Things to be both transparent and trusted.
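A sketch of that closing idea, in which a collector rejects any reading that cannot prove its source. This is an added example, not code from the original post; it assumes one provisioned symmetric key per device (not per reading), and the device IDs, key, message fields and counter scheme are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed registry: device identity -> provisioned secret (assumption).
DEVICE_KEYS = {"fitband-001": b"constructed-demo-key-not-for-production"}


def _canonical(device_id, counter, reading):
    # Stable byte encoding so signer and verifier MAC identical bytes.
    body = {"counter": counter, "device": device_id, "reading": reading}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id, key, counter, reading):
    """Device side: bind the reading to the device identity and a counter."""
    tag = hmac.new(key, _canonical(device_id, counter, reading), hashlib.sha256)
    return {"device": device_id, "counter": counter,
            "reading": reading, "tag": tag.hexdigest()}


class Verifier:
    """Collector side: accept only readings that prove their source."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted per device

    def accept(self, msg):
        key = self.keys.get(msg.get("device"))
        if key is None:
            return "reject: unknown device"
        expected = hmac.new(
            key, _canonical(msg["device"], msg.get("counter"), msg.get("reading")),
            hashlib.sha256).hexdigest()
        # Constant-time comparison; a missing tag fails like a wrong one.
        if not hmac.compare_digest(expected.encode(), str(msg.get("tag", "")).encode()):
            return "reject: bad tag"
        if msg["counter"] <= self.last_counter.get(msg["device"], -1):
            return "reject: replayed or stale"
        self.last_counter[msg["device"]] = msg["counter"]
        return "accept"


def demo():
    v = Verifier(DEVICE_KEYS)
    good = sign_reading("fitband-001", DEVICE_KEYS["fitband-001"], 1, {"bpm": 62})
    tampered = dict(good, reading={"bpm": 190})  # value modified in transit
    unsigned = {"device": "fitband-001", "counter": 2, "reading": {"bpm": 70}}
    rogue = sign_reading("unknown-77", b"unregistered-key", 1, {"bpm": 70})
    return [v.accept(m) for m in (good, tampered, good, unsigned, rogue)]
```

The tag only shows that a holder of the device's key produced the reading; it says nothing about whether the sensor or the key holder itself is honest.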

