In 2015, Kakogawa City had the third-worst crime rate in Hyogo, a prefecture in western Japan neighboring Osaka. Local authorities decided to implement a smart networked camera and sensor system they call mimamori, which means to watch over someone. With this, residents can monitor their children and elderly relatives. The system helps ensure their safety and security while protecting their data and privacy. Its one of the latest examples of how smart cities and data governance are helping improve society in Japan.

Fighting crime in the smart city

Located on the Seto Inland Sea about 30 km west of Kobe, Kakogawa is a city of about 264,000 people. To meet residents strong demands for safe streets, the municipal government worked with the Ministry of Internal Affairs and Communications and private businesses, including NEC and Nikken Sekkei Research Institute, to launch the mimamori system.

Municipalities in Japan and overseas are turning to smart city solutions to address social issues, prompting an explosion in data generated by cameras and other sensors.

In 2017 and 2018, the city installed about 1,500 networked cameras mainly around schools and school routes. About 2,000 sensors were also installed, both in fixed locations and on 265 government vehicles and 176 Japan Post motorcycles. The system is able to detect residents carrying Bluetooth Low Energy tags to confirm their location. The city is using FIWARE, a framework of open-source components to power smart cities and protect their data. The data is uploaded to cloud servers and the information is made available to volunteers and family members via the Kakogawa App.

The networked camera and sensor system has already had an effect. Aside from making residents feel more secure about their loved ones, the crime rate in Kakogawa fell below the Hyogo Prefecture average for the first time in November 2018.

We built an environment in which children and elderly people can be monitored by the local community, says Nishimori Yoko, a Kakogawa City official. The system can be effective in the event of an emergency. We have had several cases of missing people who were located quicker compared to before the system was deployed.

Some residents were worried about leaks of images from the system containing personal information, but the city has emphasized its policies on privacy and data governance. To assuage public concern about the new system, Kakogawa Mayor Yasuhiro Okada visited 12 sites and briefed members of the public. In a survey of 862 residents, over 98% responded that the system was necessary or probably necessary.

Kakogawa City installed about 1,500 networked cameras mainly around schools and school routes. Residents can monitor loved ones locations via a city app.

Kakogawa is working with other municipalities around the world to promote smart city policies. Representatives joined the G20 Global Smart Cities Alliance Launch Event held in Yokohama in October 2019 under the aegis of the Cabinet Office of the Government of Japan and the World Economic Forum Centre for the Fourth Industrial Revolution Japan (C4IR Japan). Participants including representatives from cities such as Barcelona and Cincinnati discussed issues including the use of technology in smart cities. Fifteen cities announced the launch of theG20 Global Smart Cities Alliance on Technology Governance, which is focused on producing standards for connected devices in public spaces.

Protecting data in Society 5.0

Theres a smart city boom emerging in Japan now, and data governance is the lifeblood of smart cities, says C4IR Japan head Suga Chizuru, who spoke at the Yokohama event. Were doing this to benefit citizens by tackling technical unattractive issues.

Representatives from smart cities around the world joined the G20 Global Smart Cities Alliance Launch Event held in Yokohama in October 2019.

The Ministry of Economy, Trade and Industry chose Suga for C4IR Japan based on her outstanding performance. At the ministry, she organized a study group aimed at modernizing Japans financial regulations amid the rise of fintech. As she gave presentations on how Japan should embrace fintech, the group gained members and attention. Eventually, it helped get legislative reforms to accelerate the adoption of fintech on the agenda in Japan. At C4IR Japan, Suga is focused on facilitating global consensus around data governance, with expert groups on healthcare, smart cities and mobility.

As more and more municipalities in Japan and overseas turn to smart city solutions to address social issues, the volume of data being generated by cameras and other kinds of sensors is seeing explosive growth. Managing that data is becoming increasingly important amid the expansion of Society 5.0, defined by the Cabinet Office as a human-centered society that balances economic advancement with the resolution of social problems by a system that highly integrates cyberspace and physical space.

Data governance is also at the heart of policies being promoted by the Japanese government and its partners. Research firm Gartner defines data governance as the specification of decision rights and an accountability framework to ensure the appropriate behavior in the valuation, creation, consumption and control of data and analytics.

Thats one of the aims of C4IR Japan, which was established in 2018 in an unprecedented partnership between the WEF, the Japanese government and Japanese organizations and corporations. Its dedicated to maximizing the benefits of the Fourth Industrial Revolution and Society 5.0, which are periods of rapid change driven by progress in science and technology, by promoting open innovation and interoperability in policymaking.

No country has the best data governance solution, and were still in an exploration phase as we share knowledge for the best governance framework, says Suga Chizuru, head of C4IR Japan.

To emphasize that data governance must be a key priority in the Fourth Industrial Revolution, the center hosted a data governance conference in November 2018. Prime Minister Abe Shinzo followed up with a speech at the Davos Forum annual conference in January 2019, announcing that his administration would prepare the Osaka track for Data Governance. G20 leaders, together with World Trade Organization Director-General Roberto Azevdo, joined Abe during the G20 Osaka summit to discuss the importance of the digital economy. They adopted the Osaka Track on the digital economy to craft rules on governance in international data traffic under the motto Data Free Flow With Trust (DFFT). The new rules are designed to benefit individuals, businesses, organizations and even smart cities like Kakogawa.

No country has the best data governance solution, and were still in an exploration phase as we share knowledge for the best governance framework, says Suga. Flexible and appropriate data governance will enable societies to enjoy the fruits of the Fourth Industrial Revolution and redistribute its wealth.

To learn more about World Economic Forum Centre for the Fourth Industrial Revolution Japan, click here.

More:
Data Governance And Smart Cities Are Helping Improve Quality Of Life In Japan - Forbes

Identity Management for healthcare businesses offers not only an opportunity to fortify IT infrastructures. It can also help ensure compliance, specifically with the Health Insurance Portability and Accountability Act (HIPAA), and with the user experience. Therefore, your healthcare business needs to consider the benefits of identity management.

Here, we present the three major benefits of identity management for healthcare businesses, and how it all fits together. However, first, we need to address what makes healthcare identity management so complicated and challenging.

First, healthcare perhaps more than any other industry deals with constantly expanding business lines and mergers and acquisitions. This means improved and competitive service for patients, but it also means growing attack surfaces for threat actors.

Additionally, continually growing networks as seen in healthcare results in fragmented patient data. Often, this means sensitive data may exist in unsecured databases allowing for easy theft. Additionally, fragmented patient data can lead to redundant and unnecessary care, misdiagnosis, and incorrect medication.

So the need for centralized patient data doesnt just constitute a threat to databases and network security; it can also impact patients physical safety. Moreover, identity management for healthcare faces challenges typical for other enterprises expanding their IT infrastructures. Usually, these include dealing with on-premises applications, edge devices, and new cloud applications.

Finally, healthcare organizations need to deal with the erosion of the network perimeter and medical services devices such as medical IoT. So what can identity management for healthcare businesses actually do to solve these problems?

Obviously, the first benefit of identity management centers on cybersecurity. Hackers frequently target healthcare providers in part because these businesses rarely deploy proper cybersecurity protocols; in fact, according to Armis, WannaCry continues to wreak havoc on healthcare businesses even after the devastating 2017 wave. In other words, healthcare enterprises have not adapted proper cybersecurity protocols despite the known threats targeting them.

Therefore, your healthcare business needs a next-generation solution that repels hackers and maintains consistent access rules through authentication. Strong authentication not only stops hackers, but it also deters less experienced ones by demonstrating identity management awareness. Also, authentication can fortify and monitor web applications, cloud servers, and patient portalsthe various environments in which healthcare operates.

Further, next-generation identity management for healthcare enables your business to benefit from multifactor authentication (MFA). Multifactor authentication is unquestionably the strongest form of authentication available to enterprises of all sizes.

MFA doesnt just rely on passwords to verify users; this is just as well, as passwords prove easy to circumvent, guess, or otherwise subvert. Instead, MFA uses all of the tools available to create a barrier between the users access request and the data. Factors may include hard tokens, biometrics, geofencing, time of access request monitoring, and context.

For healthcare, frequent challenges in identity and access management include lifecycle management, governance, and multiple login points. While numerous next-generation identity management capabilities can help solve these challenges, single sign-on (SSO) can certainly solve the latter. SSO helps prevent multiple log-ins and thus multiple passwords that expands the attack surface.

If you work in healthcare, you care about HIPAA. This compliance mandate focuses on patient privacy and protections; it involves not only technical safeguards for patients but physical and administrative safeguards as well. In other words, HIPAA places a significant security burden on your healthcare organization.

However, this comes with good news; HIPAA compliance helps your business tap into markets that use electronic health records; the overwhelming majority of physicians and hospitals use electronic health records.

Thankfully, next-generation identity management for healthcare businesses can help you achieve HIPAA compliance. First, authentication and access management helps ensure patients data stays secure on your networks, fulfilling part of the mandate. Second, solutions with governance capabilities often feature out-of-the-box reporting and automated forms for HIPAA compliance.

Finally, identity management can actually help make the patient-user experience and ultimately their care better. Through identity federation, disparate databases containing patient information can be centralized and secured simultaneously. This can prevent the problems with fragmented patient data and making sure the information stays out of reach of hackers.

As stated above, single sign-on also avoids the need for continual authentication and log-ins. Identity management can optimize workflows, and assist with reviewing coverage, managing claims, and scheduling appointments. In short, this level of personalization should invoke a memory of customer identity and access management (CIAM); it helps to maintain consistent patient data and makes those patients feel individual and appreciated.

Check out our Identity Management Buyers Guide. We cover the top solution providers, their use cases, and key capabilities in detail.

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.

Related

See the original post here:
The Benefits of Identity Management for Healthcare Businesses - Solutions Review

Seattle-area startup Wyze offers low-cost video security cameras and other IoT devices. (Wyze Photo)

Post updated at 6 p.m. on Dec. 29.

Seattle-area startup Wyze, a provider of home video cameras and other Internet of Things (IoT) devices, announced on Dec. 26 that it had been informed of a data leak that reportedly exposed the personal information of 2.4 million of its customers.

The problem arose from a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc., writes Dongsheng Song, Wyze co-founder and chief product officer, in the companys post.

We copied some data from our main production servers and put it into a more flexible database that is easier to query, he explains. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.

Founded in 2017 by a group of Amazon veterans, Wyze offers a series of low-priced cameras, plugs, bulbs and other smart-home devices. The company, based in Kirkland, Wash., has raised $20 million in venture capital. GeekWire has contacted Wyze for additional comment.

To Wyzes credit, it has been very detailed in describing what happened, when, why, how, and what the company is doing about it.

A post by Twelve Security claimed that the leaked data included the following:

Wyze quoted that list in its original post but added, We dont collect information about bone density and daily protein intake even from the products that are currently in beta testing.

In looking over this event, there are ten key security and privacy takeaways.

Wyze has been upfront about the manner in which it was informed of the leak, with little or no time to mitigate the problem before it was made public. ZDNets Catalin Cimpanu summed up the feelings of many (likely including Wyze) about whether this disclosure was responsible or not.

These are valid and reasonable concerns. As is often the case regarding the disclosure wars, there likely wont be any resolution, but instead a renewed airing of both sides of the argument. Those supporting the disclosure can and will say the information was public for a number of days and holding that information back prolongs the risk. Those against it will say this just wasnt enough time for the vendor to take action. Either way, this situation shows that the disclosure wars will continue so long as theres no collective agreement on how to handle these situations.

One thing to Wyzes credit: they clearly jumped on this fast once it broke. The companys post states: Immediately upon hearing about a potential breach, Wyze mobilized the appropriate developers and executives (CEO and CPO) to address the allegations.

It adds later, This means that all Wyze user accounts were logged out and forced to log in again (as a precaution in case user tokens were compromised as alleged in the blog post). Users will also need to relink integrations with The Google Assistant, Alexa, and IFTTT.

This level of response and these steps are reasonable to address the risks around potentially lost authentication tokens. These are also actions that will impose a burden on users.

Going back to our first point, people can and will argue how much of this response is due to the nature of the disclosure. But these are good, concrete steps, which put security ahead of ease-of-use: Wyze is risking user frustration for better security.

One thing that Wyze isnt doing, however, is forcing password resets on users. While Wyze has said that passwords werent stolen, its often hard to be certain. And if the current situation involving Amazons Ring has taught us anything, its that people are regularly reusing passwords, especially where IoT devices are concerned. Not forcing a password reset is missing an opportunity to be thorough in the response to improve overall customer security.

Ring has been in the news a lot lately for being hacked. As Ive noted, the nature of those hacks boil down to the inherent weakness of relying on passwords. This situation is different because its a leak of data held by Wyze. In fact, it even appears that password information wasnt involved.

In this case, even if youve used two-factor authentication (2FA), you still are at risk from this data breach.

If the Ring situation has reminded us of the risks of password reuse and the overall weakness of passwords as a security measure for IoT, this breach helps show us the risks inherent to losing the kind of data used byIoT and health-related devices in the home.

By their very nature, IoT devices are integrated into our most intimate spaces. Cameras in particular represent a major window into our most protected personal spaces, as weve seen in the reactions to the Ring situation.

Looking at the information thats potentially lost in this breach, we get a more concrete sense of IoT data breaches can mean in real terms.

In particular, Wyze notes that the data loss includes: List of all cameras in the home, nicknames for each camera, device model and firmware. WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from app.

This data is troubling because it can give very specific information that can be useful for real-world crime. People regularly name devices in ways that are descriptive for themselves, not expecting them to be publicly known. For example, people might name a camera in a childs room Bettys Room. Information like this can give an attacker information about who is in the house, where they might be and where cameras are going to be placed. All of this can be useful information for people who want to enter the home for malicious purposes.

One thing that Wyze has not recommended, which I would recommend, is that users rename their internal WiFi SSIDs, rename their cameras and potentially reposition those cameras. All these steps can mitigate the risks of that information now being publicly accessible.

Another piece of the exposed data is this: Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users.

Wyze goes to some length to point out that this information lost only affects a very small subset of their users, specifically 140 external beta testers. Yes, that is a very small number of people. But the information thats was exposed is very sensitive and very personal health information. Its a reminder of the nature of the data thats being handled by IoT and health devices.

The similarities to the Capital One data breach are striking. In this case, as Wyze says: a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.

While this isnt exactly the same thing that happened with Capital One, in both cases you have data that was accessible in the cloud without appropriate security protections due to human error. Its also notable that in both cases, auditing and monitoring failed to catch the misconfiguration.

Both of these cases are a reminder that, unfortunately, when things are deployed to the cloud, the risks of exposure and breach are frequently greater. And in terms of IT operations and practice, the controls and countermeasures often arent as robust and mature for cloud deployments as they are for traditional on premises deployments.

For startups, there are two lessons, as well. One is cautionary and the other potentially positive.

First the cautionary tale: speed kills.

Once again, to its credit, Wyze is open about what happened, and theres a very clear message for startups. From the companys posting: To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc. We copied some data from our main production servers and put it into a more flexible database that is easier to query.

Two things happened here that are common for startups. First, the company experienced sudden, fast growth. Second, it moved quickly to address the implications of the growth.

As noted above, it was during this fast move that, at some point, the security that had protected the data was removed by an employee.

Its great that Wyze was able to move fast to address issues related to their fast growth. But this is also a reminder that speed can kill. Mistakes happen when things move fast and theres little checking. This is a risk that all startups face and should be conscious of.

Of course, the speed that can kill you as a startup can also save you. The fast response that we see from Wyze is an example of the speed startups can achieve. Another positive aspect of this speed is shown in the statement that is going to bump up priority for user-requested security features beyond 2-factor authentication.

If we compare and contrast this with Rings response to its current situation, the difference is stark. Ring has made no announcements of any major plans to improve security capabilities in the wake of stories of Ring devices being hacked. By contrast Wyze has committed early and openly to reworking their prioritization of new user-requested security features.

Here too is another lesson for startups: use the speed and agility that being a startup gives you to move quickly to turn disadvantage into advantage.

In its post, Wyze very clearly refuted the claim that it is sending data to Alibabas cloud in China. A question and answer in the post speaks directly to this:

Is there validity to the claim that Wyze is sending user data to China?

Wyze does not use Alibaba Cloud. The claim made in the article that we do is false.

It goes on to note that the company has employees and manufacturers in China, but Wyze does not share user data with any government agencies in China or any other country.

The fact that this claim was made and Wyze feels a need to refute it points to another takeaway: there is an emerging, almost McCarthyite trend lately to imply or allege that tech companies with ties to China are storing data in China and/or sharing data with the Chinese government. Weve seen similar insinuations in regards to TikTok as well.

Partly, this represents the sort of speculation that can fill a vacuum when companies dont provide clear information themselves about where they store their data. A few years ago, people, especially in Europe, were concerned about data being stored in the United States and its possibly being subject to seizure under the Patriot Act. Now, people are concerned about data being stored in China and accessible by the government there.

One thing companies can do to mitigate this concern is to be open about where they store data.

Beyond that, though, there is clearly heightened concern now about data being stored and shared with China, and that concern is manifesting in claims and insinuations about data being stored or shipped there.

The Wyze breach is a serious one. And Wyze deserves credit for doing a lot of things right, quickly, in response. But as we dig into it more, we can see that this situation raises a number of issues around IoT devices, data storage, security and incident response.

We can all learn from this, which is one reason why its so good that the Wyze team has been open and up front about the situation: it helps the industry learn and grow collectively. And because Wyze is a startup, its experience and response has particular lessons for other up-and-coming companies in the IoT space.

Update: Wyze disclosed an additional issue in a Dec. 29 update to its post.

We have been auditing all of our servers and databases since then and have discovered an additional database that was left unprotected. This was not a production database and we can confirm that passwords and personal financial data were not included in this database. We are still working through what additional information was leaked as well as the circumstances that caused that leak.

Weve also clarified our post above to note that Wyze says it doesnt collect information about protein intake or bone density, contrary to a report that said such data was included in the leak.

Read more:
Wyze data leak: Key takeaways from server mistake that exposed information from 2.4M customers - GeekWire

City of Cottonwood is now a Certified Sustainable Business at the Conservationist/Bronze level.

Sedona AZ (January 1, 2020) The City of Cottonwood has worked diligently on behalf of its citizens and the Verde Valley to reduce water consumption. In 2005, they became the largest water provider in the Verde Valley after purchasing the six private water companies that previously had served the Cottonwood area. The city immediately began making repairs and upgrades to the water production and distribution system to improve its reliability and reduce the lost and unaccounted for water that was previously occurring.

They also installed 20 arsenic treatment systems to comply with new water quality standards for arsenic that went into effect in 2006. As a result of their efforts, the city is pumping about 30 percent less water today than the six private water companies were pumping in 2000 and their total gallons per capita per daily (GPCD) use has decreased from around 171 to 87; making it one of the lowest total GPCDs for a municipality in the State of Arizona.

The city is also diligently working to expand its use of reclaimed water by strategically installing purple pipe to accommodate the use of reclaimed water for irrigation at the large turf areas throughout the city. The city currently requires the use of reclaimed water for all construction use and delivers reclaimed water for irrigation to Cottonwood Ranch, plus the community garden, airport, and viticulture garden at Yavapai College. In the Spring of 2020, the city will begin delivering reclaimed water for irrigation to Riverfront Park, with plans to expand its use to the cemetery.

Cottonwood is also addressing energy use throughout the city. They installed solar systems for the Riverfront Reclamation Facility and Recreation Center pool, and now have LED lights in Old Town lamp posts, city hall, tennis courts, and the recreation center. The city is moving data storage from conventional servers to cloud servers and they are looking to replace conventional pool pumps with variable speed pumps. These combined efforts reduce costs and the consumption of energy from non-renewable resources.

The city has also taken steps to reduce the potential discharge and disposal of chemicals and pharmaceuticals into the environment by hosting household hazardous waste and pharmaceutical collection events. These events remove toxic chemicals and pharmaceuticals that may otherwise be flushed into the water system or end up in the wrong hands.

Cottonwood also has good employment practices. Employees have access to exercise facilities for physical health and to an Employee Assistance Program for mental health. They also do a lot to support the community including sponsoring Food for Finds, Neighborhood Officer Program, National Night Out, City Selfie Day, Toys for Tots, Thanksgiving Turkey Drive, and Steps to Recovery.

The City is currently working with the Sustainability Alliance to complete a 5-year sustainability plan. See who else is certified.

Go here to see the original:
City of Cottonwood now a certified sustainable business | Sedona.Biz - The Internet Voice of Sedona and The Verde Valley - Sedona.biz

Home > News > Cloud Hopper Attacks Far More Extensive than First Thought

Chinese hacker group APT10 has been plundering the cloud installations for dozens of businesses for over three years, but a news report by Reuters made their actions public knowledge. Now, further digging into the scandal has revealed that the groups impact was far more extensive than initially suspected. Several major cloud providers have fallen prey to the group. However, many companies have failed to inform their clients that they may be the victims of this particular hack. Providers, hoping to protect their reputation, had simply told their clientele that the issue was dealt with when it wasnt.

A report issued by the Wall Street Journalon the 30th of December, 2019 notes that at least a dozen cloud providers werecaught in the breach, including massive brands like IBM and Canadas CGI Group.Managed service providers are the ideal target for these hackers since oncethey breach the initial security, they have access to any of the data that thecompanies which use the service have stored on the server.

The WSJ report comes on the heels of aReuters scoop last year, which initially broke the news about APT10 and CloudHopper. The newest findings mention that over 10,000 records of US NavyPersonnel were taken. The impact on company reputations has made it difficultfor service providers to disclose details about the attack. However, the lackof knowledge about the events makes it even more difficult for cybersecurityfirms and departments to work out what happened. The UKs National CyberSecurity Centre issued warnings to companies that they should be extremely waryof cloud providers that are unwilling to share information about securitybreaches.

Over the last year since the story broke,APT10 has gone mostly silent. The US Justice Department has arrested twoindividuals it thinks took an active part in the campaign. However, certainsecurity companies still report software within the cloud pinging known APT10IPs, making it likely that the group is still operational in some way.

See the rest here:
Cloud Hopper Attacks Far More Extensive than First Thought - CloudWedge