Page 46 - Redefining smart city platforms: Setting the stage for Minimal Interoperability Mechanisms - A U4SSC deliverable on city platforms

5.4     Security and privacy requirements



            5.4.1  Platform security

            Data and services can have different security requirements based on their scope. The platform
            that is going to support the services of the city should provide flexible security capabilities in
            order to accommodate the different needs of specific target scenarios by providing support for
            confidentiality, integrity, authentication, authorization, immutability, trust and non-repudiation when
            needed.


            5.4.2  Data protection and privacy


            Data protection and privacy issues should be addressed at several levels, from the low-level
            platforms to specific end-user applications.

            The system should use encryption and technology to authenticate and secure data in transit, as well
            as mitigate the risk of data theft by encrypting physical storage/media to protect data at rest. It is
            necessary to provide systems for monitoring against any attacks, and if a breach occurs (e.g., data
            are accessed by unauthorized entities) the system should be able to properly react with defined
            procedures.

            As data providers have the need to restrict the access of data source(s) to third parties, the system
            has to allow defining and managing policies for data and service access control. The data provider
            and the data consumer must comply with the privacy and data protection policy; thus, the system
            should provide procedures and guidelines in order to ensure compliance with respect to data
            protection rules. In addition, the system should provide data anonymization and aggregation
            functions in order to delete personal or restricted information.



            5.4.3  IoT and edge computing security


            The huge heterogeneity in IoT device capabilities (in terms of memory, computational, or
            energy requirements) makes it impossible to identify a “unique” or “common” security solution set;
            instead, it calls for a wide spectrum of trade-offs between security level and resource consumption. In
            order to support new and legacy IoT devices, the system should provide end-to-end security at
            the API level rather than supporting and coping with how different solutions (e.g., LoRa, 802.15.4,
            NB-IoT, Wi-Fi, LTE, GPRS) handle security measures such as key management, authentication,
            integrity and confidentiality. More specifically, the system should define adaptation policies for
            these mechanisms at the boundary points while ensuring that security remains independent of
            low-level IoT components.








