Now Reading
Securing the Identity of Things (IDoT) for the Internet of Things
1

Securing the Identity of Things (IDoT) for the Internet of Things

Posted by Jeremy CowanMarch 26, 2015

In its recent report, The Identity of Things (IDoT) for the Internet of Things, Gartner lays out how it believes the Internet of Things (IoT), or what is often now referred to as the Internet of Everything (IoE), cannot and will not prosper unless organisations knuckle down and come to grips with how to manage multiple identities.

The report then goes on to detail how today’s identity and access management technologies cannot provide the scale or manage the complexity that IoT brings to these organisations, further complicating the problem.

A strikingly common misconception I come across in the industry, says Neil Chapman of ForgeRock, is that IoT is just about introducing different types of devices into business scenarios. It’s not.

Businesses looking to harness IoT in fact require a completely different approach to viewing and implementing processing, analytics, storage, and communications. Certainly, identifying ‘who’s who, what’s what, and who gets access to what’ is one aspect. But how this is processed, managed, protected, stored, and communicated is a whole new kettle of fish for businesses.

Identity management

Identity management is not just about securing IoT devices; it must rationally secure and make sense of the entire environment, from customers to partners, websites to webpages, to mobile devices, apps, and the cloud. This is by no means a comprehensive list – just one that will hopefully give you an idea of the number of links in the chain.

Static and portable devices need to communicate. Human-to-Machine (H2M) and Machine-to-Machine (M2M) identification and interaction must also take place. Without the right model, organisations make data vulnerable to security breaches.

Securing the Identity of Things in the Internet of Things demands a new way of thinking about connectivity and security.

Back in an age where companies only connected computers to other trusted computers, life was far simpler. Legacy systems were created to maximise internal security, keeping threats well outside. Security was perimeter-based. Firewalls protected organisations. Identity was about internal stakeholders, creating identities for employees to access the right information and services securely. Businesses used to have to cope with, on average, 20-40,000 identities.

However, the dawning of the IoE has turned this on its head. Organisations everywhere need systems that provide secure access externally, to customers, partners, and other important stakeholders. This means systems have to cope with millions of identities, and most of them outside any firewall. Static and portable devices need to talk to each other, and then there’s H2M and M2M identification and interaction on top of that.

Customers need to access company systems via multiple devices or objects and expect a bespoke user experience based on how, when, and where they access services. This requires a single, secure platform to unify the entire company ecosystem and enable a straightforward, repeatable way of securing an increasing number of devices. Building a platform that supports and unifies the entire ecosystem is challenging enough, but organisations also need to be able to support new services, new devices, and new infrastructure on the back end.

So how do businesses protect data they can’t see as it’s communicated between machines and other parts of the ecosystem?

Contextual knowledge is power

Contextual intelligence and awareness can add significant value to digital services. For instance, a connected car can remember the personal preferences of every driver or the Sony Smart B Trainer can offer personalisation to support the user’s individual fitness goals. This new data enables companies to better understand their customers, as well as protect them. Devices come to know what to expect from you as a typical user — and notice abnormal behaviour that triggers enhanced security measures. This kind of contextual intelligence also opens up revenue opportunities for cross-selling, upselling, and delivering personalised services.

Encrypting and authenticating this data is essential; however, it is also imperative to understand who accesses data and how, as well as where and when they access it. Knowing this information will help authenticate the user and confirm that their behaviour is in-line with past behaviour.

Real-time contextual clues, in addition to credentials, provide organisations with the tools needed to decide whether to grant access and how much access to allow. For instance, if a system detects a login attempt with correct credentials, but from an unrecognised IP address or at an uncharacteristic time of day, it can activate additional security measures such as requesting personal security questions or sending verification codes to a user’s mobile phone.

The speed at which organisations get to reap the rewards of IoT lies firmly in their hands. The Internet of Things requires oganisations to understand and manage an external-facing identity management platform effectively. Unless organisations can link objects, devices, and new mobile and social apps to a single security platform, they won’t be able to truly harness the enormous growth potential offered by IoT. At the dawn of IDoT, that’s one quick way for an IDioT to watch the sun set on their business.

The author is Neil Chapman, senior vice president & managing director EMEA, ForgeRock

You can comment on this article here or on Twitter:     @m2mnow     OR      @jcm2m

About The Author
Jeremy Cowan
1 Comments
  • March 30, 2015 at 10:35 am

    Building the IoT devices is the simple and playful stuff. Security and Privacy are the most necessary features that should be on the first page of the product spec:

    * Design for access over public networks, with strong end-2-end encryption and authentication of allowed users, applications and devices.

    * Be selective in what data and what control to provide to different users. Consider anonymizing data as much as possible to protect customer privacy.

Leave a Response