Organisations must control access and manage identities to secure IoT

Identity and access management (IAM) is now recognised as a capability that providers of Internet of Things (IoT) services need to address if they are to offer secure services. After all, finds George Malim, if you can’t control access to a device or service, you can’t secure it.

The recent spate of cyberattacks and malware have heightened organisations’ awareness of the need for security in IoT and good work is now being done in encryption and rolling out standard IT security practices to IoT. However, the enormous attack surface and the number of points of vulnerability at which networks and services can be accessed makes the challenge harder to understand and the threats harder to identify. A foundational element to IoT security should be assuring the identity of devices and users and securing access to systems. These fundamental requirements are covered by the IAM discipline.

“IAM is a central component of the IoT market,” confirms François Lasnier, the senior vice president of identity protection and authentication at Gemalto. “It’s a key element in protecting an IoT environment and involves securing access to IoT devices and ensuring that only authorised parties have access to the right resources under the right conditions. IAM for IoT deals with various identities – of people, device and services – and their lifecycle, as well as all the relationships that need to be properly defined in order to put in place the right entitlement rules and secure access policies.”

Establishing and verifying identity is therefore becoming more widely understood. “Security practitioners have been focusing more and more on the critical role of understanding identity as a tool for reducing risk, and it’s logical that we adopt the same mind set when approaching the security of the IoT,” explains Geoff Webb, the vice president of strategy at Micro Focus. “This shift from device-centric thinking to identity-centric has really taken hold over the past four or five years, primarily because a deeper understanding of who someone is, and what their normal behaviour looks like, provides the lens through which to ensure that they can more easily get access to information.”

Andy Cory, a lead consultant at KCOM, fears the market has not prioritised IAM because it is seen as a dull necessity. “Internet-enabling things is sexy, and makes them sell,” he says. “IAM is necessary to prevent IoT becoming a security headache. It’s less sexy, but necessary; IAM is the fire-safety of the connected world.”

Regardless of a lack of market excitement, IAM is inescapable if organisations want IoT to be secure. “All IoT devices require some level of IAM,” acknowledges Emanuele Angelidis, the chief executive of Breed Reply. “What the market needs is a classification of security based on sensitivity of data and the capability and limitations of the IoT device.”

However, the market has only recently started to turn its attention to IAM, perhaps because the demands of IoT are different to standard network security. “In IoT you are authenticating devices – the things – instead of subscribers on a network which means people’s memory of passwords has to be replaced with electronic or programmatic tokens to authenticate identity,” explains Aman Brar, the vice president of global solutions and global alliances at Openwave Mobility. “IoT IAM systems also have to manage the lifecycle of identity tokens. Secondly, the IoT ecosystem is fragmented into multiple smaller systems based on device types, access networks, protocols and use cases. These factors define what kind of IAM is employed in order to balance the cost of IAM versus the damage that can occur due to threats related to privacy, network outage, data theft and billing scams.”

For Giovanni Verhaeghe, the director of Corporate Strategy at VASCO Data Security, the fragmentation of technologies and standards is at the heart of the IoT security challenge. “The problem with IoT is the current lack of standardisation and regulation,” he says. “Anyone can create their own IoT network.”

Webb agrees: “The sheer volume of potential IoT devices, and the complexity of interactions, means that it will be essentially impossible to build reliable security and privacy controls that aren’t grounded in a philosophy that manages the interactions of the devices and the people around them,” he says. “We need to apply the same lessons to IoT security that we have applied to other cyber-security practices, and place IAM at the heart of the strategy. Securing the IoT will ultimately depend on our ability to manage the identities, behaviours and interactions of those devices. It’s an IAM challenge, just on a much larger scale than one we’ve had to deal with before.”

There is some time, although not much, time for the IoT industry to implement proper IAM but there are fears that many IoT services won’t be viable without IAM. “Today, most IoT implementations are limited in scope and they already show some cracks in terms of security and threat vectors,” says Lasnier. “However, a new era of IoT based on complex ecosystems with many stakeholders and complex relationships between people, devices and services cannot and will not happen without a proper IAM framework in place. From this standpoint, we can safely say that the next phase of IoT will require mature IAM frameworks to be fulfilled.”

Maturity is a key word and Verhaeghe doesn’t think we’ve seen anything approaching it when it comes to IAM. “Frankly, we’ve yet to see many IAM best practices in IoT,” he says. “We believe that the rise of artificial intelligence for example will make these applications even more user-friendly, applicable and usable but companies tend to fall back on a nonstructured platform. In those cases, IAM is built as a feature, and not as a business enabler. You can compare it with what IAM did 20 years ago with the virtual identity of human beings.”

Mistakes are being made and those are concerns for Webb. “There’s a lot we’re getting wrong today,” he acknowledges. “IoT devices are being deployed with little thought as to how they might be attacked, and worse, there’s no real way to respond to such attacks. We can’t afford to deploy the IoT and then figure out how to keep it secure, as we did with the early days of the internet. Attackers have come too far and there’s simply too much at stake. We need to start now with standards for device security, and the ability to manage the lifecycle of IoT devices, before we simply lose control to the bad guys.”

The challenges may be new but many of the answers exist in the experience of IAM vendors and IoT companies should seek to access that. “Previously, companies have only had to manage identities of their staff, other corporates they do business with and, possibly, currently active customers,” says Cory. “The number of identities they have to keep track of will rise by orders of magnitude when everything they sell has an identity itself and one for its owner. The challenges involved in IoT are familiar to the IAM industry, though the scale involved is not. The challenge will be difficult to meet for organisations that have not previously had to engage with IAM and haven’t given thought to the issues involved.”

 

RECENT ARTICLES

Self-driving technology firm Sensible 4 receives €8mn to boost sustainable transport

Posted on: May 19, 2022

Luxembourg & Finland. 19 May, 2022 – Sensible 4’s software enables vehicles to operate under the most challenging weather conditions, including snow, heavy rain, fog and sandstorms. Autonomous driving contributes to sustainable transport, reducing the number of traffic accidents and carbon dioxide and polluting emissions. It also provides a solution to the shortage of public

Read more

Wyld and DEWA partner to launch new satellite IoT network and service for utilities sector

Posted on: May 19, 2022

19 May 2022 – The Dubai Electricity and Water Authority (DEWA) has launched its satellite called DEWA-SAT1 and Wyld Networks has partnered with DEWA R&D Centre and Infra X, the telecoms arm of Digital DEWA, to develop IoT terminals to support the new satellite IoT network. Wyld is responsible for delivering the satellite IoT terminals

Read more
FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more