Organisations must control access and manage identities to secure IoT

Identity and access management (IAM) is now recognised as a capability that providers of Internet of Things (IoT) services need to address if they are to offer secure services. After all, finds George Malim, if you can’t control access to a device or service, you can’t secure it.

The recent spate of cyberattacks and malware has heightened organisations’ awareness of the need for security in IoT, and good work is now being done in encryption and in rolling out standard IT security practices to IoT. However, the enormous attack surface and the number of points of vulnerability at which networks and services can be accessed make the challenge harder to understand and the threats harder to identify. A foundational element of IoT security should be assuring the identity of devices and users and securing access to systems. These fundamental requirements are covered by the IAM discipline.

“IAM is a central component of the IoT market,” confirms François Lasnier, the senior vice president of identity protection and authentication at Gemalto. “It’s a key element in protecting an IoT environment and involves securing access to IoT devices and ensuring that only authorised parties have access to the right resources under the right conditions. IAM for IoT deals with various identities – of people, device and services – and their lifecycle, as well as all the relationships that need to be properly defined in order to put in place the right entitlement rules and secure access policies.”

Establishing and verifying identity is therefore becoming more widely understood. “Security practitioners have been focusing more and more on the critical role of understanding identity as a tool for reducing risk, and it’s logical that we adopt the same mind set when approaching the security of the IoT,” explains Geoff Webb, the vice president of strategy at Micro Focus. “This shift from device-centric thinking to identity-centric has really taken hold over the past four or five years, primarily because a deeper understanding of who someone is, and what their normal behaviour looks like, provides the lens through which to ensure that they can more easily get access to information.”

Andy Cory, a lead consultant at KCOM, fears the market has not prioritised IAM because it is seen as a dull necessity. “Internet-enabling things is sexy, and makes them sell,” he says. “IAM is necessary to prevent IoT becoming a security headache. It’s less sexy, but necessary; IAM is the fire-safety of the connected world.”

Regardless of a lack of market excitement, IAM is inescapable if organisations want IoT to be secure. “All IoT devices require some level of IAM,” acknowledges Emanuele Angelidis, the chief executive of Breed Reply. “What the market needs is a classification of security based on sensitivity of data and the capability and limitations of the IoT device.”

However, the market has only recently started to turn its attention to IAM, perhaps because the demands of IoT are different to standard network security. “In IoT you are authenticating devices – the things – instead of subscribers on a network which means people’s memory of passwords has to be replaced with electronic or programmatic tokens to authenticate identity,” explains Aman Brar, the vice president of global solutions and global alliances at Openwave Mobility. “IoT IAM systems also have to manage the lifecycle of identity tokens. Secondly, the IoT ecosystem is fragmented into multiple smaller systems based on device types, access networks, protocols and use cases. These factors define what kind of IAM is employed in order to balance the cost of IAM versus the damage that can occur due to threats related to privacy, network outage, data theft and billing scams.”

For Giovanni Verhaeghe, the director of Corporate Strategy at VASCO Data Security, the fragmentation of technologies and standards is at the heart of the IoT security challenge. “The problem with IoT is the current lack of standardisation and regulation,” he says. “Anyone can create their own IoT network.”

Webb agrees: “The sheer volume of potential IoT devices, and the complexity of interactions, means that it will be essentially impossible to build reliable security and privacy controls that aren’t grounded in a philosophy that manages the interactions of the devices and the people around them,” he says. “We need to apply the same lessons to IoT security that we have applied to other cyber-security practices, and place IAM at the heart of the strategy. Securing the IoT will ultimately depend on our ability to manage the identities, behaviours and interactions of those devices. It’s an IAM challenge, just on a much larger scale than one we’ve had to deal with before.”

There is some time, although not much, for the IoT industry to implement proper IAM, but there are fears that many IoT services won’t be viable without IAM. “Today, most IoT implementations are limited in scope and they already show some cracks in terms of security and threat vectors,” says Lasnier. “However, a new era of IoT based on complex ecosystems with many stakeholders and complex relationships between people, devices and services cannot and will not happen without a proper IAM framework in place. From this standpoint, we can safely say that the next phase of IoT will require mature IAM frameworks to be fulfilled.”

Maturity is a key word and Verhaeghe doesn’t think we’ve seen anything approaching it when it comes to IAM. “Frankly, we’ve yet to see many IAM best practices in IoT,” he says. “We believe that the rise of artificial intelligence for example will make these applications even more user-friendly, applicable and usable but companies tend to fall back on a nonstructured platform. In those cases, IAM is built as a feature, and not as a business enabler. You can compare it with what IAM did 20 years ago with the virtual identity of human beings.”

Mistakes are being made and those are concerns for Webb. “There’s a lot we’re getting wrong today,” he acknowledges. “IoT devices are being deployed with little thought as to how they might be attacked, and worse, there’s no real way to respond to such attacks. We can’t afford to deploy the IoT and then figure out how to keep it secure, as we did with the early days of the internet. Attackers have come too far and there’s simply too much at stake. We need to start now with standards for device security, and the ability to manage the lifecycle of IoT devices, before we simply lose control to the bad guys.”

The challenges may be new, but many of the answers exist in the experience of IAM vendors, and IoT companies should seek to access that. “Previously, companies have only had to manage identities of their staff, other corporates they do business with and, possibly, currently active customers,” says Cory. “The number of identities they have to keep track of will rise by orders of magnitude when everything they sell has an identity itself and one for its owner. The challenges involved in IoT are familiar to the IAM industry, though the scale involved is not. The challenge will be difficult to meet for organisations that have not previously had to engage with IAM and haven’t given thought to the issues involved.”

 
