Organisations must control access and manage identities to secure IoT
Identity and access management (IAM) is now recognised as a capability that providers of Internet of Things (IoT) services need to address if they are to offer secure services. After all, finds George Malim, if you can’t control access to a device or service, you can’t secure it.
The recent spate of cyberattacks and malware has heightened organisations’ awareness of the need for security in IoT, and good work is now being done in encryption and in rolling out standard IT security practices to IoT. However, the enormous attack surface and the number of points of vulnerability at which networks and services can be accessed make the challenge harder to understand and the threats harder to identify. A foundational element of IoT security should be assuring the identity of devices and users and securing access to systems. These fundamental requirements are covered by the IAM discipline.
“IAM is a central component of the IoT market,” confirms François Lasnier, the senior vice president of identity protection and authentication at Gemalto. “It’s a key element in protecting an IoT environment and involves securing access to IoT devices and ensuring that only authorised parties have access to the right resources under the right conditions. IAM for IoT deals with various identities – of people, device and services – and their lifecycle, as well as all the relationships that need to be properly defined in order to put in place the right entitlement rules and secure access policies.”
Establishing and verifying identity is therefore becoming more widely understood. “Security practitioners have been focusing more and more on the critical role of understanding identity as a tool for reducing risk, and it’s logical that we adopt the same mindset when approaching the security of the IoT,” explains Geoff Webb, the vice president of strategy at Micro Focus. “This shift from device-centric thinking to identity-centric has really taken hold over the past four or five years, primarily because a deeper understanding of who someone is, and what their normal behaviour looks like, provides the lens through which to ensure that they can more easily get access to information.”
Andy Cory, a lead consultant at KCOM, fears the market has not prioritised IAM because it is seen as a dull necessity. “Internet-enabling things is sexy, and makes them sell,” he says. “IAM is necessary to prevent IoT becoming a security headache. It’s less sexy, but necessary; IAM is the fire-safety of the connected world.”
Regardless of a lack of market excitement, IAM is inescapable if organisations want IoT to be secure. “All IoT devices require some level of IAM,” acknowledges Emanuele Angelidis, the chief executive of Breed Reply. “What the market needs is a classification of security based on sensitivity of data and the capability and limitations of the IoT device.”
However, the market has only recently started to turn its attention to IAM, perhaps because the demands of IoT are different to standard network security. “In IoT you are authenticating devices – the things – instead of subscribers on a network which means people’s memory of passwords has to be replaced with electronic or programmatic tokens to authenticate identity,” explains Aman Brar, the vice president of global solutions and global alliances at Openwave Mobility. “IoT IAM systems also have to manage the lifecycle of identity tokens. Secondly, the IoT ecosystem is fragmented into multiple smaller systems based on device types, access networks, protocols and use cases. These factors define what kind of IAM is employed in order to balance the cost of IAM versus the damage that can occur due to threats related to privacy, network outage, data theft and billing scams.”
For Giovanni Verhaeghe, the director of Corporate Strategy at VASCO Data Security, the fragmentation of technologies and standards is at the heart of the IoT security challenge. “The problem with IoT is the current lack of standardisation and regulation,” he says. “Anyone can create their own IoT network.”
Webb agrees: “The sheer volume of potential IoT devices, and the complexity of interactions, means that it will be essentially impossible to build reliable security and privacy controls that aren’t grounded in a philosophy that manages the interactions of the devices and the people around them,” he says. “We need to apply the same lessons to IoT security that we have applied to other cyber-security practices, and place IAM at the heart of the strategy. Securing the IoT will ultimately depend on our ability to manage the identities, behaviours and interactions of those devices. It’s an IAM challenge, just on a much larger scale than one we’ve had to deal with before.”
There is some time, although not much, for the IoT industry to implement proper IAM, but there are fears that many IoT services won’t be viable without IAM. “Today, most IoT implementations are limited in scope and they already show some cracks in terms of security and threat vectors,” says Lasnier. “However, a new era of IoT based on complex ecosystems with many stakeholders and complex relationships between people, devices and services cannot and will not happen without a proper IAM framework in place. From this standpoint, we can safely say that the next phase of IoT will require mature IAM frameworks to be fulfilled.”
Maturity is a key word and Verhaeghe doesn’t think we’ve seen anything approaching it when it comes to IAM. “Frankly, we’ve yet to see many IAM best practices in IoT,” he says. “We believe that the rise of artificial intelligence for example will make these applications even more user-friendly, applicable and usable but companies tend to fall back on a nonstructured platform. In those cases, IAM is built as a feature, and not as a business enabler. You can compare it with what IAM did 20 years ago with the virtual identity of human beings.”
Mistakes are being made and those are concerns for Webb. “There’s a lot we’re getting wrong today,” he acknowledges. “IoT devices are being deployed with little thought as to how they might be attacked, and worse, there’s no real way to respond to such attacks. We can’t afford to deploy the IoT and then figure out how to keep it secure, as we did with the early days of the internet. Attackers have come too far and there’s simply too much at stake. We need to start now with standards for device security, and the ability to manage the lifecycle of IoT devices, before we simply lose control to the bad guys.”
The challenges may be new, but many of the answers exist in the experience of IAM vendors, and IoT companies should seek to access that. “Previously, companies have only had to manage identities of their staff, other corporates they do business with and, possibly, currently active customers,” says Cory. “The number of identities they have to keep track of will rise by orders of magnitude when everything they sell has an identity itself and one for its owner. The challenges involved in IoT are familiar to the IAM industry, though the scale involved is not. The challenge will be difficult to meet for organisations that have not previously had to engage with IAM and haven’t given thought to the issues involved.”