IoT Security and Identity Access Management

By Cynthia S. Artin November 08, 2017

With all the emphasis lately being placed on securing the edge of the IoT and IIoT, secure network connectivity is often considered more of a “downstream” requirement. In fact, given the fundamental nature of smart products being valuable because they can be connected to the cloud, data and analytics, and increasingly real-time closed-loop systems, securing network infrastructure and the sessions moving over that infrastructure should be more than a second thought.

As more attacks through botnets are being announced, and particularly as IoT moves beyond consumer mainstream wearables and into massive enterprise deployments, IT and OT teams are paying more and more attention to securing access to the networks that connect more valuable things, including factory equipment, smart grid hardware, and more. Regulators are paying attention, and legislation is being drafted, particularly associated with critical infrastructure to ensure that the networks IIoT systems rely on are at least as secure as the end-points getting all the attention of late.

IoT is focused on the interaction between connected things, people, tools, and apps. Gartner called out the future need for Identity Access Management back in 2015, noting that “IAM” and Privileged Access Management (PAM) will be mainstays in ensuring IoT/IIoT networks cannot be hacked into by unauthorized administrators. We’ve learned recently that more than half of attacks on corporate networks have come from the inside – and when we envision a “corporate network” supporting, for example, dozens of chemical plants, we can also envision a dark situation where an employee can control the release of deadly chemical agents into the environment, for example.

IAM and PAM demands will become much more complicated in the world of IoT, with harder problems to solve, and exponentially more endpoints.

The security industry is seeing a paradigm shift whereby IAM is not only individually concerned with managing people but also managing the hundreds of thousands of “things” that are connected to a network.

IoT for IAM will require:

Enforcement of Security Best Practices: IoT solutions mingle the physical and digital worlds and results in more serious impacts from IoT-related data that includes intrusion of privacy and harm to physical property. Identity management solutions will need to be designed to address these concerns. IoT IAM platforms will need to offer end-to-end data encryption, DOS /overload detection, adaptive authentication, and automatic load balancing to provide the robust security capabilities needed to unlock the full potential of the IIoT in particular.

Privacy and Preference Management: End customers are concerned that as devices gain the ability to collect large volumes of personal data, the potential for privacy violations grows. This happens especially when this data is shared and used, which is part of the cloud and API nature of the IIoT. IAM solutions permit customers to self-manage preferences such as opting in or out of communications and granting their approval for data sharing. When a company sells an enterprise a solution connecting smart products purchased by consumers, they will insist upon the ability to reassure customers that by installing a smart doorbell, images of visitors to their homes will not become public. This is just one of many scenarios where a criminal inside an enterprise with access to the network could extract images and other information from an end-point the system designed to protect their customer, not expose them to identity theft.

Policy-Based Data Access Governance: IoT IAM requires extreme governance capabilities to manage data access across things, applications, people, and devices. Data access should be granted or denied as per the IP address, industry or geographic regulatory constraints, time frames, and individual customer consent. IAM solutions that centralize governance policies and execute them across multiple channels and collection points will be “table stakes” for identity management on the massive IoT and IIoT in the near future.

The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of practices to help ensure a secure cloud computing environment, has released a summary guidance report titled “Identity and Access Management for the Internet of Things.”

Identity and access management (IAM) will be vital to effective IoT solutions, says Saniye Burcu Alaybeyi, research director at Gartner. Ms. Alaybeyi further adds that IAM will soon become, if not already, an integral part of each and every IoT solution.

While we are starting to see early offerings in IAM and PAM specifically designed to protect the IoT and IIoT, we expect to see many more in 2018. 

Edited by Ken Briodagh

Contributing Writer

Related Articles

AT&T and Los Angeles Explore Partnership

By: Ken Briodagh    9/20/2018

AT&T and the City of Los Angeles are looking to team up to make LA one of the smartest cities in America and to Drive Traffic, Public Safety and Disas…

Read More

SAS IoT to power China's Wuxi High-Tech Zone

By: Ken Briodagh    9/19/2018

Partnership builds on SAS' position as the IoT analytics leader in smart cities arenas.

Read More

AT&T, G+D and Altair Team Up to Spur IoT Deployment

By: Ken Briodagh    9/19/2018

Next-Generation Integrated SIM Will Meet the Needs of an Expanding Global Internet of Things Market

Read More

Top 5 Reasons Why APIs Lead to Blockages in B2B Operations

By: Special Guest    9/18/2018

These days, enterprises are increasingly adopting API led solutions for Business to Business (B2B) connectivity.

Read More

Technology Companies Join to Reduce Water Consumption for Commercial Farms

By: Cynthia S. Artin    9/18/2018

Three companies have announced an Industrial IoT (IIoT) "stack" combining sensors, signals, semiconductors, algorithms, expertise in social moisture m…

Read More