By Mike Ellis, CEO at ForgeRock
Due to the ubiquitous nature of connected objects in the Internet of Things (IoT), an unprecedented number of devices are expected to be connected to the Internet in the next few years. IoT, mobile and security are growing at a massive pace. In fact, IDC mentions that spend in these areas will be $7.3 trillion (IoT), $107 billion (mobile), and $8 billion (security), respectively, by 2017. Not one of these areas can exist without the ability to propagate and manage identities across them.
Before the Internet of Things, in an age where companies only connected computers to other computers that were ‘trusted’ and within the network, security was a much simpler affair. Legacy systems were created to be secure on an internal basis, keeping all evil at bay. Security was perimeter based. Everything was behind the firewall. It was about serving internal stakeholders, for instance, creating identities for employees to access the right information and services securely. Of equal importance was the need to comprehensively take away those access rights once an employee left the company. These systems only had to cope with a small scale, ranging from 20-40,000 identities. All very much manageable.
However, the dawning of an era where all things are connected, the IoT, has turned this approach to identity on its head. Organisations everywhere now have a need to build systems that provide secure access externally too: to customers, partners and other important stakeholders. This means systems have to cope with millions of identities, most of them outside of any firewall. Static and portable devices need to communicate with each other, and then there’s human-to-machine and machine-to-machine identification and interaction to take into account. Identifying who’s who and what’s what has never been so complex.
Recent serious IoT attacks – genuine or just proof of concept?
Without the right identity model in place, organisations could be at risk of making their data openly available to the bad guys. They also risk their systems becoming increasingly expensive to run as a result of the explosion of new devices requiring access to the network, which one by one have to be painstakingly authenticated.
So, when you think of the risks associated with mis-managed identities in a corporate network, you think of laptops, smartphones and tablets. However, when talking about the Internet of Things, we need to think much farther and wider than that. Think cars, think wearable devices, think domestic appliances, even think lightbulbs. Yes, even lightbulbs. And they’re not a threat of the future; they are a threat in the here and now. Many high profile attacks on IoT devices have been reported in the media over recent months. A recent example is the smart LED light bulbs that leaked WiFi passwords. (See, I wasn’t joking.) These attacks demonstrate just how easily systems can be hacked, no matter how early in development they are. To date, to my knowledge, there hasn’t been anything with huge negative implications for people or business. Yet. However, soon we will reach a tipping point and hacks will become much more serious.
It is also worth noting that the impact of these hacks can go much further than simple inconvenience for the user. It is a matter of trust. Once trust is broken, even if a customer has not been personally affected, brand reputation can suffer greatly.
Securing your IoT devices
As consumers look for and expect more ways to engage with businesses, companies are encouraging them to shift from a closed, protective world of Identity Access Management (IAM) to the open, evolving and confidently secure Identity Relationship Management (IRM) universe. This is because identity and access management tools are a necessity for managing trust relationships with parties both inside and outside of a company—relationships that are now tied directly to the business’ top line.
The ideal IRM platform should include all aspects of identity lifecycle management. That means not only identity administration, access management and identity data stores, but also a solution that can define and establish relationships between all those identities. This way, attributes, context, and behaviour can all be analysed for security purposes.
As with any emerging technology, there are mixed views out there on how to improve the security of IoT devices. Gartner has commented that ‘the increasing digitisation and automation of the multitudes of devices deployed across different areas of modern urban environments are set to create new security challenges to many industries’. I’d agree, of course. However, if managed in the right way from the start, IoT devices do not need to create further security headaches. Identity and context-based security is the key. These are the layers that software application development professionals need to start building into their project architectures. They need to look at how the data is transferred between Internet-enabled machines so that it is both encrypted and authenticated.
To ensure that a request to access a machine is valid, a number of factors must be checked. Data such as location, time and device must be verified to ensure that requests are warranted, and past behaviour can be analysed in order to achieve that.
It’s a new way of thinking and acting, but one that will help future-proof the business. There are four initial stages I’d recommend to anyone considering how they continue to manage identities connecting to their corporate network:
1.) Think external, not internal – it’s not just about keeping a close eye on what devices employees are connecting to the network. External contacts and clients now expect to connect to your network. These devices need to be authenticated too.
2.) Use a unified identity platform – it will provide a simple, repeatable way to protect an ever-growing number of devices. Protecting on a device-by-device basis is a near impossible task. Duct tape architectures are your nemesis.
3.) Use open standards and technologies, supported by your identity platform – the platform needs to be reachable in a standardised way, whether the communication comes from a human or a machine.
4.) Analyse real-time behaviour and context – look at how data is being communicated between IoT devices and ensure that it is encrypted and authenticated. Check the location, time and device to ensure requests to connect are valid and business warranted. Past behaviour is a key factor to consider during this process.
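To make the fourth stage concrete, here is an added example (not ForgeRock code) of a context-based access check that evaluates a device request against the factors the article names: a registered device, its expected location, an allowed time window, and its recent behaviour. The device registry, thresholds and requests are constructed sample data, and every name is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed registry of devices known to the identity platform:
# device id -> owning identity, registered country, allowed UTC hour window.
DEVICE_REGISTRY = {
    "bulb-0042": {"owner": "facilities-svc", "country": "GB", "hours": (6, 23)},
    "car-1107":  {"owner": "alice",          "country": "GB", "hours": (0, 24)},
}

@dataclass
class AccessRequest:
    device_id: str
    country: str          # location asserted for this request
    at: datetime          # request timestamp, UTC
    recent_requests: int  # requests seen from this device in the past hour

def evaluate(req: AccessRequest, baseline_per_hour: int = 20):
    """Return (allowed, reasons). Each failed factor is recorded so the
    decision is auditable rather than a bare yes/no."""
    reasons = []
    entry = DEVICE_REGISTRY.get(req.device_id)
    if entry is None:
        # Unregistered device: deny outright; no other factor can rescue it.
        return False, ["device not registered"]
    if req.country != entry["country"]:
        reasons.append(f"location {req.country} differs from registered {entry['country']}")
    start, end = entry["hours"]
    if not (start <= req.at.hour < end):
        reasons.append(f"request at {req.at.hour:02d}:00 UTC is outside allowed hours")
    if req.recent_requests > baseline_per_hour:
        # Past behaviour: a burst well above the device's baseline is anomalous.
        reasons.append(f"{req.recent_requests} requests/hour exceeds baseline {baseline_per_hour}")
    return (not reasons), reasons

if __name__ == "__main__":
    noon = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)
    print(evaluate(AccessRequest("bulb-0042", "GB", noon, 3)))
    print(evaluate(AccessRequest("bulb-0042", "US", noon.replace(hour=2), 50)))
```

The reasons list is what an identity platform would log or feed into step-up authentication rather than silently denying.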
The adoption of IoT is set to stay and will no doubt continue to grow at a rapid pace. Businesses need to act now in order to ensure they can authenticate the countless number of devices connecting to the network. It is essential that they protect their most valuable asset… their data.