Taking on the Tough Guys: Implementing IAM Policy for IoT Devices
Oren Harel, July 3, 2017
The Internet of Things (IoT) is – to quote the title of a well-known Beatles song – “Here, There, and Everywhere.” Recent estimates (according to Gartner) indicate over 20.4 billion connected “things” will be in use by 2020, with the technology yielding a whopping $2 trillion in revenue.
Vulnerabilities in IoT
But with the almost endless business opportunities that IoT represents come some equally impressive challenges. IoT opens the door to security breaches that, unfortunately, loom larger and deeper than any we’ve experienced before. IoT devices are easy to hack, and security protocols often aren’t built in. The ease with which smart homes, pacemakers, connected cars, webcams and even gas station devices have been compromised is a very worrisome trend.
What makes it even more dangerous is the protocols dictating how all of these connected devices communicate with one another, which can spread an infection across many types of devices.
Legacy IAM systems are not designed to handle the scale and complexity IoT brings to access management: billions of new users and devices online, as well as new cloud services. IoT forces organizations to adapt their technologies to manage the influx of these users, devices, and interaction points that have access to information.
However, because IoT is distributed by nature and offers only limited ability to rely on perimeter security measures, IAM is at the heart of the IoT revolution. It must advance and modernize itself to be able to handle IoT – and that’s where policy-based IAM solutions come into play.
IAM is the Ideal Security Layer for IoT
These are the very reasons why the rise in adoption of the Internet of Things will require IAM systems to adapt. Originally developed to manage digital identities of people, IAM systems now must also integrate and manage hundreds of thousands of IoT devices.
A report published by the Cloud Security Alliance shows that the rapid growth in IoT devices demands management of more identities across devices than existing IAM systems are equipped to support. To safely integrate IAM within IoT networks, the report recommends integrating IoT implementations into existing IAM and governance frameworks. The report also recommends designing authentication and authorization schemes based on system-level threat models.
IAM for IoT is Context Aware
The primary strategy for meeting IoT-related security threats lies in adopting an approach to security that is context aware. Variations in identities, environment (e.g. time, location, and events), and access to apps, data and resources must be taken into account in real time, to allow the identification of problematic behavior and stop breaches before they occur.
Herein lies the advantage of a sophisticated IAM solution. Whereas other approaches rely on definitions made at an earlier time, with such an IAM solution the decision to give a user access to a particular resource at a given time is not predetermined; it is evaluated when the request is made.
This provides a degree of control that’s impossible with other systems. For example, let’s say an employee of a U.S.-based company logs on from an unusual location – perhaps Thailand. With the capabilities inherent to contextual authorization, an IAM system can be set to flag unusual locations. The employee – or, the imposter who stole the employee’s password details – will be denied access, and the behavior flagged for review. Breach averted.
Policy Creation and Management – and IoT
An access control solution built on context-based security policies considers the particular set of circumstances at the moment the request to access data is made – the resource, the environment, the requester. It’s this kind of comprehensive, real-time approach that ensures a digital identity can act based on the here and now, thus limiting the risk at any point in time.
The same is true for API access: effective API control involves developing manageable access policies that ensure APIs don’t create vulnerabilities. The challenge lies in ensuring that APIs enable data access for any endpoint (whether used by a human or not), while simultaneously protecting a company’s back-end services.
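As an added illustration of the context-aware, policy-based decision described above (example code written for this page, not code from the original post or from any product it describes): a minimal policy decision point that evaluates each request against the requester, the resource and the environment, denies and flags access from an unusual country as in the Thailand scenario, permits a device to write only its own telemetry, and falls back to deny when no policy matches. The usual-country baseline, the policies and the requests are constructed sample data.

```python
from datetime import datetime

# Constructed baseline (an assumption for this example): where each identity normally connects from.
USUAL_COUNTRY = {"alice": "US", "sensor-0042": "US"}


def make_request(subject, subject_type, resource, action, country, hour):
    """Build a request together with its environmental context (constructed sample data)."""
    return {"subject": subject, "subject_type": subject_type, "resource": resource,
            "action": action,
            "env": {"country": country, "time": datetime(2017, 7, 3, hour, 0)}}


def unusual_location(req):
    """True when the request comes from a country other than the subject's usual one."""
    usual = USUAL_COUNTRY.get(req["subject"])
    return usual is not None and req["env"]["country"] != usual


def in_business_hours(req):
    return 8 <= req["env"]["time"].hour < 18


# Policy set, evaluated deny-overrides; a request no policy permits is denied (minimum access).
POLICIES = [
    {"name": "deny-unusual-location", "effect": "deny", "flag": True,
     "when": unusual_location},
    {"name": "device-writes-own-telemetry-only", "effect": "permit",
     "when": lambda r: r["subject_type"] == "device" and r["action"] == "write"
                       and r["resource"] == "telemetry/" + r["subject"]},
    {"name": "employee-reads-reports-in-hours", "effect": "permit",
     "when": lambda r: r["subject_type"] == "user" and r["action"] == "read"
                       and r["resource"].startswith("reports/") and in_business_hours(r)},
]


def decide(req):
    """Return (decision, matched policy names, flagged_for_review)."""
    permits, denies, flagged = [], [], False
    for policy in POLICIES:
        if policy["when"](req):
            (denies if policy["effect"] == "deny" else permits).append(policy["name"])
            flagged = flagged or policy.get("flag", False)
    if denies:
        return "deny", denies, flagged
    if permits:
        return "permit", permits, flagged
    return "deny", ["no-matching-policy"], flagged
```

The same request that is permitted from the employee's usual country at 10:00 is denied and flagged when it arrives from Thailand, and is denied without a flag outside business hours.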
Making Sure Small “Things” Don’t Make a Big Mess
One of the trickiest aspects of the IoT challenge is simply its scale.
According to research by the Cloud Security Alliance on implementing IAM for IoT, to secure an enterprise an IAM solution must be robust enough to facilitate policy management and provision both users and devices on a massive scale – covering everything from in-house systems to mobile apps and customer-facing services for millions of devices.
Only an advanced access control protection strategy can meet these complex security challenges. A policy-based solution is the best approach for this growing challenge – offering maximum protection despite the sheer number and wide range of IoT devices, in different locations, that continuously connect to the enterprise network.
The risks of IoT-related breaches mean that the time is ripe to make sure your organization is set up to make informed decisions about access control that reflect a real-time understanding of circumstances, and can effectively avoid a breach by maintaining a policy of minimum access.