The massive growth of Internet of Things (IoT) devices is placing significantly increased focus on identity management. Forrester has suggested that, by 2022, there may be up to 100 times more IoT devices in the world than there are cellphones and laptops. In this hyper-connected digital world, security and accessibility are must-have foundations. Welcome to the Identity of Things (IDoT). Let’s look at why you’re going to need an identity platform for your IoT initiatives.
Although slightly less optimistic, figures from Statista estimate that there will be over 50 billion connected IoT devices globally by 2020, almost double the number in 2017. Gartner predicts that, by 2020, there will be 215 trillion stable IoT connections, with 63 million new ones being made every second.
The use of IoT brings real benefits to the organizations implementing the devices, and those benefits grow with the number of devices they connect. In its IoT Barometer 2017/8, Vodafone found that 26% of companies with under 100 connected devices reported significant business benefits from their IoT investments, rising to 67% for organizations with over 50,000 devices.
In addition, Vodafone found that organizations were integrating IoT closely with their business processes: 44% of respondents said IoT projects were part of wider initiatives, and a further 46% reported integrating IoT with core systems such as ERP and CRM. As IoT becomes increasingly mission-critical across a wide range of industry sectors, organizations need a fresh approach to managing identity, one that moves beyond users to encompass every network entity: applications, systems, devices and things.
ABI Research predicts that identity management for IoT will be worth $21.5 billion by 2022, noting: ‘We are entering a transformational period where device IDs, system IDs, and user IDs are forced to merge under the hyper-connected IoT paradigms, effectively altering the way IDoT will be perceived from now on.’
Just reading that sentence gives a good idea of the complexity every organization faces as it increases its adoption of IoT technologies. However, the challenge starts with the devices themselves.
IoT devices – The weakest link?
No one really needs reminding of the security implications of IoT: the damage an attacker could do by compromising a connected vehicle, a copier on your corporate network, or even a medical device. The stakes are high and protecting an always-on IoT estate is essential. Forrester points out that few IoT devices have been designed with security as a paramount consideration. This leaves enterprises exposed, because a poorly secured IoT device can act as a back door into the corporate network: an attacker who compromises one can pivot from it to your infrastructure and other resources. Once a vulnerability has been found and exploited across a fleet, the same devices can be herded into botnets and used for distributed denial of service attacks.
Lack of sophisticated operating systems
Forrester suggests that, in the rush to bring new devices to market, manufacturers can overlook the security of the operating system or firmware on the device. Devices such as sensors are, by their nature, designed to perform a single discrete task, so the operating system is kept as small as possible and often lacks security features, especially authentication and cryptography. That makes them an attractive target for attackers.
No input mechanisms for complex passwords
Forrester also notes that almost no IoT device has a keyboard on which to enter a password. Let’s face it: if you have thousands or hundreds of thousands of IoT devices spread throughout your organization, you don’t want passwords to be your form of authentication. You need authentication at scale. That is a challenge, because the multi-factor authentication you would employ for users is going to be extremely difficult, and probably inappropriate, to implement for IoT devices.
Traditional identity and access management (IAM) technologies and methods are ill-suited to this IoT environment. You require a new approach to delivering the secure and robust technologies needed to provision, authenticate, authorize and audit the identities of IoT devices. More importantly, you need to be able to manage the relationships between those devices, your systems, your applications and your people.
IDoT – A new identity management paradigm?
As early as 2014, Ant Allen, Vice President of identity and access management at Gartner, was warning that traditional IAM systems would be unable to cope with the proliferation of connected IoT devices, because traditional authentication was built solely around the user and their access to applications and data. What Allen flagged as an issue four years ago has become a pressing concern today.
A new generation of identity management solutions, such as OpenText™ Covisint Identity Platform, has emerged to address the needs of the new IoT-driven world. They address five key areas:
The relationships of networked entities
IAM can no longer be seen purely in the context of granting users, whether internal or external, access to network resources. You have to address all the devices, systems, people and things on the network. Each has multiple, multi-faceted relationships with other network entities: a device will communicate with other devices, with end users and with applications. Every second, a huge number of these relationships have to be controlled, managed and secured.
While most companies are moving beyond single sign-on and implementing multi-factor authentication for their people, this is unlikely to be the answer for device authentication. Many experts suggest that the answer is public key infrastructure (PKI): a private key and certificate already provisioned in the device, which let it prove its identity cryptographically without a password. Either way, you need to support multi-tiered authentication to govern relationships in which different entities require different authentication methods.
Identities and contextual access management
We all know that security isn’t just about granting the right levels of access; it is equally about when and why access is granted. Just as you grant temporary or real-time access to users, you need to set limits for IoT devices and determine what is appropriate for each. Large-scale provisioning of this kind must understand the context: what the device does and why it is making the request. Better still, the system should be able to establish a normal state of behavior for a device and predict or suggest an action when a request departs from it. (This is one direction we’re headed, and I’ll save the topic of identities and artificial intelligence (AI) for a future blog.) This is an enormous undertaking, and IT teams will struggle to reach this point on their own, even with the right talent, funds and resources, while other vendors are still focused on identity management for new employee onboarding rather than identities for IoT initiatives.
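As an added illustration of the contextual check described above (example code written for this page, not part of the Covisint platform or any vendor's API; the type names, the role profiles and the sample requests are all hypothetical and constructed), the following Go program evaluates each device request against two things: the device's declared function (which actions, on which resources, its role permits, with `{self}` standing for the device's own namespace) and a baseline request rate over a sliding one-minute window. A request outside the role, or a burst beyond the baseline, is denied with a reason an operator or an anomaly model could act on.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed example (hypothetical names, not a vendor API): each device
// identity carries a profile of what the device is for and how often it
// normally talks; a request is allowed only if it fits both.
type Request struct {
	DeviceID string
	Action   string // e.g. "publish", "read-config", "firmware-update"
	Resource string // e.g. "telemetry/sensor-0042/temp"
	At       time.Time
}

type Profile struct {
	Role      string
	Allowed   map[string][]string // action -> resource patterns; "{self}" expands to the device ID
	MaxPerMin int                 // baseline: requests per minute that are normal for this role
}

type Decision struct {
	Allow  bool
	Reason string
}

type ContextEngine struct {
	profiles map[string]Profile
	recent   map[string][]time.Time // per-device request times inside the sliding window
}

func NewContextEngine(profiles map[string]Profile) *ContextEngine {
	return &ContextEngine{profiles: profiles, recent: map[string][]time.Time{}}
}

// matches treats a pattern as a path prefix: "telemetry/x" covers "telemetry/x"
// and "telemetry/x/temp" but not "telemetry/xy".
func matches(resource, pattern string) bool {
	return resource == pattern || strings.HasPrefix(resource, pattern+"/")
}

// Evaluate decides a request from the device's identity, its declared
// function and the rate at which it has been seen recently.
func (e *ContextEngine) Evaluate(r Request) Decision {
	p, ok := e.profiles[r.DeviceID]
	if !ok {
		return Decision{false, "unknown device"}
	}
	patterns, ok := p.Allowed[r.Action]
	if !ok {
		return Decision{false, fmt.Sprintf("action %q is outside role %q", r.Action, p.Role)}
	}
	permitted := false
	for _, pat := range patterns {
		if matches(r.Resource, strings.ReplaceAll(pat, "{self}", r.DeviceID)) {
			permitted = true
			break
		}
	}
	if !permitted {
		return Decision{false, fmt.Sprintf("%s on %q is not part of what %s does", r.Action, r.Resource, r.DeviceID)}
	}
	// Rate baseline: drop timestamps older than a minute, record this one, compare.
	window := r.At.Add(-time.Minute)
	kept := e.recent[r.DeviceID][:0]
	for _, t := range e.recent[r.DeviceID] {
		if t.After(window) {
			kept = append(kept, t)
		}
	}
	kept = append(kept, r.At)
	e.recent[r.DeviceID] = kept
	if len(kept) > p.MaxPerMin {
		return Decision{false, fmt.Sprintf("%d requests/min exceeds baseline of %d", len(kept), p.MaxPerMin)}
	}
	return Decision{true, "ok"}
}

func main() {
	e := NewContextEngine(map[string]Profile{
		"sensor-0042": {Role: "temperature-sensor", Allowed: map[string][]string{"publish": {"telemetry/{self}"}}, MaxPerMin: 3},
	})
	now := time.Date(2018, 5, 1, 9, 0, 0, 0, time.UTC) // constructed timestamp
	fmt.Println(e.Evaluate(Request{"sensor-0042", "publish", "telemetry/sensor-0042/temp", now}))
	fmt.Println(e.Evaluate(Request{"sensor-0042", "publish", "telemetry/sensor-0099/temp", now}))
	fmt.Println(e.Evaluate(Request{"sensor-0042", "firmware-update", "devices/sensor-0042", now}))
}
```

The two checks are deliberately separate: the role check is static policy that a rules engine can evaluate at provisioning time, while the rate baseline is the simplest form of the "normal state of behavior" the text mentions; a real deployment would replace the fixed `MaxPerMin` with a learned per-device profile but keep the same decision shape.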
Effective provisioning and de-provisioning
I doubt there’s a security manager today who has not had sleepless nights worrying about orphan accounts. How do we ensure that all access rights are removed when someone leaves the company? The problem is multiplied horribly when dealing with a massive number of disparate devices, potentially spread globally. You not only need to provision new identities to devices quickly, with the correct access rights (which means you also need a rules engine), but you also need to be able to de-provision them just as effectively.
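To make both the PKI-based device authentication mentioned under the relationships of networked entities and the provisioning and de-provisioning cycle above concrete, here is an added Go example (written for this page; it is not code from OpenText, Covisint or any vendor, and every type and name in it is hypothetical). A private device CA issues one X.509 client certificate per device at provisioning time; the backend authenticates a device by verifying the chain and client-auth usage, checking a revocation set, and requiring a signature over a fresh server nonce so that a copied certificate alone is useless; de-provisioning is a revocation entry. The device key is generated in the same process only for brevity; on a real device it belongs in a secure element and never leaves it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed example (hypothetical names, not a vendor API): a private device
// CA provisions one X.509 certificate per device, authenticates devices by chain
// verification plus proof of possession over a nonce, and de-provisions by revocation.
type DeviceCA struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	roots   *x509.CertPool
	revoked map[string]bool // certificate serial -> revoked
	nextSer int64
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDeviceCA creates a self-signed CA used only to sign device certificates.
func NewDeviceCA() (*DeviceCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &DeviceCA{cert: cert, key: key, roots: roots, revoked: map[string]bool{}, nextSer: 2}, nil
}

// Provision issues a client certificate naming the device. The key is generated
// here only for brevity; on a real device it is generated on the device itself.
func (ca *DeviceCA) Provision(deviceID string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSer),
		Subject:      pkix.Name{CommonName: deviceID, OrganizationalUnit: []string{"iot-devices"}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.nextSer++
	cert, err := issue(tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// Deprovision revokes the certificate; the device itself need not cooperate.
func (ca *DeviceCA) Deprovision(cert *x509.Certificate) {
	ca.revoked[cert.SerialNumber.String()] = true
}

// DeviceSign is the device side of authentication: sign the server's fresh nonce.
func DeviceSign(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Authenticate returns the device identity only if the certificate chains to the CA
// with client-auth usage, is not revoked, and the signature proves the caller holds
// the matching private key.
func (ca *DeviceCA) Authenticate(cert *x509.Certificate, nonce, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: ca.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return "", errors.New("certificate revoked")
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", errors.New("proof of possession failed")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := NewDeviceCA()
	cert, key, _ := ca.Provision("sensor-0042", 24*time.Hour)
	nonce := []byte("constructed-server-nonce") // a real server draws this at random per session
	sig, _ := DeviceSign(key, nonce)
	fmt.Println(ca.Authenticate(cert, nonce, sig)) // sensor-0042 <nil>
	ca.Deprovision(cert)
	fmt.Println(ca.Authenticate(cert, nonce, sig)) //  certificate revoked
}
```

The revocation set is in memory here; in deployment it would be a CRL or OCSP responder consulted on every connection, and the nonce must be fresh per session so that a captured signature cannot be replayed. Note that de-provisioning needs no action on the device: the identity dies at the backend, which is exactly what you want for a device that has been lost, sold or compromised.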
Delivering excellent user experience
IAM in the IoT world is far more multi-layered and complex than before, but the old trade-off between security and usability is less acceptable now than ever. People are used to the Internet as a medium that delivers almost instant results, and they expect the same whether they are shopping online or working on the corporate network. Today, how you deliver an excellent user experience must be at the heart of your IDoT system.
The need for an IoT identity platform
I want to take a step back for a second and look at Forrester’s definition of IAM for IoT: ‘A collection of existing and emerging technologies that allow manufacturers, operators and end users to manage the identity life cycle, governance and authentication of IoT devices’.
This definition describes the current state of the market, where many specialist solutions each address specific elements of the IDoT challenge. While excellent individually, these solutions require organizations to assemble an ecosystem of complementary products to cover their overall requirements, which adds cost, complexity and management overhead to security and access in the IoT world.
This situation, according to Phillip Windley of Brigham Young University, won’t continue. He says, “All the communities that already identify IoT components will become more aware of each other and begin to collaborate on broader IoT identity platform standards.” In fact, this type of comprehensive, enterprise IoT identity platform already exists today.
With the new generation of identity management platforms for IoT, such as OpenText Covisint Identity Platform, you already have the capabilities to manage all the entities on your IoT network and the relationships between them effectively.
If you’d like to know more about how an identity management platform can accelerate IoT success, this is a key topic at Enterprise World next month in Toronto. For a personalized and private meeting, please contact us through the website or email me directly.