In 2015, Gartner’s Earl Perkins discussed using an “identity of things” to manage interactions among the different components of an IoT environment. Yet today’s IoT strategies are often device-centric: individual products are deployed without a clear plan for how, when and where they’ll interact with other entities, or with whom.
To understand how identity and IoT correlate, first consider the value of identity in the enterprise. Identity management, as a discipline, has been around for a very long time, initially focused on simply provisioning access to software and services. Over the past few years, however, attention has shifted to behavior monitoring in order to quickly identify when a device, or person, starts to do something “bad.” This has enabled enterprises to keep information under control and stay secure by focusing on presenting the identity context of interactions and activity.
We can use these proven strategies for IoT management. From a security perspective, simply protecting and hardening IoT devices themselves is not realistic at the scale to which IoT environments will grow. It’s like stopping car crashes by making safer roads; focusing on the infrastructure can only make so much of a difference. The workload of keeping patches up to date is clearly already exceeding our collective ability to get the job done, even in today’s non-IoT enterprise environment. However, applying the principles of identity management will enable organizations to form the foundation upon which to build a workable security strategy. Understanding what each device is, how it normally behaves and what other devices (and people) it interacts with arms organizations with a baseline to measure against.
Once this baseline identity is established, enterprises will be much more prepared to get ahead of potential security issues. When normal interactions change, when the level of data exchange shifts, when the hours of activity become unusual or when something looks odd, then we have the best chance of spotting an attack before the real damage is done.
For example, imagine an office building filled with smart lights. If those lights suddenly start chatting with each other in an unusual way — yes, smart lightbulbs are hackable — then maybe they are under attack by someone with an IoT worm. If we don’t know the devices are lights and can’t tell who or what they are talking to, the traffic alone may not trigger an alarm until it’s far too late.
Understanding the identities of those lights may, on the other hand, give us the warning we need. We already know that attackers are looking at poorly secured IoT devices as both a pool of untapped compute resources for truly massive distributed denial-of-service attacks and the quickest way to breach corporate networks. And when potentially dealing with billions of devices, many of them of questionable heritage and security status, it’s clear that using an identity framework may not only be the best choice, but the only choice.
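The baseline checks described above, applied to the smart-light scenario, as an added example that is not from the original article. The device names, flow tuple layout, `volume_factor` threshold and sample flows are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed inventory (hypothetical names): device id -> what the device is.
INVENTORY = {"light-01": "light", "light-02": "light", "hub-01": "lighting-controller"}

# Constructed known-good flows: (source, destination, hour of day, bytes sent).
KNOWN_GOOD = [(light, "hub-01", hour, 200)
              for light in ("light-01", "light-02") for hour in range(7, 20)]

@dataclass
class Baseline:
    peers: set = field(default_factory=set)   # device ids this device normally talks to
    hours: set = field(default_factory=set)   # hours of day it is normally active
    max_bytes: int = 0                        # largest flow seen while learning

def learn(flows):
    """Build a per-device baseline from flows seen in a known-good window."""
    baselines = defaultdict(Baseline)
    for src, dst, hour, nbytes in flows:
        b = baselines[src]
        b.peers.add(dst)
        b.hours.add(hour)
        b.max_bytes = max(b.max_bytes, nbytes)
    return baselines

def check(flow, baselines, volume_factor=3):
    """Return the baseline deviations for one flow; an empty list means normal."""
    src, dst, hour, nbytes = flow
    if src not in INVENTORY:
        return ["unknown-device"]             # no identity, so no context to judge by
    b = baselines.get(src, Baseline())
    findings = []
    if dst not in b.peers:                    # normal interactions changed
        findings.append("new-peer:" + INVENTORY.get(dst, "unknown"))
    if hour not in b.hours:                   # hours of activity became unusual
        findings.append("unusual-hour")
    if nbytes > volume_factor * b.max_bytes:  # level of data exchange shifted
        findings.append("volume-shift")
    return findings

if __name__ == "__main__":
    baselines = learn(KNOWN_GOOD)
    for flow in [("light-01", "hub-01", 9, 220),      # routine status report
                 ("light-01", "light-02", 3, 5000),   # light-to-light at 03:00
                 ("cam-99", "hub-01", 9, 100)]:       # device not in inventory
        print(flow, check(flow, baselines) or "ok")
```

Because the destination is resolved through the inventory, the alert says a light is talking to another light, which is the context a raw traffic count would not give.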
We should be under no illusions: the internet of things will be chaotic and potentially a security nightmare. Identity management, or identity of things, alone will not solve all security issues with the growing world of IoT, but it will significantly influence the IoT worldview. The best hope to keep that chaos to manageable levels is to at least understand the interactions of the identities involved, whether those are devices, services or regular old human beings like you and me.