
When your IAM policy encounters the internet of things

Aging identity and access management tools, and technical innovations like the internet of things, make it imperative that you update your enterprise IAM policy now. Here's how.

Of all the emerging technology trends, the internet of things may offer the greatest business opportunities, but it also introduces the greatest risks to information security and the greatest challenges for a company's IAM policy.

Aging identity and access management (IAM) technology is already struggling to handle cloud and virtual environments, and the internet of things (IoT) will only compound the problem as it increases the control software exerts over the physical world. Identities need to be a core aspect of the IoT environment, and enterprises need to reevaluate their IAM policies and architectures to safely make the most of the IoT revolution. IoT identity and access management is essential, not only to protect the exchange of IoT-generated data, but to protect the rest of the network from this new attack vector.

IoT transforms everyday life and the way businesses operate. Objects ranging from simple sensors to home automation devices -- and even more complex autonomous devices like smart cars -- are connecting to the internet. Analysts estimate anywhere from 20 billion to 200 billion devices could connect to the internet by 2020. However, security remains a big worry, with 56% of executives concerned about the lack of authentication and authorization capabilities built into many IoT devices. Every device connected to a network increases its attack surface, and IoT devices have the potential to dramatically increase the number of entry points into a network.

For example, Whitescope found 50,000 building management systems connected to the internet, 2,000 of which are online with no password protection. Compromised IoT devices and data have the potential to cause far more serious damage than a hacked desktop: Disruption to critical civil infrastructure services, compromised medical devices and hijacked cars are just a few examples.

Deploying end-to-end encryption can help deter hackers and protect data in transit and at rest. But the problem of authentication is more complex due to the sheer number and diversity of IoT devices, and due to the myriad interactions between people, devices and apps with multiple uses and contexts. An effective IAM policy now must recognize that many IoT devices will need digital identities that are linked to human identities. These devices must be able to secure numerous interrelationships in the IoT ecosystem, including context-based identity delegation and access control.

Traditional IAM manages human identities, controlling access to an enterprise's networked resources based on broadly defined job roles and titles that can't be extended to the world of IoT. Those who try will quickly find themselves unable to offer secure and positive IoT user experiences. Most IoT devices don't have input/output mechanisms to support complex passwords, while authentication based solely on IP addresses is problematic for any device that's mobile. IoT devices are also bidirectional: they not only output data, but also accept commands and requests for data, and that data may be distributed across multiple systems, each requiring authorized access.

IoT identity and access management tools have to be more device-centric than user-centric, allowing devices to authenticate themselves to other devices. While IP address, media access control address, OEM-based identifiers and device behavior will play a role in identification, device authentication and security will most likely be enabled through an IoT security management plane that uses API calls, public key infrastructure certificates or the OAuth 2.0 protocol to authorize an entity -- whether it's a user, a service or another device -- to access a resource or application. For customer-facing IoT use cases, an IAM solution that enables single sign-on, biometrics or social login capabilities will be important to balance convenience with effective authentication.

Another crucial capability for any IoT IAM policy is aggregating user-preference data captured from different devices into a single profile, while allowing users to self-manage privacy preferences such as granting consent for data sharing across different devices and services. Managing dynamic relationships between users and devices is as important as the ability to manage identities. User-managed access, which allows users to perform self-service for their IoT devices, will become vital as connected devices proliferate and become more intelligent. Without this control, privacy concerns may slow IoT acceptance and adoption.
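The two preceding paragraphs describe device-centric authentication (an OAuth 2.0-style token issued to a device rather than a person) and user-managed consent that can be revoked independently of that token. The following Python is an added illustration, not code from the article or any vendor: it issues an HS256-signed token that binds a device identity to its human owner, then authorizes each request only if the token verifies, carries the requested scope, and the owner's consent store still grants that scope to that device. The signing key, device names, owner name and scope strings are all constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key for the hypothetical identity service. A production
# deployment would use PKI-issued keys (RS256/ES256), not a shared secret.
SIGNING_KEY = b"constructed-example-iot-identity-service-key"

# Constructed consent store: owner -> device -> scopes the owner has granted.
# Consulted on every request, so revoking consent takes effect immediately,
# even while a previously issued token is still unexpired.
CONSENT = {"alice": {"thermostat-7f3a": {"telemetry:write", "schedule:read"}}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_token(device_id, owner, scopes, ttl=3600, now=None):
    """Sign a JWT-style token whose subject is the device, linked to its owner."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": device_id, "owner": owner,
                            "scope": sorted(scopes), "exp": now + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_device_token(token, now=None):
    """Return the claims if the signature and expiry check out, otherwise None."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed base64, JSON or token layout
        return None
    now = time.time() if now is None else now
    return claims if isinstance(claims, dict) and claims.get("exp", 0) > now else None


def authorize(token, scope, now=None):
    """Allow only if token is valid, names the scope, and owner consent still grants it."""
    claims = verify_device_token(token, now)
    if claims is None or scope not in claims.get("scope", []):
        return False
    return scope in CONSENT.get(claims.get("owner"), {}).get(claims.get("sub"), set())


def revoke_consent(owner, device_id, scope):
    """User-managed access: the owner withdraws one scope for one device."""
    CONSENT.get(owner, {}).get(device_id, set()).discard(scope)
```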

The commercial pressure to be first to market with the latest IoT device or service means invisible security features get overlooked in favor of eye-catching user features. The backend systems needed to support IoT are also often short on security and privacy controls, leaving enterprise networks and IoT users vulnerable to security attacks and privacy violations. IoT authentication has to be addressed before IoT can reach its full potential. Without it, the world of IoT will quickly become a dangerous one, used for malicious surveillance and massive attacks.

An effective IAM policy for IoT is essential; bolting on IAM for IoT is not an option. A trusted identity must be built into every connected device, particularly as firmware in IoT devices is far harder to patch or upgrade. Enterprises need to look for devices where basic device and user provisioning, registering and authentication tasks are embedded features, providing a suitable mix of security and user experience. This will entail understanding how information security is included in a manufacturer's development processes. An IAM policy will require a platform that provides hardened IAM APIs and addresses the unique IoT requirements of scalability and high availability, along with complete lifecycle support for devices and users.
