02 Jul Internet of Things and IAM
The Internet of Things (IoT) and the Internet of Everything (IoE) continue to be major buzzwords. It’s true that appliances, household items, home automation devices, all kinds of sensors and controllers, and many other mechanical devices are connecting more and more to the wider network called the Internet. Some of the commentary about IoT/IoE has expressed concern about the exploding security problem as dumb(?) devices without any built-in security connect to the malware- and exploit-infested Internet.
For consumers, the IoT/IoE will mean access to information and the possibility of controlling devices remotely. I wouldn’t mind if an outside party could see that my fridge mostly has nothing more than a light bulb inside, but I would mind if someone could remotely start up connected devices, especially ones that heat something up. Potentially, someone could do something malicious. There are already sauna stoves which can be controlled (started) by sending an SMS message to them. You just need to know the phone number of the controller.
The common challenge is that while the device will most likely have an identity (an IP address, MAC address, serial number, device certificate or OID-based identifier), who controls access to that device, or to the information the device sends out? Identity and Access Management (IAM) has a link here: if a device can be identified, access to it can be controlled as well. An IP address as an identifier could be problematic if the device is mobile.
The standardization efforts for IAM and IoT/IoE are only beginning to take shape at this point, led by groups such as Kantara and by developing standards such as OAuth. There are a lot of things to consider as the connected devices become more intelligent, collect and send out more information, and offer a wider range of remote control mechanisms. Identifying the connected device is quite crucial.
IAM can be extended to also include connected devices. Traditional IAM concentrates on people, managing their access privileges and the attributes associated with the users. In principle, these functions also work well with identifiable devices. The IoT/IoE, though, goes further, due to the nature of the devices. Normal IAM focuses mostly on unidirectional control (a user or person is accessing something), whereas IoT/IoE is bidirectional by nature. A connected device sends information out, but also accepts commands, information requests, etc.
Plugging connected devices into the IAM architecture yields many benefits. If the Identity Provider supports multiple authentication mechanisms, the end user can be offered a convenient way to access and control the device remotely. Passwords are not convenient, but an embedded fingerprint sensor is, like the ones in modern smartphones. Access to the information sent out by the device can likewise be controlled by the appropriate method of authorization.
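The three points above (a stable device identity rather than an IP address, bidirectional control, and stronger authentication for remote control) can be modelled in a few lines of policy code. The following is an added illustration written for this post, not code from the author or from any IAM product: it identifies a device by the SHA-256 fingerprint of its certificate bytes so the identity survives address changes, authorizes the outbound direction (a device publishing data as itself) separately from the inbound direction (a user reading or commanding the device), and requires a higher-assurance authentication method before a command that heats something up is accepted. The assurance levels, the command names, the certificate bytes and the user names are all constructed for the example.

```python
"""Device-aware IAM policy model (added example, constructed data).

Identity: devices are keyed by the SHA-256 fingerprint of their certificate,
never by their current IP address.  Authorization: the outbound flow (device
publishes data) and the inbound flow (user reads data or sends a command) are
decided separately, and high-risk commands need stronger authentication.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical assurance levels for the method the Identity Provider used to
# authenticate the user's session: 1 = password, 2 = biometric (phone sensor).
AUTH_LEVEL = {"password": 1, "fingerprint": 2}

# Hypothetical set of commands that change the physical world dangerously.
HIGH_RISK_COMMANDS = {"heat_on", "start_stove"}


@dataclass
class Device:
    device_id: str   # SHA-256 fingerprint of the device certificate (stable)
    owner: str       # user id allowed to read from / command this device
    ip: str = ""     # current address, tracked but deliberately not an identity


@dataclass
class User:
    user_id: str
    auth_method: str  # how the Identity Provider authenticated this session


def device_identity(cert_der: bytes) -> str:
    """Stable device identifier: SHA-256 fingerprint of the certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Registry:
    devices: dict = field(default_factory=dict)

    def enroll(self, cert_der: bytes, owner: str) -> str:
        """Register a device under its certificate fingerprint and its owner."""
        dev_id = device_identity(cert_der)
        self.devices[dev_id] = Device(device_id=dev_id, owner=owner)
        return dev_id

    def observe_address(self, cert_der: bytes, ip: str) -> Optional[Device]:
        """A (mobile) device reconnects from a new IP: the identity follows the
        certificate, so the record is found and only the address is updated."""
        dev = self.devices.get(device_identity(cert_der))
        if dev is not None:
            dev.ip = ip
        return dev


def authorize_device_publish(reg: Registry, cert_der: bytes,
                             claimed_device_id: str) -> tuple:
    """Outbound direction: may this connection publish data as claimed_device_id?"""
    dev = reg.devices.get(device_identity(cert_der))
    if dev is None:
        return False, "unknown device certificate"
    if dev.device_id != claimed_device_id:
        return False, "certificate does not match claimed device id"
    return True, "ok"


def authorize_user_action(reg: Registry, user: User, action: str,
                          device_id: str) -> tuple:
    """Inbound direction: may this user read from or command the device?
    Actions are 'read_telemetry' or 'cmd:<name>'."""
    dev = reg.devices.get(device_id)
    if dev is None:
        return False, "no such device"
    if dev.owner != user.user_id:
        return False, "user is not the device owner"
    if action == "read_telemetry":
        return True, "ok"
    if action.startswith("cmd:"):
        command = action[len("cmd:"):]
        level = AUTH_LEVEL.get(user.auth_method, 0)
        if command in HIGH_RISK_COMMANDS and level < AUTH_LEVEL["fingerprint"]:
            return False, "high-risk command requires stronger authentication"
        return True, "ok"
    return False, "unknown action"


if __name__ == "__main__":
    reg = Registry()
    stove_cert = b"constructed-certificate-bytes-for-a-sauna-stove"  # constructed
    stove = reg.enroll(stove_cert, owner="alice")
    reg.observe_address(stove_cert, "10.0.0.5")
    reg.observe_address(stove_cert, "192.168.1.9")  # moved, same identity
    print(authorize_device_publish(reg, stove_cert, stove))
    print(authorize_user_action(reg, User("alice", "password"), "cmd:heat_on", stove))
    print(authorize_user_action(reg, User("alice", "fingerprint"), "cmd:heat_on", stove))
```

The point of the two separate authorize functions is the bidirectionality the post describes: the device's own certificate decides whether its outbound data is accepted under its identity, while the owner's session and authentication strength decide what may be sent inbound.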