Why the IoT Needs IAM, Part 2: The Complexity of Controlling Access

In a previous post Why the IoT Needs IAM, Part 1: Rise of the Botnets, we discussed the growth of the Internet of Things (IoT) and the enormous attack surface created by billions of Internet-connected devices. Many of these devices have been recruited into botnet armies that are used to launch distributed denial of service (DDoS) attacks. Others are being used to gain access to corporate networks, steal information, and disrupt business operations.

Part of the problem is that the devices themselves are not secure. An HP Security Research study found that 70 percent of commonly used IoT devices had significant vulnerabilities — an average of 25 vulnerabilities per device. According to the HP study and the OWASP Internet of Things Project, the top security problems with IoT devices include insecure interfaces, lack of transport encryption, poor physical security, and insufficient authentication.

These risks are exacerbated by the lack of basic access controls protecting IoT deployments. Many organizations have not even changed the default usernames and passwords on IoT device interfaces, so gaining access requires no exploit at all. As we noted in our previous post, devices infected with the Mirai malware continuously scan the Internet for other exposed IoT devices (typically on the Telnet ports) and attempt to log in to them using a short built-in list of factory default credentials.

It is difficult to excuse this lax approach to IoT security. Consider, however, that an organization's IoT environment could involve thousands or even millions of "things"; managing credentials and permissions device by device is not realistic at that scale. In addition, many devices are designed to communicate with one another and with software, but seldom if ever with humans, so a control model built around a person logging in does not fit. Access controls must cover all of these interfaces and interdependencies, which is an enormously complex proposition.

Identity and access management (IAM) systems are tailor-made for managing credentials and controlling the level of access they provide. However, traditional human-focused IAM solutions cannot handle the scale and complexity of IoT environments. Gartner researchers have posited that the concept of identity must be redefined to include “entities” — devices and services as well as people — that are managed within a common framework. Gartner has even coined a term for it: the “Identity of Things” (IDoT).

The IDoT extends IAM to encompass the identities of entities of every form. Those identities are then used to define the relationships among the entities — between a device and a human, a device and another device, a device and an application/service, or, as in traditional IAM, a human and an application/service.
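To make the idea concrete, here is an added illustration (not code from this post or from Gartner) of what an IDoT-style registry looks like in practice: every human, device and service gets an identity, access is expressed as relationships between identities, decisions are deny-by-default, and enrollment refuses the kind of factory-default login that Mirai exploits. The entity names, verbs and the short list of default credentials are constructed for the example.

```python
"""Toy Identity-of-Things registry: every entity (human, device, service) has an identity,
access is defined as relationships between identities, and decisions are deny-by-default.
Added illustration for this post; not code from the post or from Gartner."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, Set, Tuple


class Kind(Enum):
    HUMAN = auto()
    DEVICE = auto()
    SERVICE = auto()


@dataclass
class Entity:
    entity_id: str
    kind: Kind
    enabled: bool = True


# Constructed, hypothetical subset of the factory-default logins Mirai-style scanners try.
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("root", "xc3511")}


class IdotRegistry:
    def __init__(self) -> None:
        self.entities: Dict[str, Entity] = {}
        # A relationship is (subject_id, verb, object_id), e.g. ("sensor-42", "publish", "telemetry-svc").
        self.relationships: Set[Tuple[str, str, str]] = set()

    def enroll(self, entity: Entity, username: str, password: str) -> None:
        """Register an entity; refuse anything still presenting a factory-default credential."""
        if (username, password) in FACTORY_DEFAULTS:
            raise ValueError(f"{entity.entity_id}: factory-default credential rejected")
        self.entities[entity.entity_id] = entity

    def relate(self, subject_id: str, verb: str, object_id: str) -> None:
        """Grant subject the right to perform verb on object; both must already be enrolled."""
        for eid in (subject_id, object_id):
            if eid not in self.entities:
                raise KeyError(f"unknown entity {eid}")
        self.relationships.add((subject_id, verb, object_id))

    def revoke(self, entity_id: str) -> None:
        """Disable an identity (e.g. a device found compromised); every relationship it is in stops working."""
        self.entities[entity_id].enabled = False

    def is_allowed(self, subject_id: str, verb: str, object_id: str) -> bool:
        """Deny by default: both identities must exist and be enabled, and the relationship must be explicit."""
        subject = self.entities.get(subject_id)
        obj = self.entities.get(object_id)
        if subject is None or obj is None or not subject.enabled or not obj.enabled:
            return False
        return (subject_id, verb, object_id) in self.relationships


def demo() -> Dict[str, bool]:
    """Walk through the four relationship types named in the post with constructed entity names."""
    reg = IdotRegistry()
    reg.enroll(Entity("operator-alice", Kind.HUMAN), "alice", "correct-horse-battery")
    reg.enroll(Entity("gateway-1", Kind.DEVICE), "gw1", "Qw9!zL3kP0")
    reg.enroll(Entity("sensor-42", Kind.DEVICE), "s42", "mX2#vB8nR1")
    reg.enroll(Entity("telemetry-svc", Kind.SERVICE), "svc", "kT7$wE4yU6")

    reg.relate("operator-alice", "administer", "gateway-1")  # human -> device
    reg.relate("gateway-1", "configure", "sensor-42")         # device -> device
    reg.relate("sensor-42", "publish", "telemetry-svc")       # device -> service
    reg.relate("operator-alice", "read", "telemetry-svc")     # human -> service (traditional IAM)

    results = {
        "sensor_publishes": reg.is_allowed("sensor-42", "publish", "telemetry-svc"),
        "sensor_configures_gateway": reg.is_allowed("sensor-42", "configure", "gateway-1"),  # never granted
        "unenrolled_device": reg.is_allowed("sensor-99", "publish", "telemetry-svc"),
    }

    # A device enrolled with a Mirai-style default login is refused outright.
    try:
        reg.enroll(Entity("camera-7", Kind.DEVICE), "root", "xc3511")
        results["default_cred_rejected"] = False
    except ValueError:
        results["default_cred_rejected"] = True

    # Revoking the sensor's identity cuts every relationship it participates in.
    reg.revoke("sensor-42")
    results["sensor_after_revoke"] = reg.is_allowed("sensor-42", "publish", "telemetry-svc")
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point of the model is that a device is revoked, not a password changed on a box somewhere: disabling the identity of `sensor-42` removes its ability to publish to the service and the gateway's ability to configure it in one operation, which is what lets the approach scale to fleets the post describes.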

Since devices have not traditionally been part of IAM systems in this way, the IDoT will likely require the integration of IAM with other management tools, such as IT asset management (ITAM) and software asset management (SAM) systems. Alternatively, IAM systems could assume some functional characteristics of ITAM and SAM. The actual implementation of the IDoT will depend on IAM solution providers.

The IoT is not just about introducing various forms of networked devices into the enterprise IT environment. It is about the creation of a vast, interconnected ecosystem for processing, analyzing, storing, and sharing data. IoT security will require a new approach to IAM that effectively controls access while still enabling the free flow of data that makes the IoT so valuable. No matter how it’s implemented, the concepts and discipline of IAM have a role to play in securing the IoT.
