With the wide adoption of 5G, it’s no secret that the Internet of Things (IoT) is coming at us at a much faster pace than first anticipated. This significant growth will undeniably have an impact on how interactions between humans, devices and systems will be managed. This article explains how these interactions will be managed in an interactive environment.

Today, for every person connected to the internet there are 4 connected devices. Estimates show that by 2025, this number will grow to 10.

– Laurens Verhoeven

More than just hype?

As a concept, IoT offers a way to connect devices wirelessly to a network. It transfers data without human-to-human or human-to-computer interaction and allows us to automate day-to-day tasks by controlling and monitoring devices remotely. That’s why it has become so popular with both consumers and industry. Today, for every person connected to the internet there are 4 connected devices. Estimates show that by 2025, this number will grow to 10. To ensure a successful and secure implementation of IoT, it is crucial that the roles and access rights of individual "Things" are clearly defined and managed. Originally, Identity and Access Management (IAM) dealt with the relationship between people and devices, but with the rise of the IoT, it must now deal with the relationships between people and devices, devices and devices, and systems and devices - the Identity of Things (IDoT). This raises the question of how we can identify, authenticate, authorize and securely connect billions of “things”.

Knowledge is power

IoT solutions are often deployed in large numbers - sometimes in hard-to-reach locations, but still in reach of potentially malicious actors. In order to maintain the integrity of IoT applications, it is essential to strategically plan in advance.  As security standards and procedures are still lacking for the majority of IoT devices, they are easy and popular targets for hackers. Device lifecycle management is thus critical for a strong security strategy but is often overlooked by companies. Many organizations do not have a complete view of all of the connected devices on their network and are not able to appropriately protect them. Whilst devices should be secure by design and avoid having default passwords or insecure communication protocols, this is often not the case. Instead, devices have little-to-no possibility to update the firmware and often contain default credentials configured by the manufacturer. When it comes to buying new devices, putting security requirements into vendor agreements is key. 

Which ‘thing’ are you?

“Identity” is a fundamental building block in security. Besides human identities and system identities, we must also deal with device identities, or the Identity of Things. With this identity, the trustworthiness of a device can be validated, and malicious devices kept out of the network. Authentication in Identity of Things is different from the usernames and passwords we see in workforce identity and access management. One device can be accessed by multiple users and can interact with multiple systems and devices itself. This proves the complexity of managing the Identity of Things. It is an integration of devices, services and data, together with one or more users, which should result in the establishment of trust relationships between all these actors.

Imagine a car sharing scenario. One car, the “thing”, is shared by many users and sends diagnostic data to the car manufacturer as well as the leasing company. The leasing company needs to have an overview of which user used the car, for how long and at which time, for billing purposes. The car will need to send error messages to the car manufacturer, maintenance info to the dealership or location to the leasing company. Until now, we have already established interaction with three different systems. All three are collecting data from the car. Therefore, it is key that the connection between the car and the different systems is secure, and that the integrity of the data is ensured.

This can be achieved by thinking about device lifecycle, authentication and authorization. Device lifecycle management will ensure that the car can no longer send or receive data once it is decommissioned. Authentication will ensure that all users are who they claim to be, but also that the car can prove that it is who it claims to be. Finally, authorization will ensure that the users, the car, and the systems connected to both can only access the data and data sources they really need, and they are allowed to access.

IoT devices are here to stay and will only grow in number and capabilities. Managing their identity and information gathering capabilities must be key considerations in order to successfully design and deploy your IoT infrastructure.

This article is part of a larger narrative with regards to identities and their behaviors. Whereas the Identity of Things is spotlighted in this case, a sharper focus will be put on the workforce, as well as on the customer. These articles can be found here.

 

Authors: Karel Dekyvere, Laurens Verhoeven, Alessio Musone