The Internet of Things (IoT) is transforming industries and the way the world around us lives and works. When we say ‘IoT’, we picture different forms of networked devices or machines (both called ‘Things’) in digital business scenarios. But it is more than that: it is a transformational shift in how analytics, communications, processing and storage are perceived and carried out, and this new way transforms both IT and operational technology (OT) infrastructure.
According to Gartner, “The global economic impact of the IoT is estimated to be $2 trillion by 2020, with more than 20 billion connected ‘things’” (Rise of Identity and Access Management in the IoT Era, 24 October 2016). This, however, inevitably increases the number of malicious activities, physical harms and business disruptions. Users, applications, mobile devices, ‘things’, IoT gateways, platforms and services all play a part in IoT solutions, and they need identities to form a trusted ecosystem that extends beyond the scope of any single organization. IoT demands trusted identities and trusted communication to and from any mobile device and ‘thing’, as well as between the ‘things’ themselves. Simply put, IoT demands trusted machine identities.
IoT platform providers and ‘thing’ makers are traditionally strong at enterprise implementations related to data, telematics and analytics. They commonly have a solid device and gateway approach but limited central IAM capabilities. IoT platform vendors, in general, focus less on maintaining privacy, providing the required authentication and managing user identities through a central IAM. However, this trend is changing. Several IoT platform providers, such as Amazon and Microsoft Azure, have started to incorporate device identity and access technologies into their IoT platforms to simplify security designs in IoT deployments.
As IAM in the IoT era gains momentum, Gartner confirms that “IAM will soon become, if not already, an integral part of each and every IoT solution. By year-end 2020, 40% of identity and access management (IAM) vendors will require complete redesigns of their IAM solution to work with the Internet of Things, up from 5% today.” (Rise of Identity and Access Management in the IoT Era, 24 October 2016)
The objective here is to handle the life cycle management of individual identities and credentials across people, applications, mobile devices and ‘things’ – from factory to recycle bin.
Market Trends: Rise of Identity and Access Management in the IoT Era, 24 October 2016
To secure the communication between IoT machines, effective machine authentication functions are required. Effective authentication enables machines to securely link with other devices, applications, machines and people, to deliver data from the device and to accept commands sent to it. Secure authentication ensures a smooth data flow to and from an IoT device, and safeguards device integrity as well.
There is an increasing demand for IoT ‘thing’ manufacturers and platform providers to design and embed security controls, including machine authentication, into the device and ‘thing’ firmware. Furthermore, there is an ever-growing requirement for IoT use cases to apply risk-adaptive authentication methods that not only adapt to the varying levels of security risk that emerge over a hardware life span, but also support the performance, scalability and availability requirements of both the hardware product itself and the IoT solution as a whole.
Unfortunately, traditional IAM platforms were not built to support the high volumes and varied types of consumer and machine identities, the growing number of interactions, the enormous amount of collected data, and the relationships that are created dynamically when a new, unknown mobile device connects to a ‘thing’ or an IoT network. They struggle to compete in the IoT market because of the need for scale, diversity, dynamic management and orchestration of IoT entities. The ability to store and manage all involved entities dynamically and at scale – users, devices, ‘things’, services and the relationships between them – is an absolute must for IoT.
Gartner again stresses the importance of this in its “Predicts 2017: Identity and Access Management” from November 2016, where its IAM analysts present the following key findings:
- “The expansion of Internet of Things (IoT) technologies is spurring changes in digital business, and forcing identity and access management (IAM) markets to adjust to common governance and technology interdependencies in the IT, operational technology (OT) and physical security areas.”
- “IAM requirements and solutions are becoming more diverse as IAM programs span multiple digital platforms and tools, including devices and user-entity relationships.”
- “Replacing traditional physical access cards with smartphones enables widely sought-after cost reductions and user experience (UX) benefits.”
IoT authentication providers are partnering with hardware manufacturers in specialised industry segments to offer on-chip or machine-embedded authentication and thus gain early market expertise and potential. While new machine authentication methods will be adopted as they emerge, Public Key Infrastructure (PKI) and its variations for IoT are generally accepted as the most relevant methods, and conventional PKI vendors have used them to foster early entry into the market. Billions of devices and machines from various manufacturers will have to communicate and interact with each other, so identity and trust amongst them are essential elements of this communication. Without identity there is no trust, and without trust there cannot be secure communication and interaction. PKI is a well-known security concept for large IT networks, working quietly behind the scenes. It has also seen significant uptake for device identity and authentication, e.g. in the digital passports of more than 100 countries around the world. PKI rests on security standards that remain unbroken and has been proven to scale across billions of devices. In the IoT, PKI can be used to authenticate mobile devices to real ‘things’, real ‘things’ to cloud services, cloud services to cloud services, and so on – in fact any entity to any entity.
Current IoT authentication providers are advised to extend their authentication and access management solutions to meet the increased demand for agility and cloud adoption on IoT platforms. They should ideally offer authentication APIs and microservices that provide easy integration points for embedded development teams at hardware manufacturers and for application providers. In a typical IoT network configuration with multiple domains, federation of trust models allows interoperability between the different domains and between devices that use different trust models.
One of the current innovative IoT authentication providers is baimos technologies with its BlueID Trusted Service Platform. It combines the concept of a phone-as-a-token with PKI that, within a second, runs heavy cryptography even in the smallest devices and machines. Certificates from the central BlueID TrustCenter secure access rights for specific machine identities, allocated to users and ‘things’ by the IoT service provider. Access rights coming from the service provider are turned into certificate-secured tokens by the BlueID TrustCenter and sent to a dedicated user’s mobile device. A true mutual PKI-based authentication is then established directly between the user’s mobile device and the ‘thing’ in local range, with each mobile device and each ‘thing’ holding its own individual private key as the root of its identity. Local communication can be provided over Bluetooth LE, NFC or WiFi. Access is granted only when the machine identities, the time and the communication channel documented in the token are properly verified by the ‘thing’ itself. The process can be compared with a traveller crossing a country border: the border guard checks the traveller’s passport and visa, and only if both are valid and match is the traveller allowed to cross. Baimos Technologies provides software development kits (SDKs) to integrate its IoT identity and authentication management solution easily into mobile devices and ‘things’. A standard REST API allows IoT service providers to connect quickly to the BlueID TrustCenter. A real strength of the BlueID Trusted Service is its offline functionality: authentication and authorization of the machine identities take place directly between mobile devices and ‘things’ and never require Internet connectivity, which means the connection can be made anywhere. It is robust and ultra-fast everywhere in the world, which meets the scalability and diversity requirements of IoT platforms mentioned earlier. Additionally, it fully conforms to hardware manufacturers’ power consumption and software footprint requirements.
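To make the offline verification step concrete, here is an added, simplified illustration in Go of the checks described above; it is a constructed example, not BlueID's code or protocol. A TrustCenter-signed token names the device, the ‘thing’, the local channel and an expiry; the ‘thing’ verifies it with a TrustCenter public key assumed to be pinned in its firmware, then challenges the device to prove possession of the private key named in the token (Ed25519 and the token layout are choices made for this example).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Token is a constructed TrustCenter access right: which mobile device may
// open which thing, over which local channel, until when (all sample fields).
type Token struct {
	DevicePub ed25519.PublicKey // identity of the mobile device
	ThingID   string            // identity of the machine (assumed free of '|')
	Channel   string            // "ble", "nfc" or "wifi"
	NotAfter  int64             // expiry, unix seconds
	Sig       []byte            // TrustCenter signature over Bytes()
}

// Bytes is the canonical encoding the TrustCenter signs and the thing verifies.
func (t *Token) Bytes() []byte {
	return []byte(fmt.Sprintf("%x|%s|%s|%d", t.DevicePub, t.ThingID, t.Channel, t.NotAfter))
}

// Authenticate runs on the thing with no Internet access; tcPub is the TrustCenter
// public key, assumed pinned into the firmware at manufacturing time. After the
// token checks the text names (identities, time, channel) the device must sign a
// fresh nonce bound to thingID with the private key behind t.DevicePub.
func Authenticate(tcPub ed25519.PublicKey, thingID, channel string, now int64, t Token,
	devSign func(msg []byte) []byte) error {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	challenge := append(nonce, thingID...) // binds the proof to this thing only
	switch {
	case !ed25519.Verify(tcPub, t.Bytes(), t.Sig):
		return errors.New("token not signed by the pinned TrustCenter key")
	case t.ThingID != thingID || t.Channel != channel:
		return errors.New("token not issued for this thing and channel")
	case now > t.NotAfter:
		return errors.New("token expired")
	case !ed25519.Verify(t.DevicePub, challenge, devSign(challenge)):
		return errors.New("device cannot prove the private key named in the token")
	}
	return nil // the thing proves itself to the device the same way with its own key
}
```

The TrustCenter side is just `tok.Sig = ed25519.Sign(tcPriv, tok.Bytes())`; any later change to the token's fields invalidates that signature, which is why the ‘thing’ can trust the identities, channel and expiry it reads.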