Many data breaches begin with bad actors stealing legitimate user credentials — a fundamental flaw in wider security systems. Logically, by locking down user identities, you can protect against stolen credentials and insider threats. But what if that threat is no longer a person or even a physical entity?

We all know the huge opportunity the Internet of Things (IoT) represents in terms of productivity, efficiency and overall market size. IDC and Gartner predicted market opportunities of $1.7 trillion for the wider ecosystem by 2020 and $868 billion alone for enterprise in 2016, respectively.

The potential of the IoT is clear, but many pervasive questions still remain — and these require answers. One such question focuses on business impact and general operational awareness: Are enterprises fully aware of the identity and access management (IAM) challenges potentially posed by the IoT?

A New Way of Approaching the IoT

The growth of the IoT requires businesses to evolve the ways they define and manage relationships between entities to ensure secure and efficient processes. As you would imagine, more robust identity management plays a key role in managing this increasingly complex web of relationships.

Historically, the IAM relationship has been between a human and a device. More recently this has evolved to include smart objects such as cars and even houses. Devices, objects and services are now abundant in many forms within the enterprise IT ecosystem. As such, all IoT entities — such as people, applications, services and devices — within a given enterprise ecosystem need an identity.

One of the key issues with IAM in its current form is that it does not provide access management at scale to match the complexity presented by the IoT. Another issue is that many companies overlook IAM and fail to recognize its intrinsic value and necessity.

The IoT requires the identification process to be extended to each and every participant in the IT ecosystem, since these various elements all have the same requirements to interact with each other. Identities for objects might include IP addresses, embedded keys or electronic tags. For human beings, identities can include user accounts or a unique number. But where IAM was previously associated with the physical identification of individuals, the IoT has put a new spin on things.

The Identity of Things?

The immersive nature of the IoT and its relation to IAM could be referred to as the Identity of Things (IDoT). It certainly requires new definitions of the relationships between the elements involved. An awareness and understanding of the IDoT as an essential part of a more holistic IAM discussion is key for all companies, big and small, when looking to leverage the potential business intelligence advantages of the IoT.

The last several years have seen IAM become less of a siloed, stand-alone endeavor. Rather, it brings together the multiple access management elements into a cohesive, synchronized system working toward a single goal: robust enterprise security.

The IoT has blurred the lines, making the task at hand increasingly complex. The failure to evolve IAM strategies accordingly will result in a potentially crippling inability to properly harness the intelligence and agility promised by the IoT. However, the security industry as a whole is moving in the right direction, and we’ve now reached a high-water mark.

In this age of IoT, the main point is not that connected things can access an enterprise, but rather that things can be accessed. This has the potential to be far more explosive; just look at the example of the hijacked Jeep at the Black Hat conference last year.

The IDoT is the next challenge on the horizon for IAM as we know it. More importantly, it’s the next hurdle for enterprises looking to harness the business intelligence and benefits of the IoT. If the recent advances of the last 24 months are anything to go by, however, we should simply view it as the latest in a long line of IT and business challenges to overcome rather than an impassable obstruction.
