A Double-Edged Sword: IAM Meets IoT
Many data breaches begin with bad actors stealing legitimate user credentials — a fundamental flaw in wider security systems. Logically, by locking down user identities, you can protect against stolen credentials and insider threats. But what if that threat is no longer a person or even a physical entity?
We all know the huge opportunity the Internet of Things (IoT) represents in terms of productivity, efficiency and overall market size. IDC and Gartner predicted market opportunities of $1.7 trillion for the wider ecosystem by 2020 and $868 billion alone for enterprise in 2016, respectively.
The potential of the IoT is clear, but many pervasive questions still remain — and these require answers. One such question focuses on business impact and general operational awareness: Are enterprises fully aware of the identity and access management (IAM) challenges potentially posed by the IoT?
A New Way of Approaching the IoT
The growth of the IoT requires businesses to evolve the ways they define and manage relationships between entities to ensure secure and efficient processes. As you would imagine, more robust identity management plays a key role in managing this increasingly complex web of relationships.
Historically, the IAM relationship has been between a human and a device. More recently this has evolved to include smart objects such as cars and even houses. Devices, objects and services are now abundant in many forms within the enterprise IT ecosystem. As such, all IoT entities — such as people, applications, services and devices — within a given enterprise ecosystem need an identity.
One of the key issues with IAM in its current form is that it does not provide access management at scale to match the complexity presented by the IoT. Another issue is that many companies often overlook the measure and fail to recognize IAM’s intrinsic value and necessity.
The IoT requires the identification process to be extended for each and every participant in the IT ecosystem since these various elements all have the same requirements to interact with each other. Identities for objects might include IP addresses, embedded keys or electronic tags. For human beings, identities can include user accounts or a unique number. But where IAM was previously associated with the physical identification of individuals, the IoT has put a new spin on the things.
The Identity of Things?
The immersive nature of the IoT and its relation to IAM could be referred to as the Identity of Things (IDoT). It certainly requires new definitions of the relationships between the elements involved. An awareness and understanding of the IDoT as an essential part of a more holistic IAM discussion is key for all companies, big and small, when looking to leverage the potential business intelligence advantages of the IoT.
The last several years have seen IAM become less of a siloed, stand-alone endeavor. Rather, it brings together the multiple access management elements into a cohesive, synchronized system working toward a single goal: robust enterprise security.
The IoT has blurred the lines, making the task at hand increasingly complex. The failure to evolve IAM strategies accordingly will result in a potentially crippling inability to properly harness the intelligence and agility promised by the IoT. However, the security industry as a whole is moving in the right direction, and we’ve now reached a high-water mark.
In this age of IoT, the main point is not that connected things can access an enterprise, but rather that things can be accessed. This has the potential to be far more explosive; just look at the example of the hijacked Jeep at the Black Hat conference last year.
The IDoT is the next challenge on the horizon for IAM as we know it. More importantly, it’s the next hurdle for enterprises looking to harness the business intelligence and benefits of the IoT. If the recent advances of the last 24 months are anything to go by, however, we should simply view it as the latest in a long line of IT and business challenges to overcome rather than an impassable obstruction.