Outsmarting the Internet of Everything Before It Outsmarts Us
The “Internet of Everything” is being touted as the largest technology market in history, with over $14 trillion at stake. It’s expected to usher in automation in nearly all fields, with Big Data analysis revealing insights that businesses can harness in countless exciting new ways. We hear about smart homes, smart grids, smart cities, smart healthcare, and even smart cows, as farmers are now equipping their herds with sensors that alert them if a cow gets lost or becomes sick. Cisco reported over 12.5 billion devices were connected to the Internet in 2010, with the Internet of Everything driving that figure to over 50 billion connected devices by 2020.
Yet securing the “Internet of Everything” (IoE), as we prefer to call it, is rather like the Wild West right now when it comes to identity and access management (IAM) standards. News reports of refrigerators being used as spam relays, and of air-conditioning systems allowing entry into corporate IT networks, already exist. A recent study from Hewlett-Packard estimated that approximately 70 percent of IoT-ready devices are potentially hackable. The average device featured 25 vulnerable points of contact. Considering the multiple IoT devices in an interconnected home or business, just a few vulnerable points on a mobile phone can quickly turn into 50 or 60 security issues, the report explained.
The key to outsmarting potential malfeasance from interactions among these sources will be allowing access only to trusted entities. And that means that every device will need a unique identity that can be trusted. If you want to allow your home thermostat to send data out to fuel providers so they might bid on your oil contract, you’ll want just the vendors you select to be able to access that data.
Automating this level of IoE identity and access control at this scale becomes challenging, not only because of the sheer number of devices and access points, but because the nature of the dialogue itself has changed.
Identities for the Internet of Everything
We are seeing a transition in the Internet of Everything from interactions initiated by people to interactions initiated by machines. At the same time there is a transition of control and intelligence, as the mid- and end-points take on more responsibility through their individual or collective “power.” There exists a continuum of capabilities in these end- and mid-points, ranging from “dumb” data collection sensor nodes with limited onboard memory to smart gateways, bridges and control elements. Yet all connected Internet interactions share the same need for authentication, confidentiality, authorization and integrity.
Four must-have capabilities are evolving for establishing a trust framework in the evolving IoE world:
1. Identity services – including verification, credentialing and assurance. Knowing which devices to trust, at what juncture, in real time, will be critical. A new category of IAM offerings will emerge to support the massive scale required for the IoE. The concept is that a thing has an identity, but so does the owner. In fact, the owner of one thing can own dozens of things.
We’ll see new paradigms for generating trusted identities based on social networks, registries of personal data, government-issued IDs, technology embedded by manufacturers and established via other known relationships.
Manufacturers or their service providers, offering Identity as a Service (IDaaS), will play a strategic role in this new Internet paradigm, serving as both issuers and trusted gatekeepers of identities, mediating transactions and providing federation services. They will create ownership, support the various credentials used to establish and authenticate that ownership, and handle the transfer of ownership.
Numerous industry experts have identified the existing Public Key Infrastructure (PKI) as today’s most viable solution to the demands of providing identities for the IoE, because of its proven history of public trust, ubiquity and encryption. PKI already provides an identity framework underlying many IoE transactions. Right now there’s no alternative for reliably authenticating a thing, person or entity – period. The latest generation of microcontrollers incorporates hardware crypto capabilities, and mobile phones have incorporated PKI for years.
2. Federated identities. The ability to share data and trusted identities from one ecosystem to another will require federation services so that multiple independent domains and their identity information can be seamlessly accessed without unnecessary reauthorizations. When your smart washing machine needs service, you won’t be locked into the manufacturer’s service provider. The washing machine itself will be able to “shop” for a local technician because you have opted to share information with trusted providers.
Right now SAML 2.0 is the most widely adopted standard for device federation. Others, such as OAuth for social identities, and older standards such as the ETSI MSS protocol and the WS-Federation protocol for Microsoft products, also exist and may play a select role. So too will major APIs such as REST and the entire “API economy.” Industry groups such as the Kantara Initiative, a US consortium working to further digital identities for connected living, and STORK, its equivalent in Europe, undoubtedly will help drive new standards.
3. Scalability – The IoE requires a scale that we have not seen before: the rate of enrollment and issuance, coupled with the load of ongoing validation. Issuance moves from a stepwise process to a real-time, production-line-capable, delegated registration authority model. As the number of interconnects increases, so does the validation load. Things pose new challenges in the validation process: hardware will always “exist” – it can’t be revoked directly. The associated identity mapping will need to model this regardless of implementation. PKI, as mentioned earlier, is the only appropriate solution on the market today for the task. While Quantum Key Exchange shows promise, it’s not ready for widespread deployment. Undoubtedly other modalities we have yet to foresee will arise, too.
4. SSO and self-service capabilities. I heard of a user who had to register with three different services just to update his new Sony action cam. And that’s just one of his “things” – from one vendor! Single sign-on (SSO) capabilities, password resets, and the ability to authorize access will bridge disparate environments, making it easy for consumers to manage the dozens of smart devices in their homes and the applications they use. Self-service registration and administration will be essential. Most probably each individual manufacturer will issue identities to their devices, but they will have no idea where the device is going or who will own it. If the manufacturer embeds an identity in the device, then once someone buys it, the customer can use a self-service interface to “acquire” the thing, and the thing becomes their own.
However, the pervasive application of SSO will require that ecosystem vendors trust each other and conform to standards. There’s going to be a ton of vendors creating APIs and user interfaces to connected devices from different vendors to satisfy the needs of advanced users.
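As an added illustration (not code from this article or from GlobalSign) of the model sketched in items 3 and 4: a manufacturer issues a unique identity to each device before the buyer is known, the buyer “acquires” the device through a self-service step that demands proof of possession, ownership can later be transferred, and revocation marks the identity mapping rather than the hardware, which keeps existing. An HMAC challenge-response stands in for the PKI certificate proof the article has in mind; every name, serial number and secret below is constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Device:  # a "thing" carrying the unique id and secret embedded at manufacture
    device_id: str
    secret: bytes  # stand-in for a device private key; never leaves the device

    def respond(self, challenge: bytes) -> bytes:
        # Proof of possession: only the genuine device can answer the challenge.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

class OwnershipRegistry:  # manufacturer issuance record plus device -> owner mapping
    def __init__(self) -> None:
        self._issued = {}   # device_id -> verification secret
        self._owner = {}    # device_id -> owner, None while unclaimed
        self._revoked = set()

    def issue(self, device_id: str) -> Device:
        # Factory step: the identity exists before the future owner is known.
        self._issued[device_id] = secrets.token_bytes(32)
        self._owner[device_id] = None
        return Device(device_id, self._issued[device_id])

    def _possessed(self, device: Device) -> bool:
        issued = self._issued.get(device.device_id)
        if issued is None or device.device_id in self._revoked:
            return False
        challenge = secrets.token_bytes(16)
        expected = hmac.new(issued, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(device.respond(challenge), expected)

    def bind(self, device: Device, new_owner: str, current=None) -> bool:
        # Self-service "acquire" when current is None, ownership transfer otherwise;
        # either way the physical device must answer the challenge.
        if self._owner.get(device.device_id) != current or not self._possessed(device):
            return False
        self._owner[device.device_id] = new_owner
        return True

    def revoke(self, device_id: str) -> None:
        # The hardware keeps existing; only its identity mapping is marked untrusted.
        self._revoked.add(device_id)

    def authorize(self, device: Device, owner: str) -> bool:
        # Access decision: prove possession and match the registered owner.
        return self._possessed(device) and self._owner.get(device.device_id) == owner
```

A cloned serial number without the embedded secret fails the possession check, so neither a claim nor a transfer can be forged from the identifier alone.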
Will we be able to outsmart the IoE and its myriad touch points, or will it outsmart us? Businesses need to invest in identity and access management solutions that feature authentication and other, more robust levels of security to ensure their devices are tuned for the IoE. Then we can more fully harness its potential to create new capabilities, richer experiences, and unprecedented economic opportunity — knowing that only the right people/systems/machines/applications have access to the right information, at the right time.
About the author: Joan Lockhart is chief marketing officer at GlobalSign, the security division of the Tokyo-based GMO Internet Group (TSE: 9449) and a provider of identity services for the Internet of Everything, mediating trust to enable safe commerce, communications, content delivery and community interactions for billions of online transactions occurring around the world at every moment. Its identity and access management portfolio includes access control, SSO, federation and delegation services to help organizations and service providers create new business models for customer and partner interactions.