IoT Security: Identity of things

The more you have, the more you get: identity plays a key role in securing IoT, and the number of digital identities to manage tends to grow exponentially – many more than existing identity and access management (IAM) systems need to support, says the IoT Working Group at Cloud Security Alliance.

The security industry is changing and IAM is no longer solely concerned with managing people but also managing the hundreds of thousands of “things” that may be connected to a network. Some practitioners have begun to refer to this new identity ecosystem as the Identity of Things.

Smart Industry asked leading analyst firms about the importance of identity management, the major challenges, and the ways to implement identities for IoT.

Every device, app, service, and interface in IoT needs its own identity. Why is that?

Martin Kuppinger, KuppingerCole (KC): An IoT device will need to interact and communicate with other devices, applications, or services of some kind to be useful. It’s important to trust that these IoT devices can prove they are what they claim to be, or represent. Otherwise, hackers could use these IoT devices to attack other devices, applications, or the services they interact with, as well as the data transmitted from these devices, which could be stolen or compromised.

IoT devices communicate with core systems in countless ways.
_{Mark Child, IDC}

The first step in an IoT trust relationship is the ability of an entity to identify and prove itself through the act of authentication. Any kind of device needs a unique identifier, if only to differentiate it from another one.

For large fleets of IoT devices this is a basic operational requirement – deployment, maintenance, monitoring of IoT devices is impossible without unique identities. Data generated by IoT sensors is much less useful without identifying where it comes from. Most use cases require this data to be tamper­proof and not forged by attackers and, for most cases, these identities must be based on cryptography. Provisioning large IoT systems with reliable, unique, secure standards­-based identities is a major challenge at the moment.

Mark Child, IDC: IoT devices communicate with core systems in countless ways, whether it’s physical access systems checking credentials, warehouse scanners updating inventory, or temperature sensors communicating with industrial control systems.

These connected devices typically do not have the same robust security associated with operating systems for PCs or servers and, as a result, they may be targeted by hackers as an entry point through which to penetrate the network.

In some cases that may be the hacker’s goal: as an entry point and, possibly, as an egress route through which corporate IP may be exfiltrated. In other cases, looking at the examples above, the aim might be to allow unauthorized personnel to access a secure site or to sabotage production operations.

Bernhard Schaffrik, Forrester Research (FR): The elements of IoT systems perform a variety of actions while accessing sensitive corporate data. Therefore, they actually represent a kind of identity, albeit nonhuman.

Managing all IoT assets like identities allows the application of known administration processes to ubiquitous IoT assets. If you don’t know how many software bots, physical robots, or IoT devices are connected to your network, and how many of these devices store or interact with critical data, you expand your threat surface, leading to unmanaged zombie accounts that malicious actors will use to carry out attacks. This usually leads to reputational damage and financial loss.

What are the use cases for IoT identities in security and for IoT analytics?

IDC: Implementing IoT security, specifically device identity, allows the organization to put authentication and access controls in place, ensuring that the system recognizes the device and that communication from the device is legitimate.

Baseline behaviors can be established for each device and, through analytics, the system can seek to detect anomalous behavior. The system can then trigger an alert for a human controller to check the device or request, or it can trigger an automated response, quarantining or isolating the device to prevent the transmission of malware to the organization, or the exfiltration of data from the organization.

FR: Because most deployed IoT assets act like network ­accessing computers, the whole management life cycle has to be applied to them as well: from discovery to monitoring, compliance, and retirement. Not knowing your landscape of IoT assets carries comparable risks to not knowing your application landscape.

Beyond the operational risks, at some point you will need to clean up your IoT landscape. Who wants to embark on collecting, documenting, and consolidating all these assets? Why repeat the same old mistakes we made with IT asset, architecture, and configuration management?

What is the current situation with IoT identities? Are IoT implementations lacking identity solutions?

KC: There is a wide range of IoT types that sense or actuate something supporting personal, enterprise, and industrial use cases. Thus, there is little consensus on IoT identity standards, only a set of best practices depending on the type of IoT being used.

I would argue that many IoT projects try to use existing solutions for IoT – the obvious one is using public key infrastructure (PKI). Unfortunately, traditional PKI architectures don’t scale well for large IoT deployments. Also, provisioning each device at manufacture time is a tedious process, so some vendors are offering ways to turn physical devices into cryptographic material, like physical unclonable functions based on variations in semiconductors.

Depending on the IoT device’s type and capabilities (for example, CPU or storage type), the identifier can also range from an embedded identity, such as a serial number or certificate that is inserted in the device during manufacturing, to a hardware embedded secure element, like a Trusted Platform Module (TPM) crypto processor. For devices that can’t accommodate these embedded options, less secure methods are sometimes called for, such as analyzing environmental and behavioral characteristics, or a combination of one or more device characteristics, to coarsely identify it.

Organizations focus today on human instead of on machine identity. this needs to change!
_{Martin Kuppinger, KuppingerCole}

Although these methods are mostly proprietary, vendors do often offer a standardization layer on top of them, for example through the use of public key infrastructure mechanisms to provide a strong, unique, and immutable identity. Other vendors focus on creating their own cryptographic architectures better suited for largescale deployments or on offering more fine ­grained access management through cryptography.

Organizations focus today more on human identity than IoT/machine identities. This needs to change. 5G will be a major driver for much wider deployments. The slow­ but growing list of platforms or IoT­ as a ­Service solutions will help with the management of IoT fleets. Unfortunately, there doesn’t seem to be a lot of effort in standardization and interoperability across different platforms. Perhaps we should look at organizations like Kantara for interesting developments, rather than Amazon Web Services or Microsoft.

IDC: We see a huge spectrum [of identity solutions]. Rising numbers of attacks, often widely reported in the media, have driven many IoT device manufacturers to implement more robust security controls in their products.

Organizations, particularly those in critical infrastructure sectors that have frequently been targeted, are much more aware of the security risks and vet their suppliers more closely, often including security criteria in their requests for proposal. There is a push for standards, particularly on mature western markets. This may represent the thin end of the wedge, however.

Connected consumer devices, everything from headphones and baby monitors to fridges, TVs, and even sex toys, are frequently shipped without any significant security built into them. For manufacturers, production costs, time to market, and proft margins are the business imperatives and, to them, security represents a cost.

Three things can change this. First, the implementation of strict standards and certifications. However, this is very challenging to roll out universally, particularly given the huge spectrum of devices being developed with Internet connectivity. Second, pushback from customers impacting demand but, when it comes to the consumer market, there is typically insufficient awareness to drive a sufficiently robust response to impact a manufacturer and cause it to improve its product. Third, the widespread reporting of hacked devices in the media – however, by then, in most cases it’s already too late.

Conduct annual security training for IoT asset owners and operators.
_{Bernhard Schaffrik, Forrester Research}

FR: We are observing the whole spectrum from very sophisticated identity solutions implemented for IoT systems, to not even considering leveraging them for a company’s IoT system.

One frequent question is if an existing IAM solution can be reused to secure IoT assets. The answer is that, while you can leverage your existing IAM platforms where possible, new tools and approaches will be required to bridge the gap between human and nonhuman identities. For example, in contrast to humans, machines never sleep and high volume, high­ velocity cryptographic key management becomes overwhelming; ID platforms or ID­ as ­a Service might not be optimized for IoT identities.

How can we build IoT identities? What are the major challenges?

IDC: Network access control (NAC) that enables organizations to gain visibility of devices, manage authentication and authorization, and enforce policies on users and devices. PKI can be a solution, it is based on existing standards and can work for many use cases.

Going further in identity, PKI provides secure and encrypted communications and authentication between devices, services, and users. Every device or thing can be given a unique identifier. Solutions exist from many vendors like Thales, DigiCert, nCipher (now known as Entrust), PrimeKey, and GlobalSign.

As with other security solutions, challenges come from different angles – from the lack of existing or available skills in managing PKI, to a lack of ownership in identifying who is responsible for deployments or, more generally, the lack of investment in IoT security.

According to IDC’s 2020 European survey, only 42 percent of organizations embed security during the planning of a new initiative (including IoT deployments), the rest bringing it either as an afterthought or not at all (9 percent).

FR: Extend your existing IAM platforms and use purpose ­built tools to secure IoT identities, while aligning to a zero ­trust model. Gain visibility into your IoT identities. Take inventory of the types of machine identities in your organization: where they reside, what they have access to, what permissions they have, and how they are managed and secured (or not). Understand the scope of your exposure, determine your maturity levels, and begin work on a remediation plan.

How to Know Who’s Who

Use cases for IoT Identities

• IoT identity visibility (for example, IoT discovery on networks or PKI certificate management)
• Device management life cycle, from device registration to end-of-life or removal
• Device and platform security – encryption of communications and data, authentication to other IoT devices, applications, or services, validation/authorization (from access key information to identifying device permissions)
• Integration protocols and standards (including real-time APIs, representational state transfer, MQ telemetry transport)
• Monitoring of devices
• Compliance (data privacy and other standards or regulations)
• IoT analytics and reporting (real-time analytics, risk profiling, anomaly detection, artificial intelligence, and machine-learning-related services and tools)
• Connecting IoT identities with existing identity and access management systems

Assess your current IAM solutions and providers, extend where possible. Traditional IAM controls may not work for the high­ velocity, complex nature of new machine identities with human operators. However, centralize the directory or identity governance or privileged access vaults of both human and machine identities whenever possible, but be prepared that specific performance, usability, or protocol support requirements may mean you need added purpose­ built tools and approaches.

Conduct annual security training for IoT asset owners and operators. All users working with IoT assets should go through cybersecurity training to understand how to manage their environments. Staying up to date on security protocols and risks will help companies avoid breaches resulting from user error.

Align your long­ term strategy on the zero ­trust founding principles. Focus on some of the main tenets of zero trust, including assumed breach and least principle.

READ MORE ARTICLES