This enormous growth in the number of connected ‘things’ out there has also introduced a raft of new security challenges. After all, every one of those ‘things’ is a potential point of vulnerability, precisely because of its connectivity. If a malicious party can compromise one such device, it can theoretically move out into the wider network.
Of course, this isn’t a new threat as far as enterprises are concerned. Corporate devices such as smartphones, tablets, laptops and desktop computers have always needed protecting from malicious intrusion. Traditionally, much of this protection was achieved using Identity and Access Management (IAM) solutions, which ensure that the right users have the right privileges in terms of accessing devices, data and applications, and monitoring their usage.
However, most IoT devices were not designed with individual users in mind in the same way that those corporate devices were. The kind of robust password management which most of us are used to deploying on our smartphones or computers is often simply not possible on, say, a connected thermometer measuring the temperature in a building. Furthermore, many IoT devices come with default password or PIN protection, which are rarely changed before they are installed.
Additional identity and access management problems can arise when IoT devices are linked to virtual personal assistants which are constantly listening and collecting information. If organisations do not have strict policies in place regarding what they ‘share’ with the devices, and how they plan to use the information collected, then further security vulnerabilities can open up.
How, then, can organisations deploying vast infrastructures of connected devices best validate the identity of those devices? And how can they ensure that their identity management strategy will continue to work even as their IoT ecosystems continue to expand in scale and complexity?
The core challenge is to ensure that each individual IoT device has its own unique identity. This might sound like a monumental task, but in fact can be achieved relatively straightforwardly, by issuing a digital certificate for each device. These are far more secure than those default passwords, or using shared keys for symmetric encryption which cannot distinguish between various devices.
Furthermore, unique digital certificates can enable the manufacturers of IoT devices to share critical data and updates with those devices, whilst they are in live deployment. This can keep them protected from emerging and evolving threats. And they also confirm the authenticity of any information transmitted from that device, whether data for central analysis and business intelligence, or automatic instructions to another device within the organisation.
Tern is always happy to advise on identity management for your own IoT ecosystem, and ways to maximise the benefits of the IoT whilst minimising the security risks.