Although identity and access management has traditionally revolved around people, we must prepare to manage the Identity of Things as the Internet of Things enters our business environments and, increasingly, our personal lives. This is a complex universe of entities such as smart devices, machines, programs, robots, and other “things” that are interconnected to share information and perform tasks.
As we embrace the Internet of Things (IoT), which refers to all Internet-enabled devices, including smart cars, drones, and household appliances, that communicate with each other and share data, we have to define a universally acceptable framework for identity and relationship management. Such a framework must identify and connect entities, approve their rights to transact, and address the growing risks around the Identity of Things (IDoT).
One of the challenges that we face as security and identity management professionals is determining whether our current processes and technologies are able to manage the growing risks of IDoT, or whether we need to update our existing solutions or deploy completely new ones.
In a self-managed, smart, and connected world, the most important risk will concern the relationships among IoT entities. This will force us to look beyond identity and access management to include the level of relationships that exist among identities, and their authorization for sharing data and making transactions. In the not-so-distant future, smart cars and devices will make transactions on behalf of their owners, and these transactions must be controlled to manage risks including transaction repudiation. For example, self-driving and smart cars will be enabled to make purchases without their owners being present. How would businesses validate the authenticity of the transaction and successfully fight repudiation?
The Identity of Things Management
Managing the Identity of Things (IDoT) involves assigning unique identifiers to devices and objects (Things) as well as authorization to communicate, share data, and transact in pre-approved relationships.
As we allow “Things” to find each other, communicate, and complete transactions, security and entity relationship management, which includes identity, access, and rights management, will be crucial. In a universe with a growing number of smart and automated entities or identities beyond humans, such as devices or programs, the rules of engagement are different: owners of smart devices will be on the hook for transactions completed by their devices, and critical tasks such as data collection and sharing will be automated. This will make continuous monitoring even more critical than what we have in place today as part of our routine identity and access management processes.
Technology advancement and data proliferation in an automated and connected world are making the management of Identity of Things (IDoT) very challenging. Examples include sensors that collect and share data, self-managed cameras, windows that share data on outside and inside temperatures to control the heating and cooling systems, home appliances, self-driving and self-managed cars, and other networked devices. According to Henry Bagdasarian, “data privacy and security concerns with IoT identities and data will continue to be of utmost concern, especially, the definition of identity theft will be expanded to include device identity takeover by another device”. Furthermore, identity and ownership validation along with access controls will be critical for defense in a court of law.
As an industry, we have begun to identify the IoT identity management risks, and identity management experts are working hard to introduce solutions, whether technical or otherwise, to address them. Effective identity management and governance will be key to making sure that IoT entities are able to communicate with one another, perform approved tasks, and demonstrate ownership for accountability purposes.