This is the first in a series of blog posts about securing Enterprise IoT. As part of this series, you will hear experts from VMware and its sister companies weigh in on the current and future possibilities for IoT security. With this series, we hope to raise the level of understanding of the challenges encountered and kickstart a conversation about best practices for implementation.
In mid-July, security technology company BitDefender reported a vulnerability in webcams manufactured by Shenzhen Neo Electronics, saying it was the result of “an error in the way the [camera] processes the username and password information at login.” BitDefender was easily able to find some 170,000 of these cameras by using Shodan, a search engine for Internet-connected devices. “We can only imagine the impact a harvested botnet of [these] devices might have,” it said.
The demand for technologies to secure IoT is huge, and growing. According to David Konetski, Fellow and Vice President, Security and Client Solutions, Dell, “Every other booth at the RSA conference this year was a startup talking about how to secure IoT endpoints.” This is small comfort to CSOs struggling today with securing IoT implementations that businesses might be rushing to implement, spurred on by the promise of productivity gains, valuable insights or any of the other very real benefits of IoT.
Forrester says that, thanks to the increased awareness of the security vulnerabilities posed by static passwords, the market has a strong awareness of the importance of authentication, and a wide range of technologies is available to provide IoT authentication, from PKI/digital certificates to other embedded options and possibly even blockchain.
Konetski believes blockchain holds strong potential for IoT security. “If you have an immutable ledger that is accessible from the open internet where you can establish and confirm and authorize identity or any other policy or compliance, that is valuable,” he says.
However, he does not see it making much impact on IoT for some time. “I can think of only two blockchain systems that have been deployed successfully, and one of those, of course, is Bitcoin.”
Identity and access management
Konetski points out that, in the IoT world, authentication and identity differ fundamentally from the PC world. “In the IoT world it’s no longer user identity; it’s machine identity, and IoT machine-to-machine authentication is a different problem than end user to domain authentication.
“If you want to drop a sensor in a field, it has no display. It will have to be provisioned so it connects to the right network, gets back to the gateway and the back end infrastructure.
“But if you want to make those end points cost efficient and easy to deploy, how do you securely provision them and have them establish secure communications back to the gateway?”
According to Forrester, IAM is emerging as an important capability to help enterprises and service providers manage and secure relationships between identities and IoT devices. It says key IoT IAM use cases include provisioning and de-provisioning devices as well as linking and managing devices and identities. It adds that standards might emerge to simplify the approach, but even absent such standards, IoT IAM will become broadly used by most companies across most IoT use cases.
Identity stores for IoT
An essential component of any identity and access management system is an identity store. Forrester, not surprisingly, points out that in an IoT world one of the main issues will be that of performance at scale, given that the system will need the “ability to deliver a single consolidated view of users and devices and sync attributes across many different systems of record to help give the enterprise broad insight into usage and relationships.”
It says the growth and adoption of IoT identity stores will be closely aligned to the growth of IoT and IAM in general and to the ongoing business need to have a centralized, consolidated view of IoT devices and their associated identities.
Either way, it is clear that traditional identity and access management will not scale to meet the needs of IoT IAM, and that standards and technology will have to evolve to support this new architecture.