In my previous blog I explained the switch from traditional IAM to Consumer IAM (CIAM). As the Internet of Things (IoT) becomes unavoidable in daily use, managing identities for consumers and all the ‘things’ they are related to will be essential to successfully leveraging the shifting landscape.
IoT: the present and the future
The IAM landscape keeps changing. Smart (IoT) devices are entering this landscape in large numbers: smart doorbells, smart thermostats, connected cars, sensors, etc. And all these things must be related to an actual identity, just as we are used to with employee and consumer identities.
Managing devices via the internet is not new at all. For years we’ve been able to remotely control our devices at home, like washing machines, kettles, refrigerators, coffee machines, etc. Some devices can be controlled with our voice by using Amazon Alexa or Google Assistant. Think about the lighting systems provided by Ikea. All of these devices are ‘smart’.
More smart devices will result in a much broader attack surface
We are all connected! We will connect everyone with everything and everything with everyone. Cars are talking to cars, as well as to traffic lights and traffic signs. The world becomes a large network of devices that exchange data with each other and make automated decisions.
How can you know for sure that a signal from a traffic light ('I am green') really comes from the traffic light at the intersection your autonomous car is heading for? How can you be sure it does not come from a different traffic light or – even worse – from the laptop of a hacker who pretends to be the traffic light at the intersection?
Introducing millions of connected devices requires repeatable, standards-based processes for registering, provisioning, pairing, maintaining, and de-provisioning devices. IoT device lifecycle management should be easy, automated, and scalable. A simple approach to device-to-identity registration and pairing is to use standards like OAuth2. This allows a device to gain the permissions it needs to represent the user to internal and third-party APIs and cloud services. Revocation, by invalidating the assigned OAuth2 access and refresh tokens, provides a simple “kill-switch” style approach to removing access if the device is sold, stolen or lost.
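The kill switch described above, as an added sketch that is not from the original post or any product: a hypothetical in-memory `DeviceTokenStore` stands in for an authorization server, pairs devices to a user, and revokes every access and refresh token of one device. The class, device names, scopes and lifetime are constructed assumptions.

```python
import secrets
import time

class DeviceTokenStore:
    """Hypothetical in-memory stand-in for an authorization server's token store."""
    def __init__(self, access_ttl=300):
        self.access_ttl = access_ttl  # access token lifetime in seconds (assumed value)
        self.tokens = {}              # token value -> record

    def pair(self, device_id, user_id, scope):
        """Pair a device with a user and issue an access/refresh token pair."""
        return self._issue(device_id, user_id, scope)

    def _issue(self, device_id, user_id, scope):
        now = time.time()
        pair = {}
        for kind, ttl in (("access", self.access_ttl), ("refresh", None)):
            value = secrets.token_urlsafe(32)
            self.tokens[value] = {"kind": kind, "device": device_id, "user": user_id,
                                  "scope": scope, "exp": now + ttl if ttl else None}
            pair[kind] = value
        return pair

    def introspect(self, token):
        """What an API would ask before honouring a request from the device."""
        rec = self.tokens.get(token)
        if rec is None or (rec["exp"] is not None and rec["exp"] < time.time()):
            return {"active": False}
        return {"active": True, "sub": rec["user"], "device": rec["device"], "scope": rec["scope"]}

    def refresh(self, refresh_token):
        """Rotate: consume the old refresh token and issue a new pair."""
        rec = self.tokens.get(refresh_token)
        if rec is None or rec["kind"] != "refresh":
            raise PermissionError("invalid or revoked refresh token")
        del self.tokens[refresh_token]
        return self._issue(rec["device"], rec["user"], rec["scope"])

    def revoke_device(self, device_id):
        """Kill switch: drop every token issued to this device, refresh tokens included."""
        doomed = [t for t, r in self.tokens.items() if r["device"] == device_id]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

if __name__ == "__main__":
    store = DeviceTokenStore()
    bell = store.pair("doorbell-01", "alice", "doorbell:stream")  # constructed sample data
    print("revoked tokens:", store.revoke_device("doorbell-01"))
    print("after revocation:", store.introspect(bell["access"]))
```

Revoking by device rather than by single token matters: an access token left over from before a refresh, or a surviving refresh token, would otherwise keep the sold or stolen device connected.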
Use modern (C)IAM to secure your future
The very core of Identity & Access Management is to securely connect different people to the right information and services. With the rise of smart (IoT) devices, people will need to be connected to ‘things’ as well. And if the number of these ‘things’ rises to 20 billion in 2020, one can imagine this poses serious challenges to an organisation’s IT landscape.
In order to meet the requirements set by IoT, IAM solutions must be flexible enough to support adaptive authentication for different devices in different scenarios, with varying levels of complexity and security requirements. With billions of relationships being made between connected devices and users, IAM platforms for IoT need to provide administrators with a simple way to manage connections and data at scale. Identity relationship visualisation is a great way to quickly notice irregular relationships, eliminate potential issues, and provide updates to identities.
One thing is for sure: (C)IAM solutions need to be able to handle the complexity of managing the massive amounts of smart IoT devices. This means organisations will need to re-examine their existing IAM solutions and make sure these are on par with IoT requirements, both for serving consumers and employees.
I am looking forward to the coming years! Are you?
With more than 10 years of experience in the technical elements of Identity & Access Management, Mesut brings to the table all the knowledge and expertise required to manage complex client implementation projects.