The Internet of Identities


10 September 2015
Internet of Identities

Rik Ferguson, vice president of Security Research at Trend Micro, was speaking on the impact of digital disruption on cybersecurity at a recent CloudSec event when the Internet of Things (IoT) came up for the inevitable mention.

“IoT could be the ‘network of all networks’ in the future,” he said. And the flip side of this is that “anything that can be connected can be compromised”.

According to a conservative Gartner estimate, there will be about 25 billion connected things by 2020. The “things” in the IoT world, as Ferguson explained, do not have a traditional user interface, so they would not be your laptop or iphone or Fitbit, but black boxes with routines that users have no control over, like an appliance or a soil sensor. 

But one thing that they will need to have, if the IoT security conversation is to get anywhere, is an identity. “Right now, identities are associated with individuals for access management, for signing rights. We need to get past these concepts and start assigning identities to things,” said Ferguson. “Things have to be assigned access rights – what can they access, what can they process, when can they process it – they need to have a manageable identity.”

The concept of identity in the context of IoT was also explored by Gartner in its report on "The Identity of Things for the Internet of Things", which was released earlier this year. Gartner noted that managing identities and access is critical to the success of the IoT. However, in its current form identity and access management (IAM) cannot provide the scale or manage the complexity that the IoT brings to the enterprise.

Traditional, people-focused IAM systems have been unable to accommodate the propagation of devices and things to give a broad and integrated view for IAM leaders. According to Ant Allan, research vice president at Gartner, "The Identity of Things requires a new taxonomy for the participants in IAM systems. People, software that makes up systems, applications and services, and devices will all be defined as entities and all entities will have the same requirements to interact."

Some of the more fundamental difficulties in doing this were outlined by the Kantara Initiative in its paper on “Concepts of Identity within the Internet of Things”.

The concept of a “thing” for example, may not be so clear-cut when multiple sensing components are found on a single device. For example, a smart phone may have a webcam, a microphone, touch screen, camera and other sensors, each of which may be accessed separately to provide disparate services and yet the smart phone itself would tend to have a single IP address. Identities, therefore, may (or will probably) have to be dealt with separately from addresses in the Internet of Identities.

Another consideration in the discussion surrounding identities is the lifecycle of things in IoT, and the different ownership relations at different stages of the lifecycle. As the Kantara report pointed out, objects in IoT have lifetimes which may range from years or decades down to days or minutes. A parcel that is being shipped from one country to another, for example, may be identified by its RFID tag, but soon as the delivery is complete, the identity of the parcel disappears. The “ownership” of the object also changes, for example, from manufacturer to customer, and this will have an impact on identity-related processes such as authentication and authorisation.

Proving identities to verify relationships can also be a challenge. Tradition IAM involves authentication mechanisms (what you have, what you know, what you are) and the secure transmission and encryption of credentials. However, in an IoT world, many sensors or actuators may not be able to handle these mechanisms with their restricted energy, bandwidth and connectivity resources. Also, if “things” in IoT are understood to be objects which do not have a traditional user interface, mechanisms such as login/password (what you know) and biometry (what you are) may not be applicable.

The good and bad news is that at this point in time, the “Internet of things” is still some distance from being fully “Internet”. Many objects in the IoT world speak their own domain language (for example, in building management or manufacturing automation) and may not be conversant in HTTP. Connecting IoT solutions from different vendors and standards bodies remains a challenge.

But therein also lies the opportunity. As work progresses on IoT harmonisation, it is an opportune time to think through the security ramifications and bring the “Identity of Things” into the standards conversation.