Data is the fuel and currency of the Internet of Things (IoT). An IoT ecosystem’s value might lie in capturing data which previously went untapped, or putting to work data which was previously too costly or cumbersome to analyse. It might lie in generating new forms of intelligence throughout an organisation, or developing new insights from a series of products ‘in the field’.
However, none of these examples are worth anything if that data is not trusted – and the data cannot be trusted if the devices that are collecting it – the connected ‘things’ which make up the IoT ecosystem – are not trusted themselves.
This is why your IoT platform, no matter what kind of IoT ecosystem you are operating, needs an Identity and Access Management (IAM) system.
What is IoT IAM?
Simply put, an IoT IAM system is one that assures the identity of devices, and the actions they are permitted to undertake, throughout an entire IoT ecosystem. This might comprise many thousands of individual devices, each of which needs to be individually identified and trusted. A single untrusted device could, after all, compromise the integrity of the entire system. Endpoint IoT devices have become tempting targets for cybercriminals in recent years.
The degree of sophistication required from IoT IAM varies across different contexts. Internet banking, for example, requires particularly robust levels of security, and individual devices will require multi-factor authentication (MFA), consent and authorisation.
Principles for deploying an IoT IAM system
All this variety might sound overwhelming, particularly if your organisation is only at an early stage in its IoT journey. However, there are some useful principles to bear in mind no matter what sector you operate in.
First of all, traditional IAM is not suitable for IoT deployments. You need a specialist IoT system, rather than a repurposed system from a different kind of environment. The security challenges of IoT ecosystems are very different from other contexts, and require far greater agility and flexibility from IAM.
Secondly, your IoT IAM should take a device-centric approach. The various factors an IoT IAM system protects (authentication credentials, crypto keys, private keys and so on) should be bound to, and protected on, the devices themselves.
Thirdly, scalability is critical. The ability to rapidly and cost-effectively add new devices is central to most IoT ecosystems – but if you are going to be regularly adding new connected ‘things’, then you need to be able to protect them just as quickly and efficiently. An IoT IAM system which is overly time-consuming or complex to roll out onto new devices will quickly become a brake on innovation.
Fourthly, think about the wider partner ecosystem around your IoT deployment. Myriad different organisations are likely to be involved, including the provider of your IoT platform, cloud providers and other security vendors. It is crucial that your IoT IAM can integrate smoothly with all of these.
Above all, IoT IAM should not be something you layer onto an IoT deployment afterwards – rather, it should be an integral part of that deployment from the beginning. It is a critical feature of IoT security and, as such, it should be a central factor in your choice of IoT platform and partners.