Security before innovation in the IoT

Few technology trends have generated as much interest in recent years as the Internet of Things (IoT). As a result, many organisations are working tirelessly to bring innovative new connected devices to market.

The IoT has the potential to be the biggest innovation many of us will see in our lifetime. Similar to the dawn of the Internet, it will change the way we live and work. That is a really exciting prospect for both consumers and product companies alike. Before you know it nearly everything will be IoT enabled. Cars, kitchen appliances, medical devices, manufacturing lines – there is very little we won’t be able to control with a smartphone and an app. The possibilities are endless – but with all that opportunity also comes risk.

It’s tempting to want to be first to market with the next big gadget, but if history has taught us anything, security cannot be an afterthought. Anyone or anything that is connected to the Internet is a potential target for a hacker. The mantra of many security experts is now “it’s not if you get hacked, but when” and the same holds true for the IoT. The problem compounds when you talk about the type of devices hackers may have access to. Sure, it’s scary to think of hackers gaining access to your email or credit card information, but what if they had access to your connected car? Or your home’s security system? Or the airplane you are riding in? The everyday implications of lax security in the age of the IoT could be catastrophic if not taken seriously.

If the IoT is to take off as it is expected to, we need to raise consumer trust levels and the only way to do that is to make security a top priority in the design process of IoT devices. Security starts with access – who (or what) is accessing the network and what are they doing on there. Is the person or device legitimate? Is the activity normal? This all falls into something we call the Identity of Things (IDoT).

Managing the identities of connected devices is significantly more complicated than anything we’ve encountered before. In a recent study, Forrester found that connected devices require an average of four different entities, outside of the device owner, to have access to it, or to its data – a number that is expected to grow. When you think about a connected device – take a home lighting system for example – it’s not just the purchaser who needs access. Other family members will likely want to be able to access the system, manufacturers and service technicians may need various levels of access for remote management or customer service. Not only are you talking about managing a number of identities, but also varying levels of access for each. However, it is not just access to the device, which is important. Who has to the data generated by the device? Who gets to determine the access levels and distribution of this data?

As we are just at the beginning of the IoT phenomenon and IDoT hasn’t quite been figured out yet. To date, most companies building connected products haven’t had many options for identity management. Many are attempting to retrofit enterprise Identity Access Management (IAM), which is inherently inward facing or creating something from scratch which – unless identity management is in their core competency – has proven to be a nearly impossible task. Additionally, these systems often do not take “Device Identity” into account. The identity of the device is vitally important in establish a chain of trust between connected products and their users. By using systems purpose built for IoT, it is easy to establish trust in device, users, and the relationships between them. Without these key building blocks, managing complex IAM associations is complicated and inherently insecure.

In the same research report, Forrester also found more than 53 per cent of firms are taking a DIY approach to developing and managing these devices and operating their own software platforms to control them, despite the very real security risks they take by doing so. Many have little previous experience of the critical security management needed to run these devices safely at scale.

The good news is that mastering IDoT can be as easy as finding the right partners. Look for partners who have a strong track record in identity management and can help manage strong authentication, policy-based access control, user and device provisioning at the design phase.

By working together, an innovative and secure connected product is yours to build.

Calum Barnes, Senior Software Engineer, Xively by LogMeIn

Image source: Shutterstock/ a-image