I just checked. I have 28 devices on my home network. Not a huge number, but a lot for my family of three. The weird thing is, I’m not even sure what they all are. Sure, I recognize my media player and my daughter’s game console, but one is just labeled “Android Device.” What’s that?
These 28 devices are just a tiny sliver of 25 billion or so Internet of Things (IoT) devices that are connected to networks worldwide. That number is expected to more than triple by 2025. That’s more than 10 devices for every man, woman, and child on the planet. With that many devices, a security problem that impacts just a tiny fraction of them can be catastrophic.
Still, as long as I don’t let anything in from outside my personal network, I feel pretty good about my security at home. Unfortunately, in the enterprise “outside” and “inside” are meaningless terms. “The firewall” stopped being the boundary years ago. We don’t fully trust the people on the network within our firewalls. We even manage and monitor their access. I would suggest that we should manage our IoT devices in a similar way.
Treating IoT devices as “identities” isn’t so odd once you think about it. Like employees and other people who interact with our enterprise, they have a lifecycle. They join the organization, change over time, and then eventually leave the organization. We have tools in place to manage the carbon-based identities that interact with our organizations. Why would we treat our robots differently?
There are three specific paradigms we can borrow from identity management in managing our robots.
- Provisioning and de-provisioning of access need to be done from a central identity management system. This ensures consistency and traceability of access. In much the same way we require basic information of every person with access to our systems, we should require and register some basic information about the robot. Manufacturer, model, and version are a minimum. We don’t let workers wander around without a supervisor. Likewise, every IoT device that we have on our networks should have a named owner, or even more ideally a business owner and an IT owner.
- Treating devices as identities allows us to borrow a host of management concepts from identity management. Role-based access simplifies entitlement management. Separation of duty policies ensure that IoT device access is compliant with company policy and cannot be used to circumvent business rules.
- Like carbon-based identities, robots should also be subject to regular access review. In other words, a responsible human being, most likely the business or IT owner identified earlier, should be required to periodically review the access of the device, and attest that the access is correct and a business necessity. Any inappropriate access should be removed automatically by the identity management system.
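The three paradigms above, as an added Python illustration that is not from the original post: a minimal device-identity registry that refuses provisioning without manufacturer, model, version and named owners, evaluates role-based entitlements against a separation-of-duty rule, and revokes whatever an owner does not attest at review. The role names, entitlement strings and the separation-of-duty rule are constructed sample policy, not from any real system.

```python
from dataclasses import dataclass, field

# Constructed sample policy: roles grant entitlements; listed pairs may never be held together.
ROLE_ENTITLEMENTS = {
    "hvac-sensor": {"telemetry:write"},
    "badge-reader": {"door:read", "telemetry:write"},
    "building-admin": {"door:read", "door:write"},
}
SEPARATION_OF_DUTY = [("door:read", "door:write")]  # constructed: no device both reads and controls doors
REQUIRED_ATTRIBUTES = ("manufacturer", "model", "version", "business_owner", "it_owner")


@dataclass
class DeviceIdentity:
    name: str
    attributes: dict
    roles: set = field(default_factory=set)
    attested: set = field(default_factory=set)  # entitlements the owner confirmed at the last review

    def entitlements(self) -> set:
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in self.roles))


def provision(registry: dict, device: DeviceIdentity) -> list:
    """Register a device; return the missing mandatory attributes instead of registering if any are absent."""
    missing = [a for a in REQUIRED_ATTRIBUTES if not device.attributes.get(a)]
    if missing:
        return missing
    registry[device.name] = device
    return []


def sod_violations(device: DeviceIdentity) -> list:
    """Return every separation-of-duty pair the device's role-derived entitlements violate."""
    ents = device.entitlements()
    return [pair for pair in SEPARATION_OF_DUTY if set(pair) <= ents]


def access_review(device: DeviceIdentity, attested_by_owner: set) -> set:
    """Periodic review: keep only roles whose entitlements the owner attested; return the revoked roles."""
    revoked = {r for r in device.roles if not ROLE_ENTITLEMENTS[r] <= attested_by_owner}
    device.roles -= revoked
    device.attested = device.entitlements()
    return revoked


def deprovision(registry: dict, name: str) -> bool:
    """Remove the identity when the device leaves; True if it was registered."""
    return registry.pop(name, None) is not None
```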
There are some challenges in using existing identity management systems to manage IoT devices. The biggest hurdle is simply that most corporate identity management systems were not planned with IoT in mind. The likelihood is that there will be several IoT device identities for every human identity. Existing deployed identity management systems may not scale to the levels required to support the number of identities they will now be managing. As organizations are making technology decisions and replacing existing solutions, it will be important to take this scale into account. When replacing existing solutions, ensure that your vendor’s solutions are considering IoT identities and are prepared to support this new paradigm.
The rise of IoT has introduced new challenges to security in the enterprise. Like most security challenges, protecting against threats is the basic work of good IT hygiene. Organizations can adopt existing identity management best practices to meet this new challenge. And organizations should look to their vendors to support the new “robot” paradigm in their solutions.