Cybersecurity opportunities in a new world of IoT
Evolving identity access management in the internet of things
April 24, 2020 | By Kory Patrick
Identity—it’s who you are. When you think about identity and access management (IAM), it’s really the identity of the people, systems and processes in the organization. And oftentimes, it’s through the lens of a business continuity or disaster recovery standpoint: How do we recover our identity systems? How do we protect the confidentiality, integrity and accessibility of our data?
It’s never been more important to have a plan on how to respond if those identities or systems are compromised. And it’s even more challenging when the data and identities you’re trying to protect are fluid across an enormous scale of IoT devices. This age of IoT presents increasing risks in cybersecurity and identity access management—and it’s partly because of the historical way we’re used to thinking about security and devices.
Permissions and access are the cornerstone of the IoT evolution
The whole IoT boom is actually an expansion of ideas that began decades—even centuries—ago, where technological advancements made in our military carried over into the private sector and across industries.
Take railroads, as they were one of the key drivers of the industrial revolution. They efficiently moved goods across the country and ultimately across the world through intermodal means. As the technology evolved, so did the control systems and signals to make sure trains are on the right tracks and moving in the right direction, as well as control systems over the environmental impact, like wastewater systems.
Fast forward to today, and society has taken that premise and expanded it from the industrial world into the consumer, digital world. Now, we have thermostats, door locks, refrigerators, temperature sensors, home assistants and other automated devices that we talk to. But the industrial control systems of the 50s and 60s weren’t built with identity, security or access controls in mind. Rather, they were built under the premise of physical access controls. If you were present, with your hand on the physical switch or button, then you must have access to it. And if you’re able to do that, those devices assume you are authorized to control them in whatever way you like.
Managing identity amidst a changing threat landscape
Today’s security and identity access management isn’t as physical—it’s essentially digitally outsourced in IoT—but our consumer industry still looks at devices in a very granular way. Take a refrigerator—if you’re able to access it, it’s because you have access to the network or the home, and the fridge itself is dependent on a secure perimeter controlling and maintaining that access management. Yet those assumptions may not be as sound as we hope, like the assumption that the microwave doesn’t have to worry about having security because the door lock, perimeter of the home or broadband provider is already secure. The result is a security posture not much different from that of the 1950s.
As we carry those assumptions into today’s ever-changing landscape, new IAM vulnerabilities are being created as IoT devices are exposed to greater risks. For example, organizations need to consider the measures needed to protect sensitive information and data when employees take work outside of the office to home environments, personal IoT devices and networks. Focusing on securing hardware, like work laptops, with stronger passwords and updated software, as well as monitoring home networks for vulnerabilities before connecting, can help limit issues and threat exposures. Additionally, implementing multifactor authentication will help ensure your company network and systems are accessed only by authorized individuals.
IoT needs to expand the identity access management role
There’s a huge opportunity in the world of IoT by identifying the holistic system and strategically securing the edge. Don’t look at each individual device in the home, but actually look at the home. And then look at the neighborhood. It all comes back to governance—what control structures do we have? How are we mandating that governance is happening from a best practice or secure design? Those guidelines have started to form now, especially with the emergence of smart buildings, but as we’ve seen the threat landscape evolve, there’s still tremendous opportunity for improvement.
Kory Patrick is the risk and security practice leader at TEKsystems. He leads advisory and consulting services for the enterprise environment focused on reducing risk to the business by addressing security, privacy and compliance challenges through effective governance, identity and operations management in cloud, on-premise and remote environments.