Internet of Things in desperate need of more robust identity and access management
The future of identity and access management in the Internet of Things will escape the confines of user-focused identity and transition toward a more inclusive model, according to a new analysis research report by ABI Research.
The new multi-faced approach will include machine and system identity along with IoT device and platform management operations.
"IAM is yet another identity and security framework that poses significant challenges when crossing from the IT realm onto the IoT," says Dimitrios Pavlakis, senior cyber security and IoT analyst at ABI Research.
"Most cloud providers regard IAM as a purely user-focused term while other IoT device management and platform providers make references to IAM in device access control," he says.
"IAM in traditional IT environment is used to streamline user digital identities and to enhance the security of user-facing front-end operations using a variety of management tools, privilege management software and automated workflows to create a user-focused authorisation framework."
Pavlakis says the explosion of IoT technologies has significantly increased the sheer volume and complexity or interconnected devices, users, systems, and platforms making traditional IT IAM insufficient, if not problematic in some cases.
"Insufficient access control options, legacy infrastructure and proprietary protocol dependencies, traditionally closed networks, the fervent increase in digitisation, albeit with lackluster security operations, are some of the most prominent challenges for IAM in IoT," he explains.
"Regardless of which IAM terminology is used, these challenges along with the highly complex IoT identity value chain point toward a more competent model of IAM, which touches upon various technologies and security protocols to be considered under the IAM umbrella including: user privilege management and on-prem access control, edge-to-cloud integration, cloud directory-as-a-service, system and machine ID, data security and governance, API management, IoT device identity, authentication and access control."
Pavlakis says the justifiable lack of a unified IoT security standardisation framework, the fact that organisations are always on a reactive approach versus proactive, the emergence of the new cyber-threat horizon and ever-present budget restrictions also forces implementers to create an approximation of IAM protocols by examining IoT applications on a case by case basis.
"No matter how you slice it, IAM in Industrial IoT obviously ought to be significantly different than IAM protocols in finance settings and further blurs the lines between access control for system, machine and user ID," he says.
Prominent IT IAM vendors include Cisco, IBM, Microsoft, Oracle, RSA, ForgeRock, Giesecke and Devrient, Ping Identity, Idaptive, Micro Focus, Okta and Ubisecure while new vendor categories under the IoT IAM umbrella can include telcos, IoT device, gateway management or platform providers including Entrust, Globalsign, Pelion, Sierra Wireless, Cradlepoint, Kerlink, and Advantech.