01.24.2017

iot-has-identity-management-problem

Forgive us for sounding like a lawyer, but the question “does IoT have identity management?” can only be answered by saying: It depends.

There is a wide range of consumer devices that have no identity management — they’re just sitting out there providing data to a local network and are easily accessible by just about anyone who is willing to take the time to find them.

You can do this yourself by simply going to a search engine and looking for unsecured security cameras. Not only can you browse tens of thousands of completely unsecured security cameras, but you can also browse through nearly 100,000 cameras that use default passwords — some of which autofill when you access the cameras because the default passwords are designed to be replaced as soon as the camera is installed.

Many of these IP cameras show the inside of homes and stores, which can create significant threats to your person and your property.

Business applications sometimes have a better policy on user authentication in their Internet of Things rollouts, but this isn’t a guarantee. The most likely identity management paradigm covers devices that require consistent interaction, such as keyboard and touchscreen input, or that must be unlocked through passwords and facial recognition.

Where Can We Introduce Identity Management?

Mobile devices have emerged as the chief place where IoT, both commercial and consumer, can incorporate identity management measures. They are almost always on our person and support multiple authentication options, from apps that provide time-sensitive keys and mobile alerts to signing on through both devices at the same time.

Phones are something most users already have, so they present a simple bridge between user authentication and the Internet of Things.

The concern with these devices is that they’ll consistently require the user to log in through both factors, and they are often a place where we store information about the access point. So, users have the potential to be frustrated by consistent check-ins, or if they lose the device, a bad actor could pick it up and have access to the apps, services or website information plus the authentication points.

Are There Privacy Gaps in IoT?

Privacy in IoT is all over the map. Amazon’s Alexa devices were the big hit of the holiday shopping season, even after it was revealed that small children and news stories could cause the devices to make purchases that the owners weren’t authorizing.

These devices — and almost anything else with a personal assistant — are also always listening to you, recording small snippets of the world around them in order to search for their wake-up phrase. Depending on the device, this data is saved and used to improve voice recognition, is sent to servers for data insights to deliver a better experience or is deleted as soon as it is found not to have the wake phrase.

But we’re not exactly sure where each company and each device lies on that spectrum because many of these personal assistants don’t directly answer questions like “Alexa, are you always recording?”

Voice-activated devices that control warehouse lights, the coffee pot or other business needs present an even greater challenge because they could be listening to you and your operations when company secrets and advantages are discussed.

These risks are compounded by every IoT authentication protocol that uses a smartphone or other personal device because the system potentially has access to all that personal data. Privacy gaps in identity management can be significant, but there are different paths you can take that will include a combination of multi-factor authentication and single sign-on that use systems to authenticate the user for each request.

Are You Ready to Build Easy Authentication in Your IoT Work?

User authentication and the Internet of Things are extremely important in private and public federated cloud services because they ensure your protection actually targets malicious access attempts.

We believe you can give your company full support and address many of the privacy concerns and security gaps in IoT when you take a multi-layered approach that offers flexible authentication and identity management with a robust security check on the server level.

Optimal IdM pairs our Virtual Identity Service with The OptimalCloud to deliver proper authentication on any device with multiple tokens and authentication options designed specifically for safety and security of your business. Whether it’s a specific device or an online portal, we’re able to build out an option across your operations and meet today’s leading security standards.

Learn more about our holistic approach to cloud-based solutions that cover self-service passwords and registrations, comprehensive identity management, one-click workflow approvals and multiple ways to solve the concerns that arise over user authentication and the Internet of Things.
