Once a buzzword thrown around by computer geeks, the Internet of Things (IoT) is now a household name, sparking excitement and visions of futuristic living among even the most conservative of technology users. While the foundations for our new, connected world are being laid, experts see the current developments only as the beginning. A new Gartner report predicts a 30-fold increase in internet-connected devices, set to reach 26 billion by 2020, up from 0.9 billion in 2009.
However, the fast pace at which technologies are evolving means there are varying levels of maturity – devices like those used in commercial telematics in trucking fleets to improve logistics efficiency are already well established. Others, such as smart fabrics that use sensors within clothing and industrial fabrics to monitor human health or manufacturing processes, are just emerging.
As we increasingly rely on devices to carry out tasks for us and even act as our ‘eyes and ears’ a lack of maturity when it comes to cyber security could be detrimental. The IoT is a vast, complex and increasingly independent network of devices and systems that communicate huge amounts of sometimes sensitive information – and given the predicted growth, managing these devices will not only pose logistical but also security challenges. How can we ensure the right devices respond to the right orders from the right actor? Whether intentional or unintentional – a single glitch could have serious consequences as we increasingly relinquish control for everything from pacemakers to self-driving cars.
As businesses prepare to design the infrastructure that will lie at the heart of the IoT, a foundational element in this has to be an ‘identity layer’ that will allow the secure deployment of a large number of connected devices. Identity, or ‘the collective aspect of the set of characteristics by which a thing is definitively recognisable or known’ has traditionally been easy to prove from one human to another, through factors such as unique appearance, knowledge and official documentation.
The IoT has uprooted these traditional authentication models, rendering the processes we have trusted for millennia ineffective. The sheer variety of different applications and devices makes it impossible to directly and personally authenticate every part of the network. Equally, with much of the authentication happening between devices much of the human element – and judgement – is cut out altogether.
To plug this security gap, different authentication models have evolved alongside new technologies to suit the specific needs and capabilities of devices. While machines may not be able to ‘feel’ trust they do have their advantages over humans – a ‘thing’ will have no problem remembering passwords like ‘jHGt57!xL@20’. However, as networks grew larger, the password began to struggle – even if used by a device. Not only does the scale of the IoT make it challenging for a ‘thing’ to establish and store a different password for every single party it interacts with – the very collection of passwords used to protect information and processes now constitutes a ticking time bomb, waiting to be discovered by cyber criminals.
The latest technological developments tackle this problem by reducing the number of passwords needed to authenticate across different applications and trust domains. They allow users to directly authenticate – through means such as an authentication authority in the cloud – with an existing credential and be issued with a token that allows it to authenticate to other actors.
Federated Single Sign On (SSO) technology, for example, allows for passwords to be replaced with standardised security tokens for everyday tasks such as work and social media apps. These tokens are issued by a website the user has logged into directly but simultaneously give access to a range of other applications – mitigating a password explosion and simplifying the process for the user.
This type of technology also allows the authentication of a specific device to be tied to a particular user by issuing tokens specific to a ‘relationship’. As the IoT will likely result in many devices operating on a behalf of a particular human, or set of human beings, this kind of distinction will be crucial.
No one knows for certain to what extent the Internet of Things will affect our lives in the future– but it looks certain that – whether we want to or not – we will likely hand over a substantial part of our decision-making to machines. As such it is vital that we have solid and secure mechanisms in place that are capable of evolving alongside and in symbiosis with technological advances – authentication tools have to be simple, reliable and universal. Most of all though, we need to tread carefully when deciding which tasks to hand over to the IoT – once we have given up control it may be hard to regain it.
By Hans Zandbelt, Senior Architect, Office of the CTO, Ping Identity
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.