The internet of things (IoT) will not necessarily introduce new cyber threats, but it will amplify those we are already facing, according to NetIQ solutions consulting director David Mount.
To deal with these “explosions in the attack surface”, organisations will have to focus on identity, he told the 2015 European Identity & Cloud conference in Munich.
“We cannot leave it up to the manufacturers because they will be focused on making devices easy to use, connecting and exchanging data, and some might say they do that at the expense of security,” said Mount.
While the IoT is likely to deliver many benefits, including better traffic management in smart cities such as Hamburg, there is also a darker side to the IoT, he added. “We need to think about how we can control our data once it is collected to address concerns about how it is stored, who can access it and how it is used.”
According to Mount, there also need to be assurances that unauthorised parties are not able to hack into IoT communications to steal or manipulate data.
“Researchers have shown that at least one fitness tracking device is vulnerable to hacking, and while that data may seem unimportant, it could be used to access much more sensitive data through social engineering,” he said.
Identity key to managing IoT risks
Mount believes identity is the key to managing the risks of millions of devices or “things” being able to access too much information.
“Identity is the one thing that is still under the control of the organisation and the individual, and it can help balance the needs of users with the needs of risk managers,” he said.
Attacks are inevitable, so organisations need to work on limiting their effects, and key to this is getting the basics of identity and access right, said Mount.
“We need to minimise the access rights of individuals, devices and things to ensure they are appropriate, and then we need to enforce the access controls and monitor user activity to ensure that it is appropriate and normal,” he said.
But Mount said the answer is not more data because there are already too many tools that generate too much data.
“In the Target breach, the signs were there, but it was difficult to understand and pinpoint what was really going on because of the sheer volume of data. There is too much noise, but not enough insight,” he said.
Security requires context
Security needs context, said Mount, which means security and identity can no longer be separate silos within organisations.
“The key to delivering context is identity: verifying actors are who they claim to be, seeing how they are using their entitlements, and evaluating whether that use is normal and appropriate,” he said.
Mount added that in building the internet of things, it is essential to adopt “identity-centric” thinking to ensure there is an adequate level of control.
“With the internet of everything, we need a parallel identity of everything to be able to ascribe behaviour to things, track that behaviour, and then decide if it is normal or not,” he said.
It is only by establishing an identity for everything, Mount said, that it will be possible to manage how people and devices interact.
“This will become increasingly important as we move from three or four devices each to 20 or 30 devices each that want to connect and share data,” he said.
This means information security professionals need to understand the identity information stored in their organisations and examine how it is currently used.
“Then they should look for ways to integrate identity context so that they can begin to understand the behaviour of the things in their organisation and how they are going to interact,” said Mount.
He believes information security professionals should also build an identity framework that can handle more sophisticated and aggregated identity information, and that can scale.
“We need an extensible identity framework that can encompass the people, products, devices and services that will make up the internet of things,” said Mount.