Over the last two decades enterprise IT has matured to handle identity, authentication and authorization of endpoints and users. Today it is common to find technologies such as SAML and OAuth that provide single sign-on (SSO) capabilities to both internal and external users. Various techniques, including antivirus and antimalware combined with proven endpoint management tools, are used to protect desktops, laptops, networking devices, servers and other IT assets. Identity and Access Management (IAM) frameworks not only connect users with IT assets securely but also give enterprise IT teams centralized visibility and control.
Enter IoT, and the world looks very different. Unfortunately, none of these existing security mechanisms work in an environment that mixes IT and IoT assets. That is because the security frameworks were designed for IT devices such as laptops and servers, which have sufficient computing power, memory and storage. These frameworks were also designed with interactive users in mind. When an employee accesses a printer connected to the corporate network, they are challenged to prove their identity, which is mapped to an access control system that decides on an action. While current IAM systems work very well for users and IT assets, they fall short when dealing with IoT devices.
Unlike IT assets, which typically number a few thousand within an enterprise, there may be tens of thousands of IoT devices deployed in an industrial environment. These devices are not powerful enough to run the same security tools used in traditional IT organizations. They are deployed in remote locations where maintenance and manual upgrades are expensive. Unlike users, they cannot be interactively challenged for a password or a biometric identity.
Enterprise IT teams and security professionals are under pressure to secure IoT devices. Recent attacks such as the Mirai malware, which targeted IP cameras, remind us of the risk posed by insecure IoT devices.
IoT platform companies such as AWS, Google, IBM, Microsoft, Oracle and PTC provide robust device management that offers scalable connectivity and M2M communication. But enterprise-grade security is not the focus of these device cloud platforms. For example, AWS IoT mandates the use of certificates on devices connected to the cloud. But it does not automatically and securely provision these certificates at scale, nor manage them for the lifetime of the devices. Rotating certificates deployed on remote devices is challenging.
Read the entire article at Forbes