IDENTITY AND ACCESS MANAGEMENT is hard enough when it’s mostly users you have to worry about. When large volumes of vulnerable IoT devices are involved as well, the challenges only get greater.
"IAM is already a complex subject, and the addition of IoT devices makes the entire process much more complex," says Larry Trowell, principal consultant at NetSPI, a penetration testing-as-a-service security company in Minneapolis.
In IT, IAM "is used to streamline user digital identities, and to enhance the security of user-facing front-end operations," says Dimitrios Pavlakis, a senior analyst at ABI Research. Processes such as onboarding, and policies for passwords, email, accounts, and more, can be automated to meet security requirements and compliance rules. These advantages apply to IoT devices as well as to users, but there are numerous hurdles.
For instance, domain controllers used by many companies often have trouble supporting IoT devices with limited client intelligence, according to Trowell. Even cloud solutions prepared for IoT devices "may not be able to operate with the level of access businesses feel they should," he notes. Multiple IoT devices may need to maintain identities and roles between various accounts, leading to security gaps within this complex environment.
Additional challenges include access control protocols in IoT applications that don't resemble standard IAM tracking used in IT environments, and devices designed for a closed intranet with no expected interaction with external resources, according to Pavlakis. Further, many IoT devices still rely heavily on legacy technologies with security too weak for modern use, including communications protocols, or use one of the many proprietary hardware or software standards that hinder access control security. "There is little consensus regarding what should be the proper way to tackle IoT security in general," Pavlakis says.
However, there are steps you can take to improve IAM for IoT, according to Trowell. "Start by gaining a true understanding of your IoT devices," he recommends, by creating an asset inventory, determining what level of access they have, and checking if there's a way to safely reduce that access without preventing them from doing their job.
Both Azure and AWS have well-documented strategies for handling IAM with IoT-based devices, Trowell continues. If the company's devices run on a single cloud infrastructure, get familiar with the IAM configurations offered by that cloud provider. It may seem obvious, but remember that the fewer external roles and permission settings a company is responsible for, the easier it is to manage and maintain all devices in the same controlled area.
It may also seem obvious to ensure that physical devices aren't using default passwords, but Trowell says that’s still an issue. Set passwords at least equal in complexity to what you’d require humans to use. If the device uses some sort of a virtual token for authentication, rather than a username/password combination, make sure that its access is as limited as possible and that it can be quickly and easily invalidated if the need arises, Trowell adds.
Pavlakis advises integrators to craft their own custom parameters for their IoT strategy as opposed to "falling prey to certain hit-and-miss or poorly marketed IoT security services." He also suggests designing more inclusive IAM agendas and policy frameworks to coincide with existing rules for users, devices, systems, and cloud platform access control guidelines for internal and external entities.
Finally, Trowell advises, "Follow the principle of least privilege as with everything in IAM." Use multifactor authentication if possible and determine if you can deprovision specific uses for devices. If feasible, settle on a single cloud infrastructure and get familiar with everything in IAM for that cloud.
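What the advice above (know the cloud provider's IAM model, keep device credentials as limited as possible, follow least privilege) looks like in practice is easier to see on a concrete policy. The following is an added example, not code from the article or from either expert quoted in it: it compares a catch-all AWS IoT Core device policy with one scoped to the connecting device, and runs a small least-privilege check over each. The three policies are constructed samples, the account ID and region are placeholders, and the `lint_iot_policy` checker is a heuristic written for this illustration, not an AWS tool. The `${iot:Connection.Thing.ThingName}` policy variable is a real AWS IoT Core feature that substitutes the name of the registered thing whose certificate is presented at connect time.

```python
"""Lint an AWS IoT Core device policy for over-broad permissions.

Added example (not the article's or AWS's code): flags Allow statements that
grant wildcard actions or resources, and resources that are not bound to the
connecting device via the iot:Connection.Thing.ThingName policy variable.
All policies below are constructed samples; region and account ID are
placeholders.
"""
import json

THING_VAR = "${iot:Connection.Thing.ThingName}"
ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012"  # placeholder region/account

# Constructed sample: the catch-all policy many device fleets ship with.
# Any one stolen device credential can do anything in the account's IoT Core.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
})

# Constructed sample: actions are specific, but the publish resource is still a
# fleet-wide wildcard, so a compromised device can publish as any other device.
PARTIAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"{ARN_PREFIX}:client/{THING_VAR}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": f"{ARN_PREFIX}:topic/devices/*"},
    ],
})

# Constructed sample: every grant is bound to the connecting thing's own name,
# so a device can only connect as itself and speak on its own topics.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"{ARN_PREFIX}:client/{THING_VAR}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": f"{ARN_PREFIX}:topic/devices/{THING_VAR}/telemetry"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{ARN_PREFIX}:topicfilter/devices/{THING_VAR}/commands"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": f"{ARN_PREFIX}:topic/devices/{THING_VAR}/commands"},
    ],
})


def _as_list(value):
    """IAM-style documents allow either a string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def lint_iot_policy(policy_json):
    """Return a list of human-readable findings; an empty list means it passed."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: wildcard resource")
            elif THING_VAR not in resource:
                findings.append(
                    f"statement {idx}: resource {resource!r} is not scoped "
                    f"to the connecting thing"
                )
    return findings


if __name__ == "__main__":
    for name, doc in [("weak", WEAK_POLICY), ("partial", PARTIAL_POLICY),
                      ("scoped", SCOPED_POLICY)]:
        print(f"{name}: {lint_iot_policy(doc) or 'OK'}")
```

The check is deliberately strict: a legitimately shared resource (a broadcast topic every device subscribes to, for instance) will be flagged and has to be reviewed by hand rather than waved through. The other half of Trowell's advice, being able to invalidate a device token quickly, maps in AWS IoT Core to marking the device's certificate INACTIVE or REVOKED (`aws iot update-certificate --certificate-id <id> --new-status REVOKED`) and detaching its policy; Azure IoT Hub likewise issues per-device identities that can be individually disabled. Because the scoped policy above ties every grant to the thing name on the presented certificate, revoking that one certificate removes exactly that device's access and nothing else.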
Unfortunately, though, there isn't a common set of rules or a magic bullet that solves all the complexities of IAM for IoT, says Trowell. "Many devices have to be considered on a case by case basis to determine how they can best be secured."