The technology industry has always been characterised by rapid change. In turn, business has reaped the benefit of these changes, in terms of both productivity gains and increased innovation. The problem with change, though, is that it brings risk. Risk that you could fail to adapt, pursue the wrong approach or even be left behind completely. As the next big revolution in technology occurs - the emergence of the Internet of Things - huge risk has become obvious in terms of the significant security challenge that the proliferation in connected ‘things’ represents. Simply put, responding to these risks in the right way will be the difference between winning or losing in the IoT revolution.
The IoT has brought billions of new users, and devices online and in communication with new cloud services. Legacy identity systems were not designed to manage digital relationships at such a large scale, leaving new IoT initiatives vulnerable to malicious attacks. We’ve only just scratched the surface of what the IoT can do. Connected devices are already helping businesses and governments to securely bridge the physical and digital worlds. Governments can use smart sensors to manage the flow of traffic while businesses can create IoT devices to connect with smart homes, for example. So far, so good… But here’s the issue: the Internet of Things (IoT) is, from a security perspective, broken.
Let’s start with the much publicised DDoS attack on Domain Name Server (DNS) infrastructure provider, Dyn in October, which left Internet giants such as Amazon, Facebook and Twitter all suffering major outages simultaneously. Hackers used Mirai botnet malware (which was recently made public) to infect tens of millions of IoT devices. These devices then delivered a massive DDoS attack against Dyn’s servers, pumping over 1TB of data into them every second until they buckled. Dyn is a major DNS infrastructure provider that counts many of the biggest brands on the Internet amongst its customers, all of which went down when Dyn was hit. Unfortunately, the growing proliferation of cheap, connected IoT devices – webcams, wifi speakers, wearables, etc. – is making it far easier for cyber-criminals to launch attacks such as the one on Dyn. Why? Because many of these devices are shipped with numerous vulnerabilities, such as outdated and un-updatable firmware, non-essential services and ports opened, and default usernames and passwords, which are never changed by the end user, and so are easily taken over.
It’s not just cheap domestic IoT devices being easily compromised either. This past July, a hacker reportedly took control of a journalist’s Jeep Cherokee and cut the car’s transmission while it was in motion. Even more worrying, Medical devices have also been hacked. In August, the FDA warned that an Internet-connected Hospira Symbiq Infusion Pump was vulnerable to attack and recommended discontinuing its use. This was because a compromised device could enable an attacker to remotely alter the dosage being delivered.
If you’re a leader in an organisation that’s trying to adopt IoT devices as a means to offer new services to customers, you should be seriously concerned by these reports. According to industry analyst firm Gartner, by the end of 2015, 4.9 billion of these connected “things” will be in use. That number is expected to rise to 25 billion by 2020. So, to coin a phrase, “Houston, we have a problem.” The good news is that there is a way to navigate to the promised land that IoT can deliver. But you have to take five steps to get there.
Step one – start with a ‘fit for purpose’ identity platform
Businesses and governments looking to add the IoT to their digital ecosystems as part of a digital transformation must consider if their identity platform can handle the challenges that come with the IoT. The only way to secure the billions of connected devices and manage billions of digital relationships that come with digital transformation is with a digital identity management platform built for IoT scale. A modern identity platform is the foundation for success with IoT and will help ensure you also get steps two, three, four and five right.
Step two - secure the IoT!
The fix is for digital organisations to select an identity platform that’s flexible, scalable and capable of connecting the identities of users, devices, and cloud services in a digital ecosystem. The ability to manage these myriad relationships within a digital identity ecosystem enables organisations to register users, cloud services, and connected devices, authorise and “de-authorise” their access to data, and apply policies for security and personalisation.
Step three - Understand context
Continued hacks of corporate and government systems highlight the enormous threat of digital attacks and data breaches. Organisations face significant financial, reputational and legal consequences if personal user data is leaked to the public or is hacked by cyber criminals. Relationships cultivated for years are lost in seconds when customer or citizen trust is compromised. Security for digital organisations must go beyond simply checking username and password. The IoT is particularly vulnerable as security and identity standards for connected devices are still being established.
Businesses and governments must be able to extend digital identity to all IoT devices in order to secure their digital ecosystems. Here’s where the right digital identity platform will provide continuous security across all users, devices and cloud services. Credentials are no longer enough to ensure security. Now, context is required to understand the true nature of the digital interaction. Does the customer usually log in from Norway? Do they have a wearable device that is allowed to access their health data? Around what time does this login usually occur, and what kind of system do they use? Customer and citizen digital interactions must be constantly monitored.
In addition to using contextual cues to evaluate user behaviour, user identity and access rights must be verifiable via SMS, email, security questions, or biometrics. If suspicious behaviour is detected, user data can be secured. Protecting personal data is essential for retaining customer and citizen trust. With billions of IoT devices going online and countless digital relationships developing, all identities in the digital ecosystem must be continuously authenticated.
Step four - continuously assess risk
For increased security, businesses and governments must constantly consider the context of user interactions within their digital ecosystems. By continuously monitoring context, organisations can build adaptive risk profiles for users, rating the risk of an IP address, location, sign-in time, and other contextual cues about the user to generate a risk score. Higher risk scores will trigger increased security measures like step-up or multi-factor authentication. Risk-scoring can also make it easier for verified users to access digital services by reducing security when risk is low. If the user has a low risk score because they are signing on from a recognised location on a corporate IP address, they may not even be required to enter a password. Advanced knowledge-based learning technology can also be applied to create a more complete user risk profile over time, by analysing user behaviour like keystrokes to gain a better understanding of user habits and patterns. With this knowledge of typical user behaviour, businesses are better able to respond with increased or decreased user security measures in real-time. To protect businesses and governments from hacks and breaches, continuous security provides adaptive ways to mitigate risk – a requirement in today’s digital ecosystem.
Step five - promote privacy
Businesses and governments are racing to protect privacy as increasing numbers of users, cloud services and connected devices go online. The IoT has led to an explosion of user data, and securely collecting and sharing this information is a fundamental component of successful digital organisations. However, if the relationship between organisation and user is not trusted and secure, customers and citizens will not share their information. Organisations will lose valuable insight into user history, tastes and preferences, which is critical for creating personalised experiences that customers and citizens demand.
Organisations must build a trusted digital relationship with their users which prioritises privacy and consent when sharing personal data. As previously mentioned, a breach of customer or citizen data can lead to a loss of revenue and a damaged reputation. Businesses and governments that successfully build digital ecosystems that empower customers and citizens to share data will, in turn, gain important user intelligence. Again, the right identity platform will help establish secure, trusted, and transparent digital relationships between users, cloud services and connected devices. And this platform should give customers and citizens fine-grained control over their personal data. In turn, this gives customers and citizens the ability to determine what users, cloud services, and connected devices can access their data, for how long, and under what conditions. Citizens can authorise data sharing from their connected home to utility companies, while consumers can give their connected car access to their music preferences, for example.
As we stand on the threshold of the IoT revolution, it’s clear that the future could deliver huge change and opportunity. Certainly, the scale of the challenge in front of many organisations in terms of the shift in strategy that IoT will demand is daunting, but with the correct identity foundation the IoT will deliver great personalisation and productivity gains.
Simon Moffatt, Senior Product Manager, ForgeRock
Image source: Shutterstock/a-image