Whether you’re buying into IoT technologies or building apps or services around them, here are 9 key takeaways to give you guidance.
Last month's webinar, The Pitfalls and Promises of Authentication in the IoT, was a huge success. For those of you who couldn't join us, here is a quick recap of the 9 key takeaways we covered regarding authentication in the IoT, based on guidance from three recent pieces of research.
From the Cloud Security Alliance (CSA)
1. Identity relationship management – not IAM – is key
IRM frames a new identity ecosystem as the Identity of Things (IDoT). The IDoT refers to the relationships between devices and humans, devices and devices, devices and applications/services, or a human and an application/service. All of these relationships need to be understood and accounted for throughout the product workflow, whether humans are involved or just devices.
2. Smartphones will be the primary means of authentication in the IoT
The vast majority of consumer interaction with IoT devices will be through their smartphones. As the guidance says, “The next generation smartphones would drive different types of authentication mechanisms like facial recognition using the front-facing camera, voice recognition, gesture dynamics and handling dynamics in addition to traditional biometrics such as fingerprints. These smart phones could even be used for enterprise level local authentication to IoT devices.” This requires us to have high assurance in identifying and authenticating the user’s smartphone.
3. Leverage built-in security controls
Leveraging existing protocols such as CoAP, DDS and REST to allow interoperable authentication and authorization transactions between different manufacturers’ IoT devices is key. These are tried and true protocols that already exist, and developers should build on them before trying to create new standards.
“No single method for peer authentication and end-to-end data protection meets the Internet of Things (IoT) device security and operational requirements.”
4. Mobile devices fill multiple roles in the IoT scheme
Remember that mobile devices aren’t just an endpoint or an appendage. They can also serve as aggregators and gateways, making them the linchpin of an extended authentication network.
5. Domains & classes drive delegation of trust models
Critical to security is understanding the Gartner delegation of trust model. This means not just knowing the difference between Class 1, Class 2 and Class 3 devices, but understanding that a Class 3 device, for example, will set the authentication requirements for its associated Class 1 devices.
6. Build your trust model based on “hops”
Make sure you understand the different security (and authentication) needs based on when and where a device communicates. If a communication goes beyond one hop, the authentication requirements will likely change.
From the Open Web Application Security Project (OWASP)
7. Multiple perspectives matter
OWASP provides guidance for everyone involved in building, buying and deploying IoT devices: manufacturers, developers, and customers. Each perspective brings a unique set of needs.
8. Provides a comprehensive framework
OWASP is one of the few sources for a comprehensive framework covering all aspects of IoT security, for both industrial and consumer uses. Frameworks make sure all bases are covered, reveal gaps, and keep developers and implementers from having to “reinvent the wheel” each time.
9. Provides a unique authentication focus
OWASP is the only security framework we’ve seen that specifically addresses the unique needs of authenticating devices and actors in the consumer IoT. A complete guide on how to assess the overall security and efficiency of authentication methods is included.
For details on each of these points, I encourage you to watch the webinar recording.
To learn more about iovation Customer Authentication and the role it can play in your organization, please visit our website to request a demo.