I just checked. I have 28 devices on my home network. Not a huge number, but a lot for my family of three. The weird thing is, I’m not even sure what they all are. Sure, I recognize my media player and my daughter’s game console, but one is just labeled “Android Device.” What’s that?
These 28 devices are just a tiny sliver of 25 billion or so Internet of Things (IoT) devices that are connected to networks worldwide. That number is expected to more than triple by 2025. That’s more than 10 devices for every man, woman, and child on the planet. With that many devices, a security problem that impacts just a tiny fraction of them can be catastrophic.
Still, as long as I don’t let anything in from outside my personal network, I feel pretty good about my security at home. Unfortunately, in the enterprise “outside” and “inside” are meaningless terms. “The firewall” stopped being the boundary years ago. We don’t fully trust the people on the network within our firewalls. We even manage and monitor their access. I would suggest that we should manage our IoT devices in a similar way.
Treating IoT devices as “identities” isn’t so odd once you think about it. Like employees and other people who interact with our enterprise, they have a lifecycle. They join the organization, change over time, and then eventually leave the organization. We have tools in place to manage the carbon-based identities that interact with our organizations. Why would we treat our robots differently?
There are three specific paradigms we can borrow from identity management in managing our robots.
There are some challenges in using existing identity management systems to manage IoT devices. The biggest hurdle is simply that most corporate identity management systems were not planned with IoT in mind. The likelihood is that there will be several IoT device identities for every human identity. Existing deployed identity management systems may not scale to the levels required to support the number of identities they will now be managing. As organizations are making technology decisions and replacing existing solutions, it will be important to take this scale into account. When replacing existing solutions, ensure that your vendor’s solutions are considering IoT identities and are prepared to support this new paradigm.
The rise of IoT has introduced new challenges to security in the enterprise. Like most security challenges, protecting against threats is the basic work of good IT hygiene. Organizations can adopt existing identity management best practices to meet this new challenge. And organizations should look to their vendors to support the new “robot” paradigm in their solutions.
Interested in learning more about topics like this and others? Mark your calendars for the upcoming InfoSec World Conference & Expo. Click here for more information on the event.