IoT in desperate need of more robust identity and access management
Dimitrios Pavlakis of ABI Research
The future of Identity and Access Management (IAM) in the Internet of Things (IoT) will escape the confines of user-focused identity and transition toward a more inclusive model. The new multi-faced approach will include machine and system identity along with IoT device and platform management operations, according to a new analysis research report by global tech market advisory firm ABI Research.
IAM is yet another identity and security framework that poses significant challenges when crossing from the IT realm onto the IoT. Most cloud providers regard IAM as a purely user-focused term while other IoT device management and platform providers make references to IAM in device access control.
“IAM in traditional IT environment is used to streamline user digital identities and to enhance the security of user-facing front-end operations using a variety of management tools, privilege management software and automated workflows to create a user-focused authorisation framework,” says Dimitrios Pavlakis, senior cyber security and IoT analyst at ABI Research.
The explosion of IoT technologies has significantly increased the sheer volume and complexity or interconnected devices, users, systems, and platforms making traditional IT IAM insufficient, if not problematic in some cases.
“Insufficient access control options, legacy infrastructure and proprietary protocol dependencies, traditionally closed networks, the fervent increase in digitisation, albeit with lackluster security operations, are some of the most prominent challenges for IAM in IoT,” Pavlakis explains.
Regardless of which IAM terminology is used, these challenges along with the highly complex IoT identity value chain point toward a more competent model of IAM, which touches upon various technologies and security protocols to be considered under the IAM umbrella including, user privilege management and on-prem access control, edge-to-cloud integration, cloud directory-as-a-service, system and machine ID, data security and governance, API management, IoT device identity, authentication and access control.
“The justifiable lack of a unified IoT security standardisation framework, the fact that organisations are always on a reactive approach versus proactive, the emergence of the new cyber-threat horizon and the ever-present budget restrictions also forces implementers to create an ‘approximation’ of IAM protocols by examining IoT applications on a case by case basis,“ Pavlakis adds. “No matter how you slice it, IAM in Industrial IoT obviously ought to be significantly different than IAM protocols in finance settings and further blurs the lines between access control for system, machine and user ID.”
Prominent IT IAM vendors include Cisco, IBM, Microsoft, Oracle, RSA, ForgeRock, Giesecke and Devrient, Ping Identity, Idaptive, Micro Focus, Okta and Ubisecure while new vendor categories under the IoT IAM umbrella can include telcos, IoT device, gateway management or platform providers including Entrust, Globalsign, Pelion, Sierra Wireless, Cradlepoint, Kerlink, and Advantech.
These findings are from ABI Research’s Identity and Access Management Solutions for the IoT application analysis report. This report is part of the company’s Digital Security research service, which includes research, data, and analyst insights. Application Analysis reports present an in-depth analysis of key market trends and factors for a specific technology.
Comment on this article below or via Twitter @IoTGN