February 13, 2020

Enforcing IAM on IoT Devices

Archit Lohokare Chief Product Officer

How can one enforce identity and access management on IoT devices that are less capable than typical compute devices, and yet render their network vulnerable?


Determining the right device identity is fundamental to enforcing identity and access management on IoT devices. For instance, some devices may be identified on the basis of their IP or MAC address, while others may have certificates provisioned to them. Additionally, newer machine learning techniques do not rely on these static identities alone; they also profile a device's behavior on the network (which APIs, services and workloads it interacts with, and which databases it typically communicates with) to augment our understanding of the device's identity. Adaptive access control policies that govern access to the network and to backend services based on this combined notion of identity and behavior would be one way to enforce IAM on devices that have less than typical compute resources.

Fine-grained network access control and micro-segmentation may also help, to the extent that they do not introduce unmanageable policy complexity in the environment. These capabilities not only ensure that only authenticated and authorized devices get access to the right services, but also ensure that even if a specific device is compromised, the exposed surface area is limited and lateral movement is kept in check.

API Access Management is another important consideration for devices as they communicate with back-end services. Leveraging standards like OAuth 2.0 is one effective way of enforcing authorization for these back-end services.

Another important consideration is to understand and establish a governance model around the lifecycle of identity for the devices in your IoT ecosystem. For instance, if certificates are used for authentication, ensuring that the certificates are provisioned and de-provisioned appropriately, access rights are only provisioned to devices that are updated (operating systems, firmware), etc. is critical.
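As an added illustration (not code from the post or from Idaptive's platform), here is the policy logic sketched across the three preceding points: a device is identified by a certificate fingerprint or, where it cannot hold a certificate, a MAC address; a request is denied when the certificate has expired or the firmware is below the approved minimum, quarantined for review when it falls outside the services the device was observed using, and allowed otherwise. Device names, services, versions and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Device:
    """Constructed inventory record for one IoT device."""
    device_id: str
    identity: str                  # "cert:<fingerprint>" or "mac:<address>"
    cert_expires: Optional[date]   # None for MAC-identified devices
    firmware: str
    baseline: set = field(default_factory=set)  # services seen while learning

MIN_FIRMWARE = "2.4.0"  # constructed minimum approved firmware version

def version_tuple(v):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))

def decide(device, requested_service, today):
    """Return (verdict, reason) with verdict in {"allow", "deny", "quarantine"}.

    Lifecycle gates (expired certificate, outdated firmware) come first; a
    request outside the learned baseline is quarantined for operator review
    rather than silently allowed, which also bounds lateral movement from a
    compromised device to the services it has legitimately used.
    """
    if device.identity.startswith("cert:"):
        if device.cert_expires is None or device.cert_expires < today:
            return "deny", "certificate missing or expired"
    if version_tuple(device.firmware) < version_tuple(MIN_FIRMWARE):
        return "deny", "firmware below approved minimum " + MIN_FIRMWARE
    if requested_service not in device.baseline:
        return "quarantine", requested_service + " outside observed baseline"
    return "allow", "identity valid and request within baseline"

# Constructed sample inventory and evaluation date.
TODAY = date(2020, 2, 13)
SAMPLE_DEVICES = {
    "cam-01": Device("cam-01", "cert:ab12", date(2021, 6, 30), "2.4.1", {"video-ingest", "ntp"}),
    "sensor-07": Device("sensor-07", "mac:00:11:22:33:44:55", None, "2.4.0", {"telemetry"}),
    "gw-03": Device("gw-03", "cert:cd34", date(2019, 12, 31), "2.5.0", {"telemetry", "config-api"}),
    "plc-02": Device("plc-02", "cert:ef56", date(2022, 1, 1), "2.3.9", {"scada-hist"}),
}

if __name__ == "__main__":
    for dev_id, svc in [("cam-01", "video-ingest"), ("cam-01", "config-api"),
                        ("sensor-07", "telemetry"), ("gw-03", "telemetry"),
                        ("plc-02", "scada-hist")]:
        print(dev_id, svc, *decide(SAMPLE_DEVICES[dev_id], svc, TODAY))
```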

Finally, many of these devices have root accounts that administrators use for maintenance. Sharing root accounts between multiple individuals is a security and compliance nightmare. In such cases, leverage privileged access management capabilities such as password vaults that support account check-in and check-out and rotation of passwords.


You can keep access to devices in your IoT ecosystem secure by deploying Idaptive’s Next-Gen Access Platform today. Take the first step towards Zero Trust security, and learn more here.


This post originally appeared in a Quora Q&A session hosted in January 2020. Our CPO Archit Lohokare was asked to discuss the state of cybersecurity, Zero Trust, artificial intelligence and machine learning, and working in the security field, among other things. Stay tuned as we share more of his answers in our blog!

Archit Lohokare

Chief Product Officer

Archit Lohokare is Chief Product Officer at Idaptive, where he is responsible for product strategy, driving innovation, and bringing new products and services to market. He transitioned over to Idaptive as it was spun out from Centrify, where—as Vice President of Product Management—he led the Identity-as-a-Service (IDaaS) and Unified Endpoint Management product portfolio. Prior to Centrify, Archit was Vice President of Products at Optymyze, where he led the product management team responsible for the company’s Sales Performance Management and Sales Platform-as-a-Service SaaS and PaaS solutions, securing a Leadership position in the first Gartner Magic Quadrant report on Sales Performance Management along the way.

Earlier in his career, Archit led Symantec's Cloud Information Protection Security-as-a-Service offering and IBM's Access Management product line, comprising the Web Access Management, Identity Federation, Enterprise Single Sign-On, and Risk-based Access and Entitlements Management products. Archit joined IBM through the acquisition of Encentuate, a leading Bay Area start-up in the security software space; as an early employee, he had the opportunity to contribute to its successful exit.

Archit has an MBA from UC Berkeley-Haas School of Business, and a bachelor’s degree in Computer Engineering from NTU, Singapore, where he was awarded the SIA-NOL undergraduate scholarship by the Ministry of Education, Singapore.

Archit is an avid history buff, enjoys reading in his spare time and running breathlessly after his one-year-old, hyperactive son.


If Archit could have any Chameleon-like superpower, it would be the ability to change colors quickly and adapt. “Actually, it would be like the ability of our IAM solutions to adapt instantaneously to a customer’s environment and user behavior. Anomalous user access? A snap! Presto, change-o – like a chameleon from green to red in an instant, adapt to the change in user behavior and request user to assure their identities using multi-factor authentication...”