[podcast] IAM for IoT
In this episode, Jeff and Jim talk about a topic suggested by listener Kerem B.: How to approach IAM for IoT (Internet of Things).
For more IoT Security info, visit www.iotsecurityfoundation.org.
We hope you enjoy this episode and please subscribe to our podcast for updates on new episodes!
Disclaimer from Identropy: These transcripts are produced using automated tools, so they may not be an exact word-for-word transcription (i.e., if you read something that sounds wrong, it's the tool's fault!). As always, for a better experience, please listen to the actual podcast.
Podcast #33 Full Transcript:
Identity At The Center #33 - IAM for IoT
Jeff: Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim.
Jim: Hey, Jeff. It's Friday.
Jeff: It's Friday for us, for sure.
We are recording this one early because we're both on the road next week. You're out visiting a client in the New York City area, and I'll be out at the RSA Conference in San Francisco. So I'm anticipating my weather will be better than yours, I hope.
Jim: I'll tell you what, I mean, it can be worse. I mean, in the Southeast United States it has been raining pretty much nonstop. We're getting a bit of a break today. I was thinking about going and getting some lumber and building an ark because I was really starting to get depressed and worried.
Jeff: Make sure you get the right permits, or you'll run afoul of the law.
Jim: Oh, yeah. Such a criminal.
Jeff: So today's topic comes from listener Kerem, I hope I pronounce that correctly, about IoT and IAM, or basically Internet of Things and IAM. Jim, I know you've run a few projects on this. Why don't we start with what is a thing? And that's a loaded question, I know.
Jim: What is a thing? Well, a thingamabob. No, yeah, I have been focused on this space at various points throughout my IAM career. And I think it's one of the most fascinating and fast moving areas of IAM. To answer your question, a thing: normally we think of a thing as a device, but more broadly it could be a service, a system, an application or a data source. But usually, when people are talking about the Internet of Things, they're talking about devices that are IP aware or network aware and can provide information over the Internet. So just some common things that I can think of, and I'm using the generic word "things" because I can't think of anything better, would be things like thermostats. I've had a smart thermostat. And one of the things I want to say is it's not just the Nest thermostat that we all think of when we talk about things. It's even basic sensors that are installed in areas that need to take temperatures and report them back to the mother-ship. Webcams, smart appliances like refrigerators, healthcare wearables, so things like either diabetes testing kits or devices, or smart watches, and handheld scanners. So you think of like a warehouse environment or a big box store where they have scanners and they can scan bar codes and plug in information through a user interface. Obviously, a big one now is connected cars, and smart TVs, portals, aestheticism portals and home security systems, industrial machines that are collecting various metrics, things like temperature but other things as well, and reporting those back to some kind of big data system.
Are there others coming to mind for you?
Jeff: I mean, you covered pretty much everything. I'd say anything that's taking data, right, and transmitting it to somewhere else. There are a lot of consumer devices out there, Alexa, right, the Google devices, and little pucks that you put around your house that tell it to turn the lights on and off, even the light bulb itself. So I think we've got that part. So how is managing the identity of a thing different than managing a human identity?
Jim: Let me add a little bit more. I just thought of another dimension of this, or of things, which is that not all things are created equal. So we talk about, like, panels. One of the IoT projects I was involved with was around the use of panels in office settings where they were basically connected to the fire system, the emergency management panels. Those were things that were connected to the Internet, connected back to a main application. Those are pretty smart devices. They were essentially computers that had a screen on them. But also, like I mentioned, there could be really dumb sensors within a machine in a factory, just taking the temperature and reporting the temperature back maybe every second or every five seconds or every minute. It doesn't have an operating system, doesn't have a user interface. It's got very basic capabilities. Most IoT devices use lightweight protocols, but most of them rely on HTTP, especially the panels. Those are basically Internet connected devices. Yet some of those real basic devices aren't even enabled over HTTP, which, as we get into this conversation, is going to lead back to, well, how do they use some of the protocols like OAuth 2 and things like that. I might be getting a little bit ahead of myself. But what I really wanted to say is that there's this kind of broad spectrum of what we consider IoT. The panel in your Tesla is much more enabled and much more Internet aware than the sensor built into a machine in the factory.
You ask me a question, and I totally went another direction.
Jeff: The train keeps rolling. Yeah. I was just curious, from an identity standpoint, how is it different to manage a thing's identity versus a human identity?
Jim: Right. Well, I think there are a couple of things. One is that you think about relationships. So those devices, for the most part, especially when they're in the commercial space. So this is really where I was going with that earlier point: there's such a broad spectrum of what a thing could be. If you are concerned with the connected car, it's a totally different use case than if you're just collecting temperature settings from a machine that is mixing batter or something like that and reporting the temperature just to make sure that the temperature is not getting out of whack. Those are two totally different use cases, but they're both in this bucket of Internet of Things, kind of in the commercial sense. One of the things that I think is fascinating to think about when it comes to IoT:
All of these devices I mentioned, like healthcare wearables, those are something that belong to me as a person. So if I want to use that healthcare wearable that gets connected to the Internet, and I also want that data to be connected to me and not be available to anybody else, I have to have a relationship between my human identity and the wearable identity, or the wearable, however you want to look at the thing. So I've got to build that relationship somehow.
I've got to model that relationship. And I think that's one of the key things to keep in mind as you're developing your system: how are you going to create that relationship between a human, or if it's a customer it might be an organization, the relationship between the device and the organization, or the device and the person. Even if it's a device to an organization, an organization doesn't know how to manage things. People have to go in there. So there's then the relationship between the person, the organization and the device. So that's really where I think a lot of the complexity from an IAM perspective can get involved. So I think when we think of IoT, to start with, the first thing that comes to mind is the authentication. How do we ensure that the person logging in to Jeff's Tesla is truly Jeff? Right. And that's an important part. But how does that relationship between Jeff's Tesla and Jeff get established? A lot of times, Jeff needs to create an identity, and then the Tesla needs to also have an identity, and then the two need to be linked. And then also think about, you know, we're IAM people, so we worry about the full lifecycle. What if Jeff sells his Tesla to Jim at a very good price?
Well, now Jeff's relationship with the Tesla is broken.
And now Jim has established a relationship with the Tesla, and Jeff shouldn't be able to log into the portal at any point in the future and change settings or things like that. So that's one of the really fascinating aspects of IoT, and again, this is one of the things I think is really important. A lot of times in IAM, if you're focused on enterprise IAM, a lot of things are like, the company really should change to adopt and embrace best practices, where things are going with identity and access governance, single sign-on, access reviews and things like that, how somebody gets imported from the HR system; all those kinds of things, everybody should move toward best practice. In IoT IAM, just kind of following the best practice model isn't necessarily the answer. You really need to think about your particular use case and how you're going to solve it. At the same time, there are some underlying technologies and standards that you do want to follow.
Jeff: So, I can see the human aspect of it, right. It's really about relationships. You've got your device, you've got the device owner, and then you've got whatever the control plane is for that device.
So there's this kind of three-way relationship that has to be figured out. And at any point the device can shift ownership. And that's where we have things like pairing and so forth. So I would imagine, when you talk about best practices, a lot of best practices for IAM, some of them may apply, some of them might be different when it comes to IoT. Specifically, what would be some of the differences between a standard IAM process versus maybe some that are more IoT focused?
Jim: OK. Here's a good one. Registration would be a process where I could see things being quite different. Normally when I have to go and register as a human being, there is some identity verification: they send me an email, and I click on the email to prove that I have that email address. It's similar but different with a device. There's often a requirement to prove that the device is authentic. Not only so that we can stop hackers, so that people aren't just going and trying to create a bunch of fictitious devices, but also so that cheaper knockoff versions of those devices can't use all the technology that a company invested in. So we're talking about, well, a Fitbit or a smartwatch, the ability to have that device register with the portal and now be associated to my identity so that I can log into the portal. I need some way to prove that the registration from that device is authentic. And a lot of times those are going to be hard coded keys or certificates on the device itself that can be sent to the mother-ship and verified in some way. So that's one thing I can think of as being quite different.
Jeff: So where would you track the identity of those devices from our registration standpoint?
Would you have like a separate directory or something that you would keep for devices versus humans or co-mingle them? What do you think?
Jim: It really would depend on the underlying technology with which you're managing all this. With a lot of cloud based solutions, you don't really have to worry about the storage of the data. If you have a kind of on-premises solution, say, for example, a relational database or an LDAP as your back end, you probably want to have some kind of logical separation between the devices and the people, because you're very likely to have a different schema for the data that you store about a human versus a device. But I guess I really would say that would depend on the technology that you're using to manage all this.
Jeff: And I'd actually keep it separate because then that also may help from an authentication standpoint. These devices are constantly connecting and disconnecting to different services, and callbacks and ping backs and whatever things are going on behind the scenes; that may make it easier to manage from the authentication standpoint as well.
Jim: Right. I mean, when you think about this, every time the devices are calling data back to a server or an API, I keep calling it the mother-ship. It's kind of a catchall term for an API or a web service that's waiting for this communication. What's the temperature of the house, for example? Each time it does that, you don't want to have to have the human being go over and punch in a code or punch in their password. It's got to be machine to machine. It's got to be able to communicate. At the same time, it needs to authenticate in a secure way, and everybody wants to get away from hard coded usernames and passwords. It's just not secure enough. So you wouldn't want to go into the panel and just have it be a username and password, and then that's what actually gets passed to the server. You want to use something like a token based architecture, or something like OAuth 2, where it might take that username and password the first time, but it's going to exchange those for a token or a set of tokens. And from that point forward, those tokens will be used to authenticate to the API, and that will enable the data exchange.
Jeff: And you'd probably establish some sort of token lifetime or something along those lines, because you don't want those tokens potentially to be out there forever.
Because when I sell you my Tesla at a good price, if my token isn't invalidated, right, you know, however that would work from an ownership change perspective, then you don't want to have that reporting back to the person that no longer owns the device.
Jim: That's right. I think, rather than getting into trying to give guidelines for what those timeouts should be, I really think you should work with your technology vendor to understand what their recommended best practices are. Of course, depending on your use case, and you'd mentioned a really interesting use case there, you may want to adjust. You mentioned the Tesla, so we wouldn't want it to time out. If our device was something that was likely to never change hands, we might be able to use less network communications or authentication if we were able to stretch out that timeline. But I think it's a matter of working with your vendor and understanding what they recommend.
Jeff: Right. This is the security versus usability conundrum. Which side is it going to err on? Something that maybe requires more security has a shorter token life, or maybe dies on each case. Something that is less security sensitive and more on the usability side would go the other way. So, yeah, there is no one size fits all from that perspective. I want to ask a question around the identities themselves.
So if we're putting together an IAM system, you typically have an identity source for humans, right? Maybe like an HR system, something like that. You typically have an identity source, or hopefully you'll create one, for non-employees, let's say. So let's say there's something else. Would you treat an identity source for things differently? Because what I'm thinking here is, you know, pull in all the sources of identity into your IAM platform, and then how would you treat the thing's relationship with the humans that it would be associated with? Is it like an entitlement assignment or something along those lines?
But I'm curious to see what your thoughts are on.
How would you handle the identity aspect within an IAM system, for example?
Jim: Right. So, funnily enough, in some of the projects I'd done in the past, which were on a particular platform, the platform used on the access management side had an LDAP as the datastore. And in that, there was a schema for human beings and a schema for things, and they were treated like objects within the directory. Now, if you're going with a different system and you're convinced, you've obviously made the decision, you've kicked the tires and you feel like it can handle your IoT use case, I recommend that you follow the solution that they've outlined. Maybe it is an entitlement; maybe that's how they're going to store the things within their system. My experience has been that if things were objects, things had a life of their own. In other words, they have attributes associated with them. So one thing might be a Nest thermostat within my house, but it has a serial number, it has some other attributes, maybe a manufactured date. There are some things that are more dynamic and other things that are more fixed. But one of the things that's true within LDAP is that you have an extensible schema, so you can store as much information about that particular object or device as you want.
Jeff: How would you tackle that specific use case?
Jim: What I would say is that more and more of the IAM projects that I've been involved with, anyway, are moving to cloud based solutions.
So in other words, people are less and less installing their own LDAP and coming up with their own configuration. Most companies don't want to have to deal with that. At the same time, if you take on a cloud based solution, the back end of how they're putting it together is probably either a relational database or LDAP. Potentially it's a NoSQL database like a MongoDB type of database.
But even some of the most common household name access management vendors are built on relational databases.
Jeff: So that relationship is important too, because it really seems like, from an IoT perspective, it really comes back to the relationship between owner and thing and making sure that core is in the state that it needs to be, not to mention non-functional things like scale and reliability, things like that.
Jim: Yeah, I think that scale is a really important aspect. You have to imagine that IoT is blowing up. It's happening all around, from like smart TVs; everybody's got a smart TV today. In the past we've talked about large enterprises being one hundred thousand people or a couple hundred thousand people, and we talk about big customer IAM implementations being 20 million people, 50 million people. You especially get to that scale with IoT, where you're talking multitudes of that.
And not only that, when you think about people accessing a Web site to book a hotel or to check their points or things like that, they're not doing it every day, several times a day. IoT devices are going out and hitting your services all day, every day. And if you have hundreds of millions of devices hitting your services all day, every day, wow, you can really see how you need to have a solution that's going to scale. And I still think, even if you're going toward a cloud service, you have to do your due diligence in terms of doing proper load and performance testing, because you definitely don't want to roll it out at that scale and have things come down. You're probably going to end up on the nightly news and it's just going to be embarrassing for your company. So I think it behooves us all to do our due diligence and not just accept blanket answers. Usually people who are responsible for these types of solutions, the scale, they know that. Right. They've got their battle scars. In terms of reliability, it's the same thing. You really just can't have your services go down. If your Web site goes down for an hour or something, sometimes that's fine. But not if you've got some kind of medical device like a diabetes blood sugar tracking system, or things that obviously have to do with people's life and death situations. But even if it's temperature control systems in a warehouse or in a factory that's running 24 hours a day, those systems need to be up and available. So reliability is extremely important.
Jeff: Yeah. What about the security aspect of it?
Jim: I think from a security perspective, this is the big one. There's, I shouldn't say everybody out there, but a lot of people out there trying to break into systems all the time, and a lot of times the Internet of Things devices are the targets because of things like they're not being updated, so they have firmware that never gets updated, they've got an old system that maybe has security flaws, they might use default or weak passwords. Also, if they're sitting on a corporate network or even a home network, people can bridge traffic within the network. So one of the things that I had heard a while back, and I'm just kind of thinking through it out loud, was that a lot of corporate printers now all can have Wi-Fi capabilities, as well as they can be like a Wi-Fi hub. And so one of the ways that hackers were actually starting to try to break into corporate networks was they were using drones, landing on top of corporate buildings and trying to scan for Wi-Fi, which would be on, say, a printer, and then be able to bridge through. So you can obviously see that's a huge security flaw.
Jeff: The Wi-Fi pineapple, it's an interesting story to talk about. OK. I know that there is a Web site it's iotsecurityfoundation.org and they have a lot of kind of more information behind the scenes on some of the things to consider as well. So I'll be sure to put that as a link in the show notes. Is there anything else from an IoT IAM perspective that you want to talk about?
Jim: No. I just was thinking about something I just said there around firmware.
Firmware really seems to be the potential downfall. I mean, you get a printer, scanner or anything that has firmware, and it feels like every time you go and check, there's new firmware. There is, right? And it can get out of date very quickly. A lot of times security is driven through updates of firmware. And I think, if you're an IAM practitioner kind of getting into an IoT project, here's maybe a non-functional requirement: can your IAM system check the level of firmware of the device that's connecting and make sure it's at the appropriate level, and then take action? It does not necessarily have to block the authentication; maybe it blocks the authentication depending on the use case, or maybe at some level it triggers an alert back to an administrator or to some kind of workflow to make sure that the issue gets addressed. So depending on the use case, if you're talking about enterprise IT and you're finding out the firmware of certain devices is out of date or not up to standard, now you can start to catalog which ones are out of date. Or if you're doing a big B2C type of solution, maybe you want to block the authentication or send an email to the person who has a relationship with the device and let them know the firmware is out of date, there have been security patches made to this firmware since then, so please update.
Jeff: Firmware is important. I know that's one of the areas that, like for mobile devices, cell phones, for example,
is an area that you have to be kind of careful around. So iOS has their certificates, and they stop signing old versions of their OS and the firmware updates that are associated with it to try and combat that, because that used to be, and I'm sure still is, a way to kind of backdoor your way into a device if you're trying to get access to something you maybe don't have normal access to.
Ok. What else?
Jim: That's all that's on my mind at the moment.
Jeff: All right. Well, then let's leave it there for now. I want to thank Kerem again for that email and that question. Hopefully that helps. If you've got questions yourself and you want to send them to us, you can send them to firstname.lastname@example.org. And with that, we're going to go ahead and close this one out, and we'll talk to you on the next one.