Many businesses use enterprise-level IoT devices to help workers get things done more efficiently or to assist with meeting facilities management needs. But there is one area where enterprise IoT falls short: identity management.
Also known as identity and access management (IAM), identity management ensures that the right people have access to the systems and information needed to do their jobs and nothing more. But, one of the pervasive concerns regarding the IoT is that many of the associated technologies were not built with IAM in mind.
The trouble with enterprise IoT and its identity management problem
Credential abuse is already problematic
Credential abuse or misuse happens when people attempt to access or successfully access systems by circumventing the access control systems that are in place. Sometimes this happens when people innocently do things to try and help their colleagues, such as sharing passwords with them to avoid delays while those people wait for IT department personnel to give them their own passwords.
But, in other cases, malicious intent is the driver, and people take advantage of a lack of IAM to get access they shouldn’t have. A recently released BeyondTrust global survey found that 64% of respondents believe they’ve had either direct or indirect breaches as a result of employees misusing or abusing access privileges.
To bring this discussion back to the IoT: many IoT devices don’t ship with the kind of robust password management needed at the corporate level. That gap represents a lucrative market opportunity, according to analysts at ABI Research, whose report projects that revenues related to IAM for IoT devices could reach $21.5 billion by 2022.
Some IoT devices have default passwords
One of the known problems with identity management and IoT devices is that some of those gadgets come with default passwords that users are supposed to change — but never do. Sometimes, the problem originates at the router level. Findings from Positive Technologies indicated that about 15% of device passwords never get changed from their default values.
Moreover, problems arise when people use frequently chosen username/password pairs. More specifically, the Positive Technologies research indicated that using the five most popular such pairs allows access to 1 in 10 devices.
On a positive note, the use of default passwords will become a thing of the past in less than a year. California legislators passed a law that comes into effect on January 1, 2020, and requires all connected devices to come with unique passwords if those products get sold or produced in California.
That’s a step in the right direction considering that most companies likely won’t want to create some devices only for Californians and others for the rest of the U.S. But, if everyone at a business knows the dedicated password for a device and uses it, identity management still doesn’t work. There may be some people who shouldn’t have access to the IoT device, but by knowing the password and using it, they have unnecessary privileges.
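The two password problems described above, a device still carrying its vendor default and a single device password shared by everyone who uses it, can both be handled at the point where a device is enrolled and its control interface is brokered. The following is an added illustration, not code from the article or from any vendor product; the device names, the roles, the action names and the denylist of default username/password pairs are all constructed placeholders.

```python
"""Per-user access to an IoT device's control interface (constructed example).

This is added illustration code, not from the article or any vendor product.
It models two points from the password discussion:
  1. enrolment refuses a device whose admin credential is still a vendor
     default or one of a small set of widely used username/password pairs;
  2. control actions are authorised per named user and role, so knowing the
     device's password does not by itself grant every action to everyone.
Device names, roles and the denylist are all constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed denylist of vendor-default and commonly chosen pairs. A real
# enrolment policy would load this from the organisation's own list.
KNOWN_DEFAULT_PAIRS: Set[Tuple[str, str]] = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}

# Role -> actions permitted on the device control interface (least privilege).
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "viewer": {"read_status"},
    "operator": {"read_status", "toggle"},
    "device_admin": {"read_status", "toggle", "update_firmware", "rotate_credential"},
}


def credential_is_default(username: str, password: str) -> bool:
    """True when the pair matches a known default; username compared case-insensitively."""
    return (username.lower(), password) in KNOWN_DEFAULT_PAIRS


@dataclass
class Registry:
    """Holds enrolled devices, per-user grants and an audit trail."""
    # device_id -> admin username. The device password itself stays in a
    # secrets store (not modelled here) that only this broker reads, so users
    # never need to know or share it.
    devices: Dict[str, str] = field(default_factory=dict)
    # user -> {device_id -> role}: each person has their own identity and role
    grants: Dict[str, Dict[str, str]] = field(default_factory=dict)
    audit_log: List[tuple] = field(default_factory=list)

    def enrol(self, device_id: str, admin_user: str, admin_password: str) -> bool:
        """Admit a device only once its admin credential is no longer a default."""
        if credential_is_default(admin_user, admin_password):
            self.audit_log.append(("enrol_rejected", device_id, "default_credential"))
            return False
        self.devices[device_id] = admin_user
        self.audit_log.append(("enrolled", device_id))
        return True

    def grant(self, user: str, device_id: str, role: str) -> bool:
        """Give one named user one role on one device; unknown roles or devices are refused."""
        if role not in ROLE_ACTIONS or device_id not in self.devices:
            self.audit_log.append(("grant_rejected", user, device_id, role))
            return False
        self.grants.setdefault(user, {})[device_id] = role
        self.audit_log.append(("granted", user, device_id, role))
        return True

    def authorize(self, user: str, device_id: str, action: str) -> bool:
        """Per-identity decision: a user gets only the actions their role allows."""
        role = self.grants.get(user, {}).get(device_id)
        allowed = role is not None and action in ROLE_ACTIONS[role]
        self.audit_log.append(("authorize", user, device_id, action, allowed))
        return allowed

    def actions_for(self, user: str, device_id: str) -> Set[str]:
        """What this user may do on this device; empty set if there is no grant."""
        role = self.grants.get(user, {}).get(device_id)
        return set(ROLE_ACTIONS[role]) if role else set()


if __name__ == "__main__":
    reg = Registry()
    print(reg.enrol("lobby-cam-01", "admin", "admin"))  # False: still a default
    print(reg.enrol("lobby-cam-01", "admin", "uniq-per-device-secret-7f3a"))  # True
    reg.grant("alice", "lobby-cam-01", "viewer")
    reg.grant("bob", "lobby-cam-01", "device_admin")
    print(reg.authorize("alice", "lobby-cam-01", "toggle"))  # False
    print(reg.authorize("bob", "lobby-cam-01", "update_firmware"))  # True
    for entry in reg.audit_log:
        print(entry)
```

The design point is that the device's own credential becomes a secret the broker holds, while every decision and every audit entry is tied to a named person and a role. A viewer who knows the device exists cannot push firmware, and the audit log shows who tried what, which is exactly what a shared device password cannot provide.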
Personal assistants are always listening
Another problem associated with IoT gadgets and IAM is that most IoT devices with a personal assistant component are always listening for their wake words. However, some companies that sell those products are not clear about how they use the information collected when a device listens. As such, there’s an understandable worry that the virtual personal assistants in many IoT devices might unintentionally divulge company secrets.
The potential enterprise security risks for IoT devices came into the spotlight again when a court requested data from an Amazon Echo smart speaker in conjunction with a 2015 murder case. Analysts weighed in and pointed out that in civil matters concerning enterprises, all data possessed by the business could become evidence viewed by a court, including whatever information an IoT gadget like a smart speaker contains.
So, to return to the matter of IAM, the way that always-on IoT gadgets work means that any parties authorized to use IoT devices at work should also ideally get training about avoiding discussing sensitive company material in any room containing an IoT device. That’s because even if an IoT gadget is appropriately locked down so that only authorized people can use it, the device could still record confidential information.
Companies stepping up to the challenge
Thankfully, some companies recognize the IAM issues posed by IoT devices and have technologies to fix this security gap. One of them is Aerohive, which has a product called Aerohive A3. It has features that recognize each IoT device used on a company network and assign the appropriate access controls to those devices.
There are a variety of access controls within Aerohive’s product that companies can tweak to meet needs. Plus, the available guest solutions are ideal for people who require short-term network access for an IoT device.
Rethinking identity management in the IoT era
The traditional view of IAM is that it relates to whether or not certain people can access particular resources. That aspect still applies, especially regarding the access given to the interfaces that control IoT devices. However, it’s also necessary to start thinking of identity management in terms of the devices used on a network.
A company likely wouldn’t give generous access privileges to a person with a history of carrying out questionable acts at past workplaces. Instead, that individual would have to prove themselves worthy of getting more access and could do that by demonstrating their reliability and trustworthiness over time.
Similarly, a company should not assume that an enterprise-level IoT device is free from security flaws that could put the business at risk. Identity management, in this case, means investigating IoT devices for issues before allowing network access and, even then, granting them a limited amount of it. In other words, the company views an enterprise IoT device like an unproven person.
Treating devices this way lowers the likelihood that an IoT device, or the people using it, pose preventable and dangerous risks to the organization. IoT devices used at the enterprise level can indeed be convenient. Being mindful of identity management while using them helps ensure companies don’t get so wowed by the technology that they let access controls lapse.
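The "unproven person" model in this section can be written down as a small access policy: a device is quarantined until the checks the article names have passed (it is inventoried, its default credential has been changed, its firmware is on an approved list), it is then admitted with limited reach only, and it earns broader access once a probation period passes without incident. The code below is an added illustration, not from the article or from any product it mentions; the tier names, destination names, firmware versions and the 30-day probation length are constructed assumptions.

```python
"""Progressive, tiered network access for enterprise IoT devices.

Added illustration code, not from the article or any vendor product. It
implements the article's view of a new device as an unproven person: a device
sits in a quarantine tier until it has been checked (inventoried, vendor
default credential changed, firmware on an approved list), is then admitted
with limited reach only, and earns the standard tier after a clean probation
period. Tier names, destinations, firmware versions and the probation length
are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

QUARANTINE = "quarantine"  # may talk only to the onboarding/patching service
LIMITED = "limited"        # may also reach its own controller
STANDARD = "standard"      # normal segment for devices that have earned trust

TIER_DESTINATIONS: Dict[str, Set[str]] = {
    QUARANTINE: {"onboarding-service"},
    LIMITED: {"onboarding-service", "device-controller"},
    STANDARD: {"onboarding-service", "device-controller", "internal-api", "ntp"},
}

# Constructed approved-firmware list per device model.
APPROVED_FIRMWARE: Dict[str, Set[str]] = {"sensor-hub": {"2.4.1", "2.4.2"}}
PROBATION = timedelta(days=30)


@dataclass
class DeviceRecord:
    device_id: str
    model: str
    inventoried: bool = False
    default_credential_changed: bool = False
    firmware_version: str = ""
    admitted_at: Optional[datetime] = None
    incidents: List[datetime] = field(default_factory=list)  # policy violations seen


def checks_passed(rec: DeviceRecord) -> bool:
    """The pre-admission investigation the article describes, as three gates."""
    return (
        rec.inventoried
        and rec.default_credential_changed
        and rec.firmware_version in APPROVED_FIRMWARE.get(rec.model, set())
    )


def admit(rec: DeviceRecord, now: datetime) -> bool:
    """Admit a device to the limited tier once, and only after all gates pass."""
    if not checks_passed(rec):
        return False
    if rec.admitted_at is None:
        rec.admitted_at = now
    return True


def assign_tier(rec: DeviceRecord, now: datetime) -> str:
    """Re-evaluated on every decision: a failed gate sends a device back to
    quarantine; a recent incident or an unfinished probation keeps it limited."""
    if not checks_passed(rec):
        return QUARANTINE
    if rec.admitted_at is None:
        return QUARANTINE  # gates pass, but nobody has admitted it yet
    recent_incident = any(now - t <= PROBATION for t in rec.incidents)
    if recent_incident or now - rec.admitted_at < PROBATION:
        return LIMITED
    return STANDARD


def evaluate_flow(rec: DeviceRecord, now: datetime, destination: str) -> Tuple[str, bool]:
    """Tier the device is in right now, and whether it may reach `destination`."""
    tier = assign_tier(rec, now)
    return tier, destination in TIER_DESTINATIONS[tier]


if __name__ == "__main__":
    t0 = datetime(2019, 6, 1)  # constructed timestamp
    hub = DeviceRecord("hub-7", "sensor-hub")
    print(evaluate_flow(hub, t0, "internal-api"))  # ('quarantine', False)
    hub.inventoried = True
    hub.default_credential_changed = True
    hub.firmware_version = "2.4.2"
    admit(hub, t0)
    print(evaluate_flow(hub, t0, "device-controller"))  # ('limited', True)
    print(evaluate_flow(hub, t0 + timedelta(days=31), "internal-api"))  # ('standard', True)
```

Two choices matter here. The tier is recomputed on every decision rather than stored, so a firmware downgrade or a missed inventory entry drops a device back to quarantine even after it was admitted, and an incident during probation restarts the clock without any manual step. The admission timestamp, by contrast, is set once, so a device cannot shorten its probation by being re-admitted.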