Identity is one of the biggest challenges facing companies that are deploying products for the “Internet of Things,” as well as traditional enterprises that find IoT technologies of all types knocking at the door. The question, in short, is “how do I know that this device is legitimate, and ties back to an identity that I trust with access to my network resources and data?”
Of course, identity management has always been an aching problem in the enterprise space. The problem with the IoT is scale – given the sheer size of the IoT (30 billion connected devices by 2020), you can add a few “zeros” onto the number of devices that could, potentially, be seeking access to your network at any time.
It makes sense that, in a distributed environment like that, the cloud may be the best place to address identity issues. And that appears to be the way things are going. On Wednesday, for example, Verizon announced what it calls a “next-generation,” cloud-based managed certificate service that will authenticate and verify all manner of entities – from traditional enterprise applications, to e-commerce shopping carts, to connected vehicles, smart meters and “smart home” monitoring systems.
“With the continued explosion of the Internet of Things and the expansion of connected objects and machines, businesses require a simple, scalable and effective way to manage identity and data integrity,” said Eddie Schwartz, vice president of global security solutions for Verizon Enterprise Solutions. “Verizon’s Managed Certificate Services build upon our solid digital certificate technology and managed security services expertise with a cloud-based platform to deliver an ideal offering for the age of connected solutions.”
As an example, Verizon said the MCS service could be used to generate certificates for IoT devices such as smart meters during production or installation at client sites. “This way, devices can be authenticated when ‘talking’ to each other while also maintaining a secure connection for the traffic to traverse,” while devices that cannot authenticate will be barred, the company said in a statement.
Verizon offers a number of security services to businesses, including DDoS protection and incident response. It said its new service will be able to scale to support “billions of devices.”
Authentication is a major stumbling block in IoT deployments, with weak authentication allowing malicious actors to compromise networks of connected devices. In 2012, for example, the FBI warned of teams of scammers who were using commercially available optical converters to connect to and manipulate residential and commercial smart meters, allowing the customers to receive free or discounted electricity. At the time, experts warned that smart meters and similar devices do little to validate the credentials needed to change settings on the devices.
A recent Government Accountability Office (GAO) report found that vehicle-to-vehicle communications are poised to take off, but that significant security and privacy challenges must first be met, identity management top among them.
Governance is quickly emerging as an area of concern and interest as companies contemplate IoT adoption within their ranks. A recent survey of 2,013 members of ISACA, a worldwide association of information security professionals, found almost unanimous agreement that the Internet of Things poses a governance problem for their networks, with increased security threats the most oft-cited governance issue raised by IoT adoption.