Identity and access management (IAM) is the cornerstone of cyber security when it comes to people and systems. It ensures that only approved people can access certain resources and systems. But what happens when you add the myriad of devices that are set to become connected to the internet with the growth of the Internet of Things (IoT). Can IAM handle it?

The-Relevance-Or-Not-Of-I-AMAccording to Gartner, the answer is yes. It has published an article titled “Gartner Says Managing Identities and Access Will Be Critical to the Success of the Internet of Things“, but in the analysis, it says there is a long way to go.

It quotes Ant Allan, a research vice president at Gartner. He said traditional IAM systems that are people focused have not kept up with the proliferation of internet devices as a result of the internet of things. He goes on to describe the new taxonomy for the industry: the Identity of Things (IDoT).

“People, software that makes up systems, applications and services, and devices will all be defined as entities and all entities will have the same requirements to interact,” he said.

The Identity of Things

The IDoT is a new extension to identity management. It does not care about the type of entity, whether that is a person, an application or a device. What it does is handle the relationships between those identities, whatever form this takes. Often this will not involve a human at all, such as the relationship between one device in the IoT and another device, or the relationship between a device and an application.

This presents a number of complexities. Lifecycle is an example, as it will vary greatly between different entities. A package that is sharing data with a sender, parcel delivery company and a receiver is part of the Internet of Things, but it has a very short lifecycle when compared with something like the building it is being delivered to – its lifecycle will be decades in length.

Another complexity is context awareness. There will be situations where an entity in the internet of things will need to communicate with or access another entity or application, but only in certain circumstances. All entities involved will have to understand the context in order to determine whether access or communication is allowed or not.

Gartner predicts that the IDoT will integrate other management systems with IAM in the near future. This includes IT asset management and software asset management.

But there is a warning to IAM leaders: the influence of IAM will depend on the actions taken now. Those actions will determine whether IAM is part of the foundation of IDoT, or merely a contributing component.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”

Comments are closed.