Securing People In An IoT World

Once a farfetched concept thrown around by technology enthusiasts, the Internet of Things (IoT) is now becoming a reality. Consumer adoption of network connected technology is on the rise, with 69 percent of consumers planning to buy an in-home device in the next five years, according to the 2014 State of the Internet of Things Study. By the end of this year, 13 percent of consumers will already own an in-home IoT device such as a thermostat or in-home security camera.

IoT has officially hit peak hype. At every major tech conference this year so far – from CES to MWC to SXSW – IoT has been the most anticipated and talked-about topic. Recent tech launches have put everything from your toothbrush to your car online. Some of these devices allow users to track everything from fitness levels, to room temperature, fridge stock levels and pets in need of feeding.

Samsung’s CEO, Boo-Keun Yoon called not only for greater collaboration between tech companies to facilitate the IoT ‘explosion’ in our lives, but he also raised an interesting point about protecting ‘people’ rather than ‘things’.  As with any new technology, there is the potential for significant challenges too. In the case of IoT, data breaches and privacy have the greatest potential for causing harm. As devices and ‘things’ increasingly carry out our tasks for us, becoming our ‘eyes and ears’, there is more sensitive consumer information at stake. Just one breach could have detrimental consequences for those affected.

A foundational element at the heart of any IoT device has to be an ‘identity layer’ that will allow the secure deployment of a large number of connected devices and allow access and service to the right individuals. Identity – in other words, ‘the collective aspect of the set of characteristics by which a thing is definitively recognisable or known’ – can be proved through sophisticated and complex set of authentication techniques, most prominently led by the password. While interconnectivity between different networks has been traditionally limited, continuous upgrades to the underlying, invisible infrastructure grew to allow an ever-greater stream of information to flow.

As networks continue to grow larger, the password increasingly loses effectiveness – even if used by a device. The large variety of different applications and devices makes it impossible to securely authenticate every part of the network. Could a device establish and store a different password for every single access point? And if so, wouldn’t this collection of passwords be a time bomb waiting to be discovered by hackers?

The latest technological developments tackle this problem by reducing the number of passwords required to authenticate different applications and trust domains. They allow users to authenticate once with an existing credential to a trusted domain and be issued with a token that allows it to authenticate to other actors and other domains.

Federated Single Sign On (SSO) technology, for example, allows passwords to be replaced with standardised security tokens for everyday tools and services such as social media apps or emails. These tokens are issued by a website the user has logged into directly but simultaneously gives access to a range of other applications – mitigating a password explosion and simplifying the process for the user.

SSO technology also allows the authentication of a specific device to be tied to a particular user by issuing tokens specific to a ‘relationship’. The growing prevalence of IoT will result in many devices operating on a behalf of a particular person, or set of people, this kind of distinction will be crucial.

It’s not clear to what extent IoT will be embedded into our daily lives, but it looks certain that – whether we want to or not – we will likely hand over a substantial part of our decision-making to our connected devices. As such it is vital that we have solid and secure infrastructures in place that are capable of evolving alongside and in symbiosis with technological advances – authentication tools have to be simple, reliable and universal.

Hans Zandbelt is senior architect, office of the CTO, at Ping Identity.

What do you know about the Internet of Things? Take our quiz!