Enforcing IAM on IoT Devices
How can one enforce identity and access management on IoT devices that are less capable than typical compute devices, and yet render their network vulnerable?
Determining the right device identity is fundamental to enforcing identity and access management in IoT devices. For instance, some devices may be identified on the basis of their IP or MAC address and others may have certificates provisioned to them. Additionally, new-age machine learning techniques do not just use these static identities but also identify the devices' behavior on the network (which APIs, services and workloads they interact with, which databases they typically communicate with) to augment our understanding of these devices' identities. Adaptive access control policies that govern access to the network and access to backend services based on this concept of identity and behavior would be one way to enforce IAM on devices that have less than typical compute resources.
Network fine-grained access control and micro-segmentation may also help, to the extent that it does not introduce unmanageable policy complexity in the environment. These capabilities can not only ensure that only the authenticated and authorized devices get access to the right services, but they also ensure that even if a specific device gets compromised, the exposed surface area is limited, and lateral movement is kept in check.
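As an added illustration (not code from the original post or from Idaptive), here is a small Python policy check that combines the three ideas above: a static device identity, the set of backend services a device is expected to reach (its segment), and the device's recent behavior on the network. Device names, certificate fingerprints and flow records are constructed placeholders.

```python
# Constructed device inventory: a static identity (a certificate fingerprint
# placeholder) plus the backend services the device is expected to talk to.
# In a real deployment this would come from the IAM/device-registry system.
DEVICES = {
    "cam-01": {"cert_fp": "sha256:CAM01-PLACEHOLDER", "allowed": {"video-ingest", "ntp"}},
    "thermo-07": {"cert_fp": "sha256:THERMO07-PLACEHOLDER", "allowed": {"telemetry-api", "ntp"}},
}

# Number of unexpected destinations in the recent window after which the
# device is treated as out of profile and quarantined (assumed threshold).
ANOMALY_THRESHOLD = 2


def behaviour_score(device_id, recent_flows):
    """Count recent flows from this device to services outside its expected set."""
    allowed = DEVICES[device_id]["allowed"]
    return sum(1 for dev, dst in recent_flows if dev == device_id and dst not in allowed)


def decide(device_id, presented_cert_fp, target_service, recent_flows):
    """Adaptive access decision: identity check, then behaviour, then segment."""
    dev = DEVICES.get(device_id)
    if dev is None or dev["cert_fp"] != presented_cert_fp:
        return ("deny", "unknown device or identity mismatch")
    # Even a request to an allowed service is refused once the device has
    # been seen reaching for things it never normally touches.
    if behaviour_score(device_id, recent_flows) >= ANOMALY_THRESHOLD:
        return ("deny", "device out of behavioural profile; quarantined")
    # Micro-segmentation: a healthy device still only reaches its own services.
    if target_service not in dev["allowed"]:
        return ("deny", f"{target_service} is not in the segment for {device_id}")
    return ("allow", "identity verified and behaviour within profile")


# Constructed flow records: (device_id, destination service) seen recently.
RECENT_FLOWS = [
    ("cam-01", "video-ingest"),
    ("cam-01", "ntp"),
    ("thermo-07", "telemetry-api"),
    ("thermo-07", "customer-db"),   # unexpected destination
    ("thermo-07", "hr-fileshare"),  # unexpected destination
]

if __name__ == "__main__":
    print(decide("cam-01", "sha256:CAM01-PLACEHOLDER", "video-ingest", RECENT_FLOWS))
    print(decide("cam-01", "sha256:CAM01-PLACEHOLDER", "customer-db", RECENT_FLOWS))
    print(decide("thermo-07", "sha256:THERMO07-PLACEHOLDER", "telemetry-api", RECENT_FLOWS))
```

The third call is denied even though telemetry-api is an allowed service, because the thermostat's recent flows to customer-db and hr-fileshare put it over the anomaly threshold.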
API Access Management is another important consideration for devices as they communicate with back-end services. Leveraging standards like OAuth 2.0 is one effective way of enforcing authorization for these back-end services.
Another important consideration is to understand and establish a governance model around the lifecycle of identity for the devices in your IoT ecosystem. For instance, if certificates are used for authentication, ensuring that the certificates are provisioned and de-provisioned appropriately, access rights are only provisioned to devices that are updated (operating systems, firmware), etc. is critical.
Finally, many of these devices often have root accounts that administrators use for their maintenance. Having root accounts shared between multiple individuals is a big security and compliance nightmare. In such cases, leverage privileged access management capabilities such as password vaults that enable account check-in, check-out and password rotation.
You can keep access to devices in your IoT ecosystem secure by deploying Idaptive’s Next-Gen Access Platform today. Take the first step towards Zero Trust security, and learn more here.
This post originally appeared in a Quora Q&A session hosted in January 2020. Our CPO Archit Lohokare was asked to discuss the state of cybersecurity, Zero Trust, artificial technology and machine learning and working in the security field, among other things. Stay tuned as we share more of his answers in our blog!