1
Identities and the internet of things
By: Karen Herrington Virginia Tech September 28, 2017
2
What is (Traditional) Identity and Access Management?
Who are you, and what can you do?
Electronic identities and what they can access
3
Why is Identity Management important?
Interactions with users take place electronically rather than in person
Provide online services to a broad audience – not just employees and students
Security – we must know who is accessing our resources – safety, legal, financial and reputational ramifications
4
Virginia Tech Identities
Person Registry with approximately 1 million identities
Students, employees, alumni, retirees, guests, affiliates
Digital identity consists of demographic data, identifiers, credentials and affiliations
~40 affiliations – describes an individual’s connection or association with the university
5
How Do We Manage Identities?
Provision – issue credentials and enable access to services based on authorizations
Password complexity enforcement, password expiration, 2Factor
Near real-time update of affiliations and other demographic information about users
Deprovision – remove access – mostly based on affiliation changes
6
Internet of Things
The Internet of Things refers to electronic devices that are able to connect to the Internet and share data with other Internet-enabled devices.
8
IoT Ecosystem Actors
Humans
Devices
Software/Firmware
Cloud
Interactions are possible between any of the actors
11
Security as the Showstopper
Security concerns are the #1 barrier to IoT adoption
Attack vector is huge (and attractive) and could lead to unprecedented attacks
October 2016 Dyn distributed denial-of-service cyberattack
November 2013 cyberattack on Target using HVAC credentials
Many IoT devices have vulnerable operating systems or firmware
Most IoT devices have limited or non-existent I/O mechanisms for interaction
Strong, solid Identity and Access Management processes will be essential to address security concerns
12
How does Identity Management for IoT Differ?
Device identities, not human identities
Little “demographic” information will be available to uniquely identify devices
Number of device identities will be overwhelming; scales of 10x to 20x greater
Timing and frequency of new identities appearing will be unpredictable – unlike the beginning of semester for students and employees
13
How does Identity Management for IoT Differ?
Two types of authentication involved – human-to-device, device-to-device
No (Duo-type) 2Factor in human-to-device authentication
Human-to-device – physical and behavioral biometrics used
Limited device I/O capabilities, so password complexity and expiration will be problematic
15
How does Identity Management for IoT Differ?
Manage device-to-device authentication – PKI, APIs
Life-cycle support for devices, not just users – deprovisioning
Dynamic, fast-changing relationships between users and devices; devices and devices
Must be able to link one or more human identities to device identities – shared devices are common
Device relationships could be hierarchical
16
Authorization (What Can You Do?)
Human authorization considerations:
Who can administratively manage devices
Who can access the data that is collected by the devices
Who “owns” the data – the subject? The organization?
Device authorization considerations:
What devices are allowed to “talk” to and exchange data with each other
What actions devices are allowed to take based on data collected
17
What Will We Do?
Entity registry – not just a person registry
Enrollment/registration processes that are dynamic and robust – not primarily static
Biometric-based processes might need to be incorporated
Certificate issuance and revocation processes will need to be strong and robust
18
What Will We Do?
Deprovisioning based on various triggers – for example: inactivity
More robust, granular consent processes for management at the device level, device group level and organizational level
Self-service processes based on Bluetooth or NFC rather than web-based
19
Identity Standards & Protocols Offer Promise
OAuth 2 and OpenID Connect
OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user and obtain basic profile information about the end-user
20
Current Provisioning Model
User gets a new NEST thermostat for home
Two phases:
Connecting the device to the network
Establishing the relationship of the user to the device
21
Current Provisioning Model
Most common way to connect a new device to the wireless home network is to enter the password directly into the device
Device interfaces are not user friendly
NEST has a slightly better way – device hotspot
When the user powers up the device, the device sets up a temporary hotspot
22
Current Provisioning Model
User’s cellphone or laptop can detect the wireless hotspot and connect
User provisions the household wireless credential into the device
The second half of provisioning involves binding the user to the device
User will be asked to create a new NEST account
23
Current Provisioning Model What’s Wrong With It?
Discourages strong wi-fi passwords – user doesn’t want to enter a long, complicated password into many devices
No ability to reuse an existing account
No ability for the user to incorporate 2Factor
User’s password may also be used to authenticate the device to the cloud
24
Current Provisioning Model What’s Wrong With It?
No granularity of authorizations
Usually no ability for the user to define constrained permissions for the device
Difficult to revoke permissions
25
Provisioning Using OAuth And Open ID Connect
User gets a new NEST thermostat for home
Homeowner, via an app on the phone (or voice commands?), facilitates issuance of an access token for the device from a centralized Authorization Server
Token can express granular authorizations such as restricting time of day
26
Provisioning Using OAuth And Open ID Connect
Token communicated to the device via Bluetooth or NFC (Near Field Communication)
Device uses the token to authenticate to the router and access the network
Eliminates sharing of the wifi password
27
Provisioning Using OAuth And Open ID Connect
Enables SSO when establishing the user binding to the device
Can reuse an existing identity by directing the user to the appropriate Identity Provider
Can also use tokens in user-to-device interactions
28
Provisioning Using OAuth And Open ID Connect
Eliminates provisioning the user password to the device for authenticating to the cloud by issuing a token to the device
Enables delegated authorizations everywhere – for API access, for the device accessing the network, for the device calling cloud endpoints
Tokens can be revoked when needed
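The token-based provisioning model on slides 25 through 28 (and the OAuth 2 description on slide 19) can be illustrated with a small, self-contained mock-up. This is an added example, not code from the presentation or from NEST: a stand-in Authorization Server issues an HS256-signed token carrying granular scopes and an allowed time-of-day window, a router or cloud endpoint verifies it, and a revocation list lets the owner withdraw it. The signing key, device ids, scope names and claim layout are all assumptions made for the example, not real OAuth 2 or OpenID Connect wire formats.

```python
import base64, hmac, hashlib, json, time

# Constructed stand-in for the OAuth 2 access token the page's Authorization Server
# issues to a device: HS256-signed claims, not a full OAuth/OIDC implementation.
AS_SECRET = b"placeholder-authorization-server-key"  # assumed shared signing key
REVOKED = set()  # revocation list held by the Authorization Server

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(device_id, owner, scopes, allowed_hours, ttl=3600, now=None):
    """Homeowner's app obtains a device token with granular scopes and a time window."""
    now = int(time.time()) if now is None else now
    claims = {"sub": device_id, "owner": owner, "scope": scopes,
              "hours": allowed_hours,  # [start, end) hour of day, UTC
              "iat": now, "exp": now + ttl,
              "jti": hashlib.sha256(f"{device_id}:{now}".encode()).hexdigest()[:16]}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(AS_SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def revoke_token(token):
    """Owner (or a deprovisioning trigger) revokes a token by its unique id."""
    REVOKED.add(json.loads(_unb64(token.split(".")[0]))["jti"])

def verify_token(token, required_scope, now=None, hour=None):
    """Router or cloud endpoint: signature, expiry, revocation, scope, time of day."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = hmac.new(AS_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    hour = time.gmtime(now).tm_hour if hour is None else hour
    if now >= claims["exp"]:
        return False, "expired"
    if claims["jti"] in REVOKED:
        return False, "revoked"
    if required_scope not in claims["scope"]:
        return False, "scope not granted"
    lo, hi = claims["hours"]
    if not lo <= hour < hi:
        return False, "outside allowed hours"
    return True, claims["sub"]
```

The device never learns the household wifi password or the owner's account password; the router and cloud endpoints accept only what the token grants, and a single revocation closes every path the token opened.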
29
Comments?
Karen Herrington, Virginia Tech, kmherrin@vt.edu
Source: Andras Cser and Merritt Maxim, “Vendor Landscape: Identity And Access Management Solutions For The Internet Of Things; Scale, Real-Time Performance, And Data Protection Differentiate IAM IoT Solutions”, Forrester Research, May 31, 2016.
Source: Paul Madsen, “Webinar Replay: Authenticating Devices and Users in the IoT”.