Everyone is talking about IoT these days and for good reason – there are already billions of devices connected to the global Internet and some researchers are predicting 50 billion by 2020. This alone will make CISOs' jobs more difficult, but security executives face many other associated challenges as well:
- Employees are mobile and tend to access corporate applications using various devices.
- Applications, workloads, and containers may reside on private or public clouds or event ping pong between the two.
- The addition of more devices, cloud applications, and mobile users greatly increases the attack surface. CISOs are forced to try to secure this growing pool of IT assets with an understaffed and under-skilled cybersecurity team.
As they say down south, “that dog don’t hunt.” In other words, traditional security processes, controls, and technologies can’t scale to meet the security challenges of an IoT mobile world.
This is exactly where identity (i.e., device identity, user identity, asset identity, etc.) comes into play. Connecting sources and destinations must move beyond Layer 2/3 protocols and usernames and passwords. Moving forward, everything on the Internet must have a trustworthy identity. These trustworthy identities can then be used to guide and monitor secure connections.
My colleague Mark Bowker has dubbed this trend the "Internet of Identities," and it fits with many security trends we are tracking. For example, trustworthy identities are at the center of networking trends like micro-segmentation and software-defined perimeters (SDPs). Once I know the identity of a device or person and the identity of the application or service they want to connect to, I can authenticate each entity, check a policy engine to ensure that this is an authorized connection, segment and encrypt the traffic between source and destination, and maintain an audit log of connections and even all packets exchanged between the two nodes.
In essence, the big global Internet gets carved up into billions of fixed-function and personal virtual network segments—all driven by identities at either end of the pipe.
In my humble opinion, Mark’s theory is spot on as we need to use identity, software-defined networking technologies, and big data analytics to decrease the network attack surface and monitor what’s going on across billions of nodes. On the business side, IoI will also help organizations provide high-performance services to critical network traffic and high-value customers.
While IoI seems logical, it’s success over the next few years depends on many factors including:
- Strong authentication of IoT devices. Every IoT device must have a strong and unique identity based upon biometric technologies, fingerprinting techniques, or tried-and-true X.509 digital certificates.
- Broad use of standards and baked-in technologies. I’m thinking of some type of rationalization around standards like FIDO, OAuth, OpenID, SAML, etc., while increasing the use of common biometrics like fingerprint readers on phones.
- Cloud oversight of identities. Facebook, Google, and Microsoft have identity scale in the cloud and are already fighting for identity control but IoI must evolve into a cooperative ecosystem. Industry bigwigs have to work together and agree on an identity ecosystem similar to the model provided by the Trusted Identity Group and NSTIC from the National Institute of Standards and Technology (NIST).
- Greater use of software-defined networking technologies. As I mentioned above, I’m thinking about greater use of micro-segmentation and a migration from VPN technology to software-defined perimeters that provide any-to-any network access based upon user, identity, location, risk, and strict business-driven policies.
- Mature user and entity behavior analysis (UEBA) tools. There will be far too much happening for security analysts to keep track of connections or spot anomalous behavior. Mature behavior-based security analytics tools based upon machine learning and artificial intelligence must continue to evolve to bridge this gap.
Large organizations must plan for IoI in several ways:
- Move from tactical identity management to a comprehensive IAM strategy.
- Give CISOs more IAM oversight while getting business managers more involved in policy definition and risk management.
- Strive for more collaboration between security, IT, and operational technology groups.