
IAM for IoT

Author: Malli Sai Itha & Sachin Sawant

Date: 9th Apr 2019

© 2019 Capgemini. All rights reserved.


Objective
The main objective of this whitepaper is to understand the basics of Identity and Access Management
(IAM) in relation to the internet of things (IoT). It considers IAM implementation for IoT, the factors that
need to be considered when designing IAM for IoT solutions, issues in the IoT environment, market
leaders in IAM implementation for IoT, case studies and the important domains for IAM in IoT. While this
paper focuses mainly on the manufacturing sector, the use cases for IoT IAM extend across multiple
industries.

Our intention is both to inform and to encourage feedback on the feasibility of taking an IAM solution
for IoT to the market.

Abstract on IoT
The internet of things (IoT) is a system of interrelated computing devices, mechanical and digital
machines, objects or people that are provided with unique identifiers (UIDs) and the ability to transfer
data over a network without requiring human-to-human or human-to-computer interaction.

The IoT introduces the need to manage exponentially more identities than existing Identity and Access
Management (IAM) systems are required to support. As a result, the security industry is seeing a
paradigm shift whereby IAM is no longer solely concerned with managing people, but also with
managing the hundreds of thousands of “things” that may be connected to a network. In many
instances these things are connected intermittently and may be required to communicate with other
things, mobile devices and the backend infrastructure.

Typically, IAM relationships have been between a human and a device. More recently this has evolved
to include connectivity between smart objects such as cars, houses, devices, and objects, with services
now abundant in many forms within the enterprise IT ecosystem. All IoT entities — such as people,
applications, services and devices — within a given enterprise ecosystem need an identity and managing
them efficiently will be difficult. In addition, these devices/things can act on behalf of the human beings,
adding further complexity to managing relationships between all the elements.

IoT connectivity is already making its presence felt in manufacturing. New equipment specially designed
for manufacturing often has IoT sensors pre-installed to provide smart IoT manufacturing capabilities.

Among the successful companies using IoT devices are:

1. Siemens
2. Cisco
3. Microsoft
4. IBM
5. Intel
6. SAP

When it comes to practical use, Siemens’ electronics provide the perfect example. One of Siemens’
manufacturing plants in Germany uses IoT for machines and computers for handling 75% of the
production efforts autonomously. Once the product’s parts are produced, they are able to communicate
with the machines through product codes that navigate the machines further in the production process.

Taking Cisco as another successful example, since it has outsourced production plants worldwide it has
developed “VMES”, or virtual manufacturing execution system platforms, to keep a close eye on the
production. The system uses a combination of technologies like the cloud, IoT, and Big Data analytics to
gather data from production machines in real time and predict quality capabilities in the outsourced
area. We are also seeing a rise in fog/edge computing for processing some of the data onsite without
having to send everything to the cloud.

Current & Future trends of IAM in IoT


The internet of things requires the identification process to be extended to each and every participant
in the IoT ecosystem, because every element has the same need to interact with the others. Identities
for objects might leverage IP addresses, embedded keys or electronic tags. For human beings, identities
leverage unique identifiers such as user accounts or a unique number. Until the emergence of IoT, IAM
was associated only with managing identities and access for individuals, but IoT has now put a new spin
on things. IAM will play a key role in managing all the identities in IoT.

Gartner research (see below) indicates that even though IoT security is consistently referenced as a
primary concern, little has been spent to secure current IoT implementations.



Why IoT requires IAM

IoT has reached a stage where consent and control over the devices and data is critical to further
success. An IoT solution must offer a set of identity controls that properly govern who has access to
what, when and why. In the identity world, these controls are the well-known concepts of
authentication and authorization. In manufacturing especially, device-based identity management for
IoT provides a range of benefits in the form of device management, predictive failure management and
automation.

Basic IoT manufacturing operations include:

• Intelligent manufacturing
• Asset management
• Optimized processes
• Planning
• Monitoring
• Machine-human interaction
• Cyber-physical systems



The above graph shows an incredible increase in U.S. productivity over the last few decades due to IoT.

“In 1980, it took 25 jobs to generate $1 million in manufacturing output in the U.S. Today, it takes just
6.5 jobs to generate that amount” — Brookings

As we head into the future and see accelerated IoT adoption, the increases in productivity will be even
more pronounced. Tesla’s Gigafactory will be highly automated, promising a staggering $100 billion in
output with only 6,500 workers. That’s only 1.3 jobs to generate $1 million in manufacturing output.

Recent Gartner research forecasts that over 20 billion IoT devices will be in use worldwide by 2020.

This exponential growth brings a heightened security risk. Gartner predicts that by 2020 more than 25
percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10
percent of IT security budgets.

Challenges and Impacts

• Network visibility remains one of the top security risks for any enterprise. It is where
organizations typically struggle the most with their security. With the disappearance of the
perimeter, it is increasingly important for organizations to know exactly what connects to their
network, who has access to it, what speaks to what ... hence the need for IAM once you know
what's on your network.
• One of the key issues with IAM is that all too often current offerings do not scale to address the
complexity presented by IoT.
• An IAM solution must have the ability to operate at a massive scale for IoT, handling device
registration, logins, authentications, session validation, device retirement etc. for millions of
identities.
• There needs to be a way of defining and managing the identities of “entities” (people, services
and things) within a single platform.



• Not all IoT devices will remain in the same network or with the same owner throughout their
lifecycle. For example, a robot might be resold, or a connected car could be taken for repair at a
garage, or more simply sold, leading to a change in the user's rights. This needs to be taken into
consideration for access management purposes.
• Like the identity lifecycle, a device lifecycle will include everything from device creation,
updating and deletion, through to device authentication and authorization. A common method
is required to interact with those services, to reduce integration time and the cost of
learning any new technology/platform.
• Lack of interoperability and lack of standards between IoT sensors, devices, and connectivity
and communication protocols can hinder the process of connecting everything.

Future IAM solutions for any IoT must be designed with the following considerations:

• Providing limited access based on expected roles, as opposed to least privileged access.
Authentication from the same device may result in different access capabilities based on how
the user has been authenticated to the device.
• IoT will require traditional IAM systems to include machine-to-machine (M2M) entities. This task
will be complicated since some of these communications will be based on short-lived entities,
such as virtual cloud entities.
• Some of the entities will use proprietary communication and identification schemes.
• Secure, integrated management of data from different devices and systems must be allowed
for. In a future IoT system, autonomous data exchanges between different entities must be
controlled based on advanced security and trust management technologies, e.g. usage control
or trustworthy device identification.
• At the same time, applications in different domains need to be isolated and security boundary
technologies must ensure isolation for incident-affected subsystems.

High Level Architecture of IAM for IoT

Below is an example architecture for IoT when IAM needs to be part of the solution. A couple of
mechanisms need to be embedded for device registration alongside the regular identities IAM already
manages.



IAM technologies/protocols for IAM IoT

The modern IAM technology stack in the web consists of:

• SAML (Security Assertion Markup Language)
• OpenID-Connect (OIDC)
• OAuth 2.0
• SCIM (System for Cross-domain Identity Management)
• UMA – User Managed Access

SAML addresses a variety of IAM needs, including identity federation and SSO functionality. However,
the protocol’s complexity and the footprint of most software implementations limit its usefulness for
IoT.

OpenID-Connect is a rather young, but already established, technology for authentication in web
applications and services with large identity providers, including Google and Facebook.

OAuth 2.0 – and especially currently emerging extensions like ACE [43] addressing constrained
environments – is the industry standard protocol for authorization and fits well into IoT ecosystems.
Furthermore, the OAuth 2.0 protocol is compatible with constrained device protocols, such as CoAP [44]
and MQTT [45]. OAuth 2.0 is also highly extensible, allowing use-case centered configuration and use.
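To show why OAuth 2.0 fits a device ecosystem, here is an added Python sketch of the client-credentials grant between a device, an authorization server and a resource server (for example an MQTT broker). It is not code from the whitepaper or from any OAuth, ACE, CoAP or MQTT implementation: the token format (an HMAC-signed JSON body instead of a standard JWT or the CBOR/COSE tokens ACE uses), the signing key, the registered client `sensor-42` and the topic-to-scope mapping are all constructed for the example.

```python
"""OAuth 2.0 client-credentials flow for a constrained device, reduced to its security checks.

Added example (not from the whitepaper). Key, client registrations and scope names are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_KEY = b"constructed-demo-key-not-for-production"  # constructed; shared by AS and RS here

# Constructed client registrations: client_id -> credential and the scopes it is allowed to request.
CLIENTS = {
    "sensor-42": {"secret": "s3cr3t-42", "scopes": {"telemetry:publish"}},
}

# Constructed mapping from a broker operation on a topic to the scope it requires.
REQUIRED_SCOPE = {
    ("publish", "telemetry"): "telemetry:publish",
    ("subscribe", "commands"): "commands:subscribe",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, client_secret: str, requested_scope: str,
                now: Optional[float] = None, ttl: int = 300) -> Optional[str]:
    """Authorization server: authenticate the device client and issue a short-lived, scoped token.
    Returns None for an unknown client, a wrong secret, or a scope beyond what was registered."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None  # OAuth error: invalid_client
    scopes = set(requested_scope.split())
    if not scopes or not scopes <= client["scopes"]:
        return None  # OAuth error: invalid_scope (never grant more than registered)
    claims = {"sub": client_id, "aud": "broker", "scope": " ".join(sorted(scopes)),
              "exp": int(now + ttl)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resource server: check integrity, audience and expiry before trusting any claim."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("aud") != "broker" or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_operation(token: str, op: str, topic: str, now: Optional[float] = None) -> bool:
    """Broker-side decision: a valid token whose scope covers this operation on this topic."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    needed = REQUIRED_SCOPE.get((op, topic))
    return needed is not None and needed in claims["scope"].split()
```

The device never holds a long-lived bearer of its own rights: the token expires after `ttl` seconds, carries only the scopes registered for that client, and the broker rejects anything with a bad signature, a wrong audience, or a scope that does not cover the requested topic operation. In a real deployment the authorization server would sign with its own key and the broker would verify with the matching public key or introspection endpoint rather than a shared secret.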

Example IAM implementation for IoT and how the lifecycle needs to be managed

Identity and Access Management in the IoT space is in its infancy, so work is still under way to find
examples of implementation in this area. In order to identify the right way of implementing IAM for IoT,
we need to understand the considerations behind a minimum set of requirements. These help to decide
whether IAM is needed for the existing infrastructure and, if it is, which improvements and inclusions
have to be addressed.

Conclusion – what next?

Currently there are almost no system integrators (SIs) with experience of implementing IAM for IoT. The
focus is still on building the core IoT competencies and not on IAM capabilities. With a comprehensive
cybersecurity portfolio, incorporating IAM solutions, Capgemini is evaluating the feasibility of IAM for IoT
and hopes to be one of the earlier SIs to build such competency. Input on best practice is being sought
from industry analysts, and colleagues across diverse capabilities (cybersecurity, cloud, IoT, etc.) are
asked to contribute to the feasibility debate.

What’s clear is that while IAM for IoT may still be nascent, the onward march of IoT adoption will
continue at pace. As such, there is significant first-mover opportunity for the SI that brings to market an
IAM capability and implementation approach to effectively safeguard IoT assets and their connected
ecosystems.

References

https://www.finoit.com/others/role-of-iot-in-manufacturing-industry/

https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/identity-and-access-management-for-the-iot.pdf

https://scholar.google.co.in/scholar?q=IOT+security+in+manufacturing&hl=en&as_sdt=0&as_vis=1&oi=scholart

https://www.secureworks.com/solutions/industries/manufacturing

https://www.ptc.com/en/product-lifecycle-report/security-tops-manufacturers-iot-concerns

https://armis.com/iot-security-manufacturing/

https://safenet.gemalto.com/data-protection/iot-secure-manufacturing/

https://www.i-scoop.eu/internet-of-things-guide/iot-security-forecasts/


https://www.techmahindra.com/industries/Enterprise/Manufacturing/Service_Offerings/automotive/IOT-for-Manufacturing.aspx



https://www.globalsign.com/en/blog/security-elements-in-iot-manufacturing/

https://www.marketsandmarkets.com/Market-Reports/iot-iam-market-67542546.html

https://www.google.co.in/search?q=best+practice+for+IAM+in+IOT&oq=best+practice+for+IAM+in+IOT&aqs=chrome..69i57.14436j0j7&sourceid=chrome&ie=UTF-8

https://www.digicert.com/internet-of-things/device-identity-management.htm

https://www.slideshare.net/AmazonWebServices/aws-iot-security-best-practices

https://www.informationsecuritybuzz.com/articles/identity-and-access-management-for-the-internet-of-things/

https://www.infosecurity-magazine.com/news/gartneriam-disrupted-trends/

http://ecsnamagazine.arrow.com/5-trends-shaping-future-security-iam/

https://www.iotevolutionworld.com/iot/articles/435391-iot-security-identity-access-management.htm

https://gca.net/sites/default/files/future%20of%20IAM_0.pdf

https://docs.aws.amazon.com/iot/latest/developerguide/iam-policies.html

https://securityintelligence.com/a-double-edged-sword-iam-meets-iot/

https://www.abiresearch.com/market-research/product/1029990-iam-20-identity-and-asset-management-in-th/

https://searchsecurity.techtarget.com/feature/Identity-of-things-IAM-system-to-change-as-IoT-invades-the-workplace

https://www.blueid.net/everything-identity-use-role-identity-access-management-iot/

https://www.ubisecure.com/category/iot/


https://www.gartner.com/doc/reprints?id=1-4KQ5GVY&ct=171117&st=sb

https://go.armis.com/hubfs/Buyers%E2%80%99%20Guide%20to%20IoT%20Security%20-Final.pdf?t=1541104049654


https://www.weidert.com/whole_brain_marketing_blog/why-marketers-should-care-about-the-iot-in-manufacturing
