IAM For IoT Whitepaper
Our intention is both to inform and to encourage feedback on the feasibility of taking an IAM solution
for IoT to the market.
Abstract on IoT
The internet of things (IoT) is a system of interrelated computing devices, mechanical and digital
machines, objects or people that are provided with unique identifiers (UIDs) and the ability to transfer
data over a network without requiring human-to-human or human-to-computer interaction.
The IoT introduces the need to manage exponentially more identities than existing Identity and Access
Management (IAM) systems are required to support. As a result, the security industry is seeing a
paradigm shift whereby IAM is no longer solely concerned with managing people, but also with
managing the hundreds of thousands of “things” that may be connected to a network. In many
instances these things are connected intermittently and may be required to communicate with other
things, mobile devices and the backend infrastructure.
Typically, IAM relationships have been between a human and a device. More recently this has evolved
to include connectivity between smart objects such as cars, houses, devices, and objects, with services
now abundant in many forms within the enterprise IT ecosystem. All IoT entities — such as people,
applications, services and devices — within a given enterprise ecosystem need an identity and managing
them efficiently will be difficult. In addition, these devices/things can act on behalf of the human beings,
adding further complexity to managing relationships between all the elements.
IoT connectivity is already making its presence felt in manufacturing. New equipment specially designed
for manufacturing often has IoT sensors pre-installed to provide smart IoT manufacturing capabilities.
1. Siemens
2. Cisco
3. Microsoft
4. IBM
5. Intel
When it comes to practical use, Siemens’ electronics provide the perfect example. One of Siemens’
manufacturing plants in Germany uses IoT for machines and computers for handling 75% of the
production efforts autonomously. Once the product’s parts are produced, they are able to communicate
with the machines through product codes that navigate the machines further in the production process.
Taking Cisco as another successful example, since it has outsourced production plants worldwide it has
developed “VMES”, or virtual manufacturing execution system platforms, to keep a close eye on the
production. The system uses a combination of technologies like the cloud, IoT, and Big Data analytics to
gather data from production machines in real time and predict quality capabilities in the outsourced
area. We are also seeing a rise in fog/edge computing for processing some of the data onsite without
having to send everything to the cloud.
Gartner research (see below) indicates that even though IoT security is consistently referenced as a
primary concern, little has been spent to secure current IoT implementations.
IoT has reached a stage where consent and control over the devices and data is critical to further
success. An IoT solution must offer a set of identity controls that properly govern who has access to
what, when and why. In the identity world, these controls are the well-known concepts of
authentication and authorization. In manufacturing especially, device-based identity management for
IoT provides a range of benefits in the form of device management, predictive failure management and
automation.
Intelligent manufacturing
Asset management
Optimized processes
Planning
Monitoring
Machine-human interaction
Cyber-physical systems
“In 1980, it took 25 jobs to generate $1 million in manufacturing output in the U.S. Today, it takes just
6.5 jobs to generate that amount” — Brookings
As we head into the future and see accelerated IoT adoption, the increases in productivity will be even
more pronounced. Tesla’s Gigafactory will be highly automated, promising a staggering $100 billion in
output with only 6,500 workers. That’s only 1.3 jobs to generate $1 million in manufacturing output.
As per the recent Gartner Research, it is forecast that over 20 billion IoT devices will be in use worldwide
by 2020.
This exponential growth brings a heightened security risk. Gartner predicts that by 2020 more than 25
percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10
percent of IT security budgets.
Network visibility remains one of the top security risks for any enterprise. It is where
organizations typically struggle the most with their security. With the disappearance of the
perimeter, it is increasingly important for organizations to know exactly what connects to their
network, who has access to it, and what speaks to what. Once you know what is on your network,
IAM is needed to govern it.
One of the key issues with IAM is that all too often current offerings do not scale to address the
complexity presented by IoT.
An IAM solution must have the ability to operate at a massive scale for IoT, handling device
registration, logins, authentications, session validation, device retirement etc. for millions of
identities.
There needs to be a way of defining and managing the identities of “entities” (people, services
and things) within a single platform.
Future IAM solutions for any IoT must be designed with the following considerations:
Providing limited access based on expected roles, as opposed to least privileged access.
Authentication from the same device may result in different access capabilities based on how
the user has been authenticated to the device.
IoT will require traditional IAM systems to include machine-to-machine (M2M) entities. This task
will be complicated since some of these communications will be based on short-lived entities,
such as virtual cloud entities.
Some of the entities will use proprietary communication and identification schemes.
Secure, integrated management of data from different devices and systems must be allowed
for. In a future IoT system, autonomous data exchanges between different entities must be
controlled based on advanced security and trust management technologies, e.g. usage control
or trustworthy device identification.
At the same time, applications in different domains need to be isolated and security boundary
technologies must ensure isolation for incident-affected subsystems.
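The scale requirements above (device registration, authentication, session validation, retirement) and the considerations on role-limited access and authentication-dependent access capabilities can be modelled together. The following is an added example, not code from the whitepaper or from Capgemini; the roles, scopes and authentication methods ("mtls", "psk") are constructed, and the token issuer is a simplified stand-in rather than a real OAuth 2.0 or ACE implementation.

```python
import secrets
import time

# Constructed role-to-scope table: a device gets only the access its expected role needs.
ROLE_SCOPES = {
    "sensor": {"telemetry:write"},
    "controller": {"telemetry:write", "config:read", "actuator:write"},
}
STRONG_AUTH_ONLY = {"actuator:write"}  # constructed: only certificate-authenticated devices get these
AUTH_STRENGTH = {"mtls": 2, "psk": 1}  # constructed ranking of the accepted device authentication methods


class DeviceIAM:
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.devices = {}   # device_id -> {"role": str, "retired": bool}
        self.sessions = {}  # token -> (device_id, frozenset(scopes), expiry)

    def register(self, device_id, role):
        if role not in ROLE_SCOPES:
            raise ValueError(f"unknown role {role!r}")
        self.devices[device_id] = {"role": role, "retired": False}

    def retire(self, device_id):  # retire the device and revoke all of its live sessions
        self.devices[device_id]["retired"] = True
        stale = [t for t, (d, _, _) in self.sessions.items() if d == device_id]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def authenticate(self, device_id, auth_method, now=None):  # returns an opaque token or None
        dev = self.devices.get(device_id)
        if dev is None or dev["retired"] or auth_method not in AUTH_STRENGTH:
            return None
        scopes = set(ROLE_SCOPES[dev["role"]])
        if AUTH_STRENGTH[auth_method] < 2:  # weaker proof of identity -> narrower access
            scopes -= STRONG_AUTH_ONLY
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (device_id, frozenset(scopes), now + self.ttl)
        return token

    def validate(self, token, scope, now=None):  # session validation on every request
        entry = self.sessions.get(token)
        if entry is None:
            return False
        now = time.time() if now is None else now
        if now >= entry[2]:
            del self.sessions[token]  # expired sessions are dropped on first use
            return False
        return scope in entry[1]
```

Retiring a device revokes its outstanding sessions immediately, so a decommissioned controller cannot keep acting on tokens issued before it was retired.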
Below is an example architecture for IoT when IAM needs to be part of the solution. A couple of
mechanisms need to be embedded for device registration, alongside the regular identities that IAM
already manages.
SAML addresses a variety of IAM needs, including identity federation and SSO functionality. However,
the protocol’s complexity and the footprint of most software implementations limit its usefulness for
IoT.
OpenID-Connect is a rather young, but already established, technology for authentication in web
applications and services with large identity providers, including Google and Facebook.
OAuth 2.0 – and especially currently emerging extensions like ACE [43] addressing constrained
environments – is the industry standard protocol for authorization and fits well into IoT ecosystems.
Furthermore, the OAuth 2.0 protocol is compatible with constrained device protocols, such as CoAP [44]
and MQTT [45]. OAuth 2.0 is also highly extensible, allowing use-case centered configuration and use.
Identity and Access Management in the IoT space is in its infancy, so work is still under way to find
examples of implementation in this area. In order to identify the right way of implementing IAM for IoT
we need to understand the considerations for having a minimum set of requirements that help to take a
Currently there are almost no SIs with experience of implementing IAM for IoT. The focus is still on
building the core IoT competencies and not on IAM capabilities. With a comprehensive cybersecurity
portfolio, incorporating IAM solutions, Capgemini is evaluating the feasibility of IAM for IoT and hopes to
be one of the earlier SIs to build such competency. Input as to best practice is being sought from
industry analysts, and colleagues across diverse capabilities (cybersecurity, cloud, IoT, etc.) are asked to
contribute to the feasibility debate.
What’s clear is that while IAM for IoT may still be nascent, the onward march of IoT adoption will
continue at pace. As such, there is significant first-mover opportunity for the SI that brings to market an
IAM capability and implementation approach to effectively safeguard IoT assets and their connected
ecosystems.
References
https://www.finoit.com/others/role-of-iot-in-manufacturing-industry/
https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/identity-and-access-management-for-the-iot.pdf
https://scholar.google.co.in/scholar?q=IOT+security+in+manufacturing&hl=en&as_sdt=0&as_vis=1&oi=scholart
https://www.secureworks.com/solutions/industries/manufacturing
https://www.ptc.com/en/product-lifecycle-report/security-tops-manufacturers-iot-concerns
https://armis.com/iot-security-manufacturing/
https://safenet.gemalto.com/data-protection/iot-secure-manufacturing/
https://www.i-scoop.eu/internet-of-things-guide/iot-security-forecasts/
https://www.techmahindra.com/industries/Enterprise/Manufacturing/Service_Offerings/automotive/IOT-for-Manufacturing.aspx
https://www.marketsandmarkets.com/Market-Reports/iot-iam-market-67542546.html
https://www.google.co.in/search?q=best+practice+for+IAM+in+IOT&oq=best+practice+for+IAM+in+IOT&aqs=chrome..69i57.14436j0j7&sourceid=chrome&ie=UTF-8
https://www.digicert.com/internet-of-things/device-identity-management.htm
https://www.slideshare.net/AmazonWebServices/aws-iot-security-best-practices
https://www.informationsecuritybuzz.com/articles/identity-and-access-management-for-the-internet-of-things/
https://www.infosecurity-magazine.com/news/gartneriam-disrupted-trends/
http://ecsnamagazine.arrow.com/5-trends-shaping-future-security-iam/
https://www.iotevolutionworld.com/iot/articles/435391-iot-security-identity-access-management.htm
https://gca.net/sites/default/files/future%20of%20IAM_0.pdf
https://docs.aws.amazon.com/iot/latest/developerguide/iam-policies.html
https://securityintelligence.com/a-double-edged-sword-iam-meets-iot/
https://www.abiresearch.com/market-research/product/1029990-iam-20-identity-and-asset-management-in-th/
https://searchsecurity.techtarget.com/feature/Identity-of-things-IAM-system-to-change-as-IoT-invades-the-workplace
https://www.blueid.net/everything-identity-use-role-identity-access-management-iot/
https://www.ubisecure.com/category/iot/
https://www.gartner.com/doc/reprints?id=1-4KQ5GVY&ct=171117&st=sb
https://go.armis.com/hubfs/Buyers%E2%80%99%20Guide%20to%20IoT%20Security%20-Final.pdf?t=1541104049654
https://www.globalsign.com/en/blog/security-elements-in-iot-manufacturing/
https://www.weidert.com/whole_brain_marketing_blog/why-marketers-should-care-about-the-iot-in-manufacturing