The possibilities to lead organizations and governments towards a successful digital transformation
Daniel Raskin, senior vice president, ForgeRock
To be frank, the Internet of Things (IoT) is, from a security perspective, broken. High-profile examples of huge IoT security failures include:
Cars: This past July, a hacker reportedly took control of a journalist’s Jeep Cherokee and cut the car’s transmission while it was in motion.
Home Appliances: In January 2014, Proofpoint published a report revealing what some say was the first IoT attack involving Internet-connected home appliances. The global campaign, which enlisted roughly 100,000 connected consumer devices — including home routers, televisions, and at least one refrigerator — sent out more than 750,000 malicious emails that targeted enterprises and individuals around the world. In many instances, hackers were able to corral these devices because their owners used default passwords that left the devices exposed on public networks.
Medical devices: In August, the FDA warned that an Internet-connected Hospira Symbiq Infusion Pump was vulnerable to attack and recommended discontinuing its use, because a compromised device could enable an attacker to control the device and alter the dosage delivered.
Home video cameras: In November, a web site went live that gave viewers access to more than 70,000 unsecured security cameras in 256 countries. Anyone in the world could take a real-time look into people’s offices and homes—even bedrooms. What made this particular hack so easy to execute was that, like the home appliance attack referenced above, no one had bothered to change the default passwords when they installed their “security” camera units.
Targets of additional IoT hacks include smart phones and TVs, thermostats, refrigerators, home routers, and printers. Rather than source each of these hacks, simply enter the words “IoT” and “Hack” into Google, and you’ll find close to a million results that include these examples and more. If you’re a leader in an organization that’s trying to adopt IoT devices as a means to offer new services to customers, you should be seriously concerned by these statistics. According to industry analyst firm Gartner, by the end of 2015, 4.9 billion of these oft-unsecured connected “things” will be in use. And that number is expected to rise to 25 billion by 2020.
Businesses and governments looking to add the IoT to their digital ecosystems as part of a digital transformation must consider if their identity platform can handle the challenges that come with the IoT. The only way to secure the billions of connected devices and manage billions of digital relationships that come with digital transformation is with a digital identity management platform built for IoT scale. : Secure the IoT, Understand Context and Promote Privacy.
Secure the IoT
The IoT has brought billions of new users, cloud services, and connected devices online. Legacy identity systems were not designed to manage digital relationships at such a large scale, leaving new IoT initiatives vulnerable to malicious attacks.
The fix is for digital organizations to select an identity platform that’s flexible, scalable and capable of connecting the identities of users, devices and cloud services in a digital ecosystem. The ability to manage these myriad relationships within a digital identity ecosystem enables organizations to register users, cloud services, and connected devices, authorize and “de-authorize” their access to data and apply policies for security and personalization.
We’ve only just scratched the surface of what the IoT can do. Connected devices are already helping businesses and governments to securely bridge the physical and digital worlds. Governments can use smart sensors to manage the flow of traffic while businesses can create IoT devices to connect with smart homes, for example. Identity is the driving force behind using the IoT to improve lives at a personal, organizational and civic level. In all, the right identity platform will enable organizations to deliver services to billions of connected devices and things in a secure, scalable way.
Continued hacks of corporate and government systems highlight the enormous threat of digital attacks and data breaches. Organizations face significant financial, reputational and legal consequences if personal user data is leaked to the public or is hacked by cyber criminals. Relationships cultivated for years are lost in seconds when customer or citizen trust is compromised. Security for digital organizations must go beyond simply checking username and password. The IoT is particularly vulnerable as security and identity standards for connected devices are still being established.
Businesses and governments must be able to extend digital identity to all IoT devices in order to secure their digital ecosystems. The right digital identity platform provides continuous security across all users, devices and cloud services. Credentials are no longer enough to ensure security. Now, context is required to understand the true nature of the digital interaction. Does the customer usually log in from Norway? Do they have a wearable device that is allowed to access their health data? Around what time does this login usually occur, and what kind of system do they use? Customer and citizen digital interactions must be constantly monitored.
In addition to using contextual cues to evaluate user behavior, user identity and access rights must be verifiable via SMS, email, security questions, or biometrics. If suspicious behavior is detected, user data can be secured.
Protecting personal data is essential for retaining customer and citizen trust. With billions of IoT devices going online and countless digital relationships developing, all identities in the digital ecosystem must be continuously authenticated.
Continuously Assess Risk
For increased security, businesses and governments must constantly consider the context of user interactions within their digital ecosystems. By continuously monitoring context, organizations can build adaptive risk profiles for users, rating the risk of an IP address, location, sign-in time, and other contextual cues about the user to generate a risk score.
Higher risk scores will trigger increased security measures and require multi-factor authentication. Risk-scoring can also make it easier for verified users to access digital services by reducing security when risk is low. If the user has a low risk score because they are signing on from a recognized location on a corporate IP address, they may not even be required to enter a password.
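The risk-scoring flow described above, sketched as an added example (not ForgeRock code or anything from the original article). The weights, the thresholds, and the `Profile` and `Login` structures are assumptions chosen for illustration; the article names the contextual signals but gives no numbers.

```python
import ipaddress
from dataclasses import dataclass

# Assumed weights and thresholds: the article names the signals, not the numbers.
WEIGHTS = {"ip": 30, "country": 40, "hour": 15, "device": 25}
MFA_MIN = 40  # score at or above this: step up to multi-factor

@dataclass
class Profile:  # hypothetical record of what is usual for one user
    trusted_nets: tuple  # corporate CIDR ranges
    countries: frozenset  # countries the user normally signs in from
    hours: range  # usual sign-in hours (UTC)
    devices: frozenset  # device identifiers seen before

@dataclass
class Login:  # context captured for one sign-in attempt
    ip: str
    country: str
    hour: int
    device: str

def risk_score(profile, login):
    """Return (score, deviating signals) for one sign-in attempt."""
    addr = ipaddress.ip_address(login.ip)
    checks = {
        "ip": any(addr in ipaddress.ip_network(n) for n in profile.trusted_nets),
        "country": login.country in profile.countries,
        "hour": login.hour in profile.hours,
        "device": login.device in profile.devices,
    }
    unusual = [name for name, ok in checks.items() if not ok]
    return sum(WEIGHTS[name] for name in unusual), unusual

def required_auth(score):
    """Map a risk score to the authentication the user must complete."""
    if score >= MFA_MIN:
        return "password+mfa"
    return "password" if score > 0 else "passwordless"

# Constructed sample data (private/documentation addresses, made-up device names).
ALICE = Profile(("10.20.0.0/16",), frozenset({"NO"}), range(7, 19),
                frozenset({"laptop-01"}))
SAMPLES = [
    Login("10.20.4.7", "NO", 9, "laptop-01"),      # office, usual pattern
    Login("203.0.113.50", "NO", 9, "laptop-01"),   # known device, off-network
    Login("198.51.100.9", "BR", 3, "unknown-77"),  # nothing matches
]

if __name__ == "__main__":
    for attempt in SAMPLES:
        score, why = risk_score(ALICE, attempt)
        print(attempt.ip, score, why, required_auth(score))
```

Returning the list of deviating signals alongside the score lets the decision be logged and audited, which matters when a step-up prompt or a skipped password has to be explained later.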
Advanced knowledge-based learning technology can also be applied to create a more complete user risk profile over time, by analyzing user behavior like keystrokes to gain a better understanding of user habits and patterns. With this knowledge of typical user behavior, businesses are better able to respond with increased or decreased user security measures in real time. To protect businesses and governments from hacks and breaches, continuous security provides adaptive ways to mitigate risk – a requirement in today’s digital ecosystem.
Businesses and governments are racing to protect privacy as increasing numbers of users, cloud services and connected devices go online. The IoT has led to an explosion of user data, and securely collecting and sharing this information is a fundamental component of successful digital organizations. However, if the relationship between organization and user is not trusted and secure, customers and citizens will not share their information. Organizations will lose valuable insight into user history, tastes and preferences, which is critical for creating personalized experiences that customers and citizens demand.
Organizations must build a trusted digital relationship with their users that prioritizes privacy and consent when sharing personal data. As previously mentioned, a breach of customer or citizen data can lead to a loss of revenue and a damaged reputation. Businesses and governments that successfully build digital ecosystems that empower customers and citizens to share data will, in turn, gain important user intelligence. Digital organizations should select an identity platform that’s able to establish secure, trusted, and transparent digital relationships between users, cloud services and connected devices.
This platform should give customers and citizens control over their personal data with user-managed access. This gives customers and citizens the ability to determine what users, cloud services, and connected devices can access their data, for how long, and under what conditions. Citizens can authorize data sharing from their connected home to utility companies, while consumers can give their connected car access to their music preferences, for example. Identity enables organizations to undergo a digital transformation and develop new, innovative products and services involving the IoT.
It’s critical for organizations adopting the IoT to develop a digital identity platform that is built for the challenges that come with extending digital ecosystems to billions of connected devices. Identity is the key to a successful digital transformation that enables businesses and governments to securely leverage the IoT.