Identity, security and the Internet of Things
On the Internet, nobody knows you're a toaster
08 December, 2014
category: Biometrics, Corporate, Digital ID, Financial, Government, Health, Library, NFC
Standards nascent
The standards that enable all these devices to securely communicate are still developing, says Paul Madsen senior technical architect in the CTO’s office at Ping Identity.
Madsen has a FitBit scale that enables the device to communicate with the home’s WiFi network and keep track of a user’s weight. Once the scale is enabled on the home network the information is sent to the cloud. “There’s no standard to how messages are authenticated as belonging to a given user,” he explains. “There are no best practices for how you get data from the thing to the cloud, they all have different mechanisms to how the user’s identity is bound.”
Still, because the Internet of Things market is developing and changing rapidly, it’s difficult to get device manufacturers to agree upon standards. Think VHS vs. Betamax. Madsen adds that new industry groups pop up every week to tackle different issues with the Internet of Things, and coordinating efforts amongst all the various groups is a challenge.
Still he sees that challenge as fertile ground for the expansion of the ongoing work in human identity realm. “Our opportunity in the identity world is to drive the standards for the Internet of Things,” Madsen says. While the machine-to-machine and other device-centric industries are developing their own approaches to standardize communication and protection on the Internet of Things, Madsen and other human identity realm see no reason to reinvent a wheel. Instead they want to see the device realm adopt the privacy-enabling, strong authentication approaches already in place. As an example, OAuth tokens are being used to enable native apps to view and analyze the information, Madsen says.
Communication between the third-party sites is secured via OAuth because it enables permissions-based sharing between different sites, so interoperability is important, Madsen says. The cloud and native app could use OAuth as well, but because the same provider owns both pieces, there is less motivation to use a standard, Madsen explains. Communication between the devices and gateways are up for grabs when it comes to standards, Madsen says.
It can be any variety of protocols such as Bluetooth, NFC, Zigbee or other. Thankfully, OAuth is a well-suited standard for authentication. “The concepts of OAuth, namely user control over identity and attribute sharing fits in every segment,” Madsen adds. Thus, it seems it could be an ideal extension from the realm of human authentication standards to the world of devices.
Work is underway to build on top of the OAuth tokens and add more security, said Eve Maler, vice president of innovation and emerging technology at ForgeRock, during an online panel discussing identity and the Internet of Things. Authorizing access to these devices is also important and a standardized way to do that is still in the works, Maler says. “All of these need to be on boarded to a household and authorized so one or many in a family can control them from any number of devices,” she adds.
Maler is a proponent of User-Managed Access to enable this authorization and management. User-Managed Access is a specification that puts the control of these devices, along with the data they produce and receive, completely into the hands of the consumer. Wearable devices record a lot of data and the device’s owner should decide who can access that data, Maler says. “Because you’re wearing something, it’s intimate and it collects personally identifiable information,” Maler says. “Device manufacturers should be on the forefront of giving consumers robust access control.”
How the Internet of Things can enable access
Eve Maler first became concerned with the Internet of Things when she heard about an inventor creating solar roadways that can be updated to route people away from accidents.
“What about hackers gaining access and leading people off a cliff?” asked the vice president of innovation and emerging technology at ForgeRock. But then she realized that this could also be used to inform an individual and give them access. If solar roadways and driveways emerge with connected cars, a homeowner could know when someone is approaching and even grant access.
Rules can be put in place so that as the homeowner approaches the garage its door automatically opens, the house unlocks and the air conditioning kicks on. Access can also be provisioned to others, but if a stranger pulls into the driveway an automatic message can be sent back ask them for more information. With home automation, wearable devices and the Internet of Things there are endless possibilities for authentication and authorization.
A friend’s Jawbone UP could be provisioned to the front door to unlock so they can water the plants while the homeowner is on vacation. There are also a variety of products in the works that would leverage wearable devices as additional factors of authentication for access to mobile devices, laptops and web sites. While the Internet of Things is not a new phrase, it is being redefined as more devices and applications emerge.
What happens if your health insurance provider finds out you haven’t been taking the prescribed 10,000 steps a day or that your auto insurer detects unsafe driving? “There needs to be proactive control of where the data is shared,” Maler says. “People need to have the right and ability to monitor the sharing of the data.”