During last month’s Siemens cybersecurity press meetings, journalists had the opportunity to get the perspective of researchers at IBM Watson’s Munich IoT operations center. The Center brings together developers, consultants, researchers and designers to drive state-of-the-art collaborative innovation with SMEs and start-ups, as well as governments, schools and universities, and investors. Dr. Angelika Steinaker, CTO Identity & Access Management, IBM Security Europe, discussed the importance of identity and access management.
According to Steinaker, “everything in security is related to identity,” and this is of critical importance to everyone involved in cybersecurity. “If you talk about network segregation, endpoint security, CM, targets, everything is related to identity,” she stressed.
She gave the example of a smart bulb located in a building. Whose bulb is it? Who can access it online to control it? While this seems innocuous enough, think of all of the stakeholders involved. Maybe one company owns the building. Another one has leased that building and its employees are working there. A third company is the facility manager. And yet another provides applications for building insights.
So, let’s say that the building is equipped with an application to get insights on energy consumption, which has reduced costs considerably. Everyone’s happy. Until the leasing company’s CISO detects that someone has hacked their database through a smart bulb in a conference room. This brings to light (no pun intended) multiple questions — ones that aren’t necessarily so easy to answer:
- Who is the owner of security?
- How could this situation have happened?
- Did the bulb have a Digital Identity?
- How could it have been prevented?
- How are stakeholders to be supported?
Steinaker referenced the famous Peter Steiner New Yorker cartoon from 1993 that featured the caption, “On the internet, nobody knows you are a dog.” She said that today, she might instead caption it, “On the internet, nobody knows you are a bulb.”
According to Steinaker, the principles in the Charter of Trust initiative can help to determine the owner and answer these questions. She said that the Watson IoT center in Munich is working with partner companies like Siemens to plan out best practices to avoid these sorts of scenarios.
In her estimation, the first step a company should take is to establish Identity Assurance Requirements for device classes before setting up an IAM framework for IoT. The required level of Identity Assurance may vary with the device class, type of application, strength of the network, sensitivity of the data, criticality of operations and impact of a potential compromise through unauthorized access.
Other keys that a company should focus on, according to Steinaker, are:
- Define an enterprise security and IAM architecture
- Use a recognized method for an enterprise security and IAM architecture
- Adopt a graded trust model for IAM capabilities
- Design authentication and authorization schemes, based on risk models
- Establish an appropriate organization by working across the business units
- Integrate IoT implementation into an existing IAM framework
- Establish an extensible identity lifecycle for all categories of Digital Identities, especially for on-boarding/registration
- Create relationship mappings between all categories of Digital Identities
- Implement more restrictive logic in identity management workflows
- Integrate IAM with asset management repositories
- Establish authentication and authorization procedures for local access or when only intermittently connected to the network
- Install a privileged user management system so administrators accessing systems and devices are under control
- Define which privacy protections are required for different data categories
- Integrate with an analytics solution
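As a worked illustration of the graded trust model and relationship-mapping items above (this is added example code, not code from IBM, Siemens or the Charter of Trust), the following Python policy check derives the assurance level a device class must present from the risk factors Steinaker lists, then authorizes a stakeholder's action on the conference-room bulb only if the bulb's registered identity meets that level and the stakeholder has a mapped relationship to the device. The 1-to-3 scoring scale, the three assurance levels, the stakeholder names, device ids and actions are all constructed for the example.

```python
"""Graded trust model for IoT device identities (constructed example)."""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Identity assurance a presented credential proves (constructed scale)."""
    NONE = 0     # no registered digital identity at all
    LOW = 1      # class-wide or default secret
    MEDIUM = 2   # per-device secret issued at on-boarding
    HIGH = 3     # device-bound key pair with a certificate from the enterprise PKI


@dataclass(frozen=True)
class DeviceClassProfile:
    """Risk factors from the article, each scored 1 (low) to 3 (high)."""
    name: str
    data_sensitivity: int
    operational_criticality: int
    compromise_impact: int
    network_exposure: int   # 1 = isolated segment, 3 = reachable from outside


def required_assurance(profile: DeviceClassProfile) -> Assurance:
    """Assurance a device class must present before any action is trusted.

    The worst factor dominates: a bulb's own data (on/off state) is trivial,
    but if its compromise gives a path to a database it still needs HIGH.
    """
    worst = max(profile.data_sensitivity, profile.operational_criticality,
                profile.compromise_impact, profile.network_exposure)
    worst = min(max(worst, 1), 3)   # clamp out-of-range scores
    return {1: Assurance.LOW, 2: Assurance.MEDIUM, 3: Assurance.HIGH}[worst]


@dataclass(frozen=True)
class DeviceIdentity:
    device_id: str
    device_class: str
    assurance: Assurance   # what the credential actually presented proves


# Device classes and their risk profiles (constructed values).
PROFILES = {
    "smart_bulb": DeviceClassProfile("smart_bulb", data_sensitivity=1,
                                     operational_criticality=1,
                                     compromise_impact=3, network_exposure=2),
    "badge_reader": DeviceClassProfile("badge_reader", 3, 3, 3, 1),
}

# Relationship mapping between identity categories: (stakeholder, device) -> roles.
# Stakeholders follow the article's building scenario; names are placeholders.
RELATIONSHIPS = {
    ("owner-corp", "bulb-conf-room-1"): {"owns"},
    ("lessee-corp", "bulb-conf-room-1"): {"operates"},
    ("facility-mgmt", "bulb-conf-room-1"): {"maintains"},
    ("insights-app", "bulb-conf-room-1"): {"reads_telemetry"},
}

# Which relationship(s) permit each action (constructed rules).
ACTION_RULES = {
    "read_energy_data": {"owns", "operates", "reads_telemetry"},
    "switch": {"operates", "maintains"},
    "update_firmware": {"maintains"},
}


def authorize(stakeholder, action, device, profiles=PROFILES,
              relationships=RELATIONSHIPS):
    """Return (allowed, reason); the identity check and the relationship
    check must both pass, and an unregistered device is always refused."""
    if device is None or device.assurance == Assurance.NONE:
        return False, "device has no registered digital identity"
    need = required_assurance(profiles[device.device_class])
    if device.assurance < need:
        return False, (f"device assurance {device.assurance.name} is below "
                       f"the {need.name} required for {device.device_class}")
    roles = relationships.get((stakeholder, device.device_id), set())
    if not roles & ACTION_RULES.get(action, set()):
        return False, f"{stakeholder} has no relationship permitting {action}"
    return True, "ok"


if __name__ == "__main__":
    weak = DeviceIdentity("bulb-conf-room-1", "smart_bulb", Assurance.MEDIUM)
    strong = DeviceIdentity("bulb-conf-room-1", "smart_bulb", Assurance.HIGH)
    for who, act, dev in [("lessee-corp", "switch", weak),
                          ("lessee-corp", "switch", strong),
                          ("insights-app", "switch", strong),
                          ("insights-app", "read_energy_data", strong),
                          ("facility-mgmt", "update_firmware", None)]:
        print(who, act, authorize(who, act, dev))
```

The point of the two-stage check is that a stakeholder relationship on its own is never enough: the lessee is allowed to switch the bulb, but only once the bulb has been on-boarded with a credential strong enough for a class whose compromise impact is rated high. Both refusals carry a reason string so the same decision can be logged and fed to the analytics solution the last list item calls for.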
“We think it’s very important to get these things in some sort of standard,” she said. “And this is why we here in Europe at IBM are also working together with ENISA, the European Network and Information Security Agency, which is similar to the NIS in the U.S.”
“We still have organizational issues, process issues and technical issues, but this is a start … standardization, framework, this is all needed. As far as the industry base, we can work in an organization like the Charter of Trust, and we need to get that in some sort of standardization. This will not happen tomorrow, it may be a 5- to 10-year process.”