Why does the coffee machine have an account?



    Last year's loud news about a coffee machine that infected the computers of a European petrochemical plant with ransomware, as well as the other frequent cases involving home appliances, robots, drones and other smart devices and systems used in the city, the office, enterprises, production and elsewhere, which we hear about in the media more and more often, for example:

    • a home cleaning robot that switched itself on, climbed onto a running electric stove, pushed the pan off the burner and burned itself, almost setting its owners' apartment on fire;
    • a robot security guard that drowned in the fountain of a business center;
    • a robot lawnmower that escaped from its work area and cut a fuel hose along the way;
    • a surgical robot that hit patients during operations and gripped the tissue of internal organs with its arm;
    • interception of control of unmanned aerial vehicles;
    • cases of disconnection of industrial devices responsible for control, heating and cooling systems;
    • hacking of smart children's toys, watches, fitness bracelets and other wearable personal and office devices.

    All this has long given us reason to think about the security level of the smart systems and devices we encounter in everyday life ...

    Some of these cases may be simple failures of smart devices, but most are still planned malicious actions aimed at obtaining some benefit from the actions committed.

    In an era of a huge number of hacker attacks and other cyber threats, you need to increase the security of your own and your company's devices. And companies should think about the security of using smart systems in their business processes, in industry, manufacturing, medicine and so on, primarily to reduce the risk of equipment failure due to third-party interference and, of course, to protect the corporate and personal data that is transferred and stored.

    Smart things already accompany us everywhere: in the city, at home, in the office, as well as in medicine, transport, manufacturing, industry, agriculture, logistics, power engineering and other areas. Every year this list grows, and we are getting closer and closer to a "smart", but not yet safe, environment.



    In the fast-growing Internet of Things market, one of the most promising technologies of the coming years, developers devote little time and attach little importance to the security of devices, focusing instead on developing the systems themselves so as not to lose their niche in the market and to be among the innovators in this area of products and services.

    Such a race to develop and release ever newer smart devices gives attackers plenty of room to maneuver.

    Today I will not focus on the types of IoT devices and their security in general, but I will try to pay some attention to the issue of managing accounts and user access to these devices, and to the functionality that IDM systems will need in order to move from managing applications to managing things.

    So what is IDM for IoT? What will need to be considered when building IDM systems? What awaits us in the near future?

    The implementation of IoT implies a complex interaction between people, things and services, from which the need for continuous verification of accounts and of the relevance of access rights between applications, systems and devices / things follows naturally.

    Transparent interaction between devices, and control over the data they transmit, will be crucial for the success of IoT, both in the consumer and in the industrial space. IoT solutions must offer a set of controls for user accounts and access rights that can correctly determine who has access to what, authenticate users, and check authorization policies and access rights.

    According to leading analyst agency Gartner, by the end of 2020, 40% of IDM solution providers will have to upgrade their solutions for working with the Internet of Things (IoT), compared to 5% today.

    WHAT IS IMPORTANT?

    Applying user accounts to devices

    You will need to identify the attributes that constitute, so to say, the identity of the device. It will be necessary to create a general scheme or data model that IoT manufacturers can use to make the registration, verification and authentication process simple and repeatable. Once a set of attributes has been defined and collected from a device, it must be used during the device registration process. For some devices, registration may require additional unique verification, for example to confirm that the device itself is legitimate.

    Interaction

    Interaction between people (person-person) will no longer be enough; it will be necessary to establish other relationships (between devices, things, people, services and data), that is, to use the principle of many-to-many interaction.

    Some of these relationships will be used for temporary access to data, while others will be permanent / long-lasting, such as "person-smart device" or "smart device-smart production". These interactions should be recorded, verified, and then cancelled when necessary.
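    To make the device-identity scheme and the many-to-many relationship model above concrete, here is an added example (not code from the original article or from any IDM product). It assumes a minimal attribute schema (manufacturer, model, serial), a constructed manufacturer key standing in for a real device certificate, and a hypothetical registry class that records relationships with an optional expiry and lets them be revoked.

```python
import hmac, hashlib
from dataclasses import dataclass, field

# Constructed manufacturer secret for the demo. A real registration step would
# verify a manufacturer-issued device certificate, not a shared HMAC key.
MANUFACTURER_KEY = b"demo-manufacturer-key"


@dataclass(frozen=True)
class DeviceIdentity:
    """Attribute set that makes up a device's identity (assumed schema)."""
    manufacturer: str
    model: str
    serial: str

    def canonical(self) -> bytes:
        return f"{self.manufacturer}|{self.model}|{self.serial}".encode()


def manufacturer_proof(dev: DeviceIdentity) -> str:
    """Proof a genuine device ships with: an HMAC over its identity attributes."""
    return hmac.new(MANUFACTURER_KEY, dev.canonical(), hashlib.sha256).hexdigest()


@dataclass
class IoTIdentityRegistry:
    devices: dict = field(default_factory=dict)    # serial -> DeviceIdentity
    relations: dict = field(default_factory=dict)  # (subject, serial, right) -> expiry or None

    def register_device(self, dev: DeviceIdentity, proof: str) -> bool:
        """Registration: accept the device only if its manufacturer proof verifies."""
        if not hmac.compare_digest(proof, manufacturer_proof(dev)):
            return False
        self.devices[dev.serial] = dev
        return True

    def grant(self, subject: str, serial: str, right: str, expires_at=None) -> None:
        """Record a subject-device relationship; expires_at=None means permanent."""
        if serial not in self.devices:
            raise KeyError(f"device {serial} is not registered")
        self.relations[(subject, serial, right)] = expires_at

    def revoke(self, subject: str, serial: str, right: str) -> None:
        self.relations.pop((subject, serial, right), None)

    def check(self, subject: str, serial: str, right: str, now: float) -> bool:
        """Authorize only registered devices with an unexpired, unrevoked relation."""
        key = (subject, serial, right)
        if serial not in self.devices or key not in self.relations:
            return False
        expires_at = self.relations[key]
        return expires_at is None or now < expires_at
```

    A temporary relation is granted with an expiry timestamp and a permanent one without; both are stored in the same registry so that revocation and access checks work uniformly.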

    Authentication and Authorization

    The authentication and authorization components will have to be applied at every stage of the IoT data flow. The protocols currently supported for this are OAuth2, OpenID Connect, UMA, ACE and FIDO.

    Management of access rights

    Creation and / or management of attributes, for both users and devices, will have to occur both at the stage of device boot and initialization and at the stage of user registration. Standards developed in this area: LWM2M, OpenICF and SCIM.

    As we know, traditional IDM-class systems are designed to issue access rights to the company's internal systems within the network perimeter. The evolving Internet of Things requires more dynamic IDM-class solutions capable of servicing and connecting not only internal users, customers and partners, but also devices and smart systems, regardless of their location, thereby expanding the possibilities for providing protection in the conditions of digital transformation.
