Industry Innovators 2016: Access control

Feature by Peter Stephenson

Access control

Access control is becoming a greater and greater challenge. Traditionally, access control consists of managing access, authentication and authorisation. The challenges get greater when we consider the Internet of Things because many of the “things” don't have an easy way to manage these functions. When we look across the internet and consider that today there is far more inter-device and inter-application access control needed, we see that the traditional issues of managing access, authentication and authorisation are complicated by disparities in the things to which we are managing access.

Certificates have, in the past, been the key to managing access to disparate systems, but certificate hijacking is a common practice of the bad guys today. So, we go back to the beginning. The problem that certificates were intended to solve is still with us. Then we look at massive denial-of-service attacks such as the one in late October that knocked offline dozens of popular websites – including Twitter and Netflix – and ask how that could have happened. Although that attack was pretty simplistic, it had some features of interest.

For example, what if it hadn't been a DDoS but, rather, a massive data-theft attack – credit cards, trade secrets, whatever? The attack depended heavily on the IoT to get its job done. In order to turn your toaster into a ravaging zombie computer, an attacker needs to gain access to it. Access control again. And a very difficult problem at that. What if there is no place in your toaster to install access control? Perhaps you go for a toaster that does not live on the internet.

This may seem like a trivial example but the idea is solid. Many IoT devices simply do not have the ability to have a sophisticated access control system installed or managed. (Do you really want to be the system administrator of your toaster, refrigerator, baby monitor and TV set-top device?) As you will see from our Innovator in this section we are not faced with an unsolvable problem. But it's no cakewalk, either. Our Innovator in this section is well on the way to meeting tomorrow's challenges in the IoT arena.

Device Authority

Our Innovator in this space takes on big DDoS by addressing six elements that must be part of a scheme to secure the Internet of Things. First, the most fundamental issue is secure update delivery capability without keys pre-provisioned on the device. The second element is integrity validation, followed by preventing devices from participating in DDoS attacks by using whitelists that define what the devices are allowed to talk to. This is followed by rate metering and authentication management. Doing all of these things is a huge challenge at scale. For example, you need to automate password updates and kill password defaults along with managing when individual devices are made publicly accessible.
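
Two of the elements above, a whitelist of the destinations a device may talk to and rate metering, can be sketched as an owner-side egress check. This is an illustration added here, not Device Authority's or KeyScaler's code; the device names, hosts, limits and the token-bucket choice are all assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class DevicePolicy:
    allowed: frozenset      # (host, port) pairs this device may contact
    rate: float             # sustained messages per second
    burst: float            # token-bucket capacity
    tokens: float = 0.0     # set to `burst` when the policy is created
    last_ts: float = 0.0    # time of the last metered message

    def __post_init__(self):
        self.tokens = self.burst


class EgressGate:
    """Default deny: unknown device, then whitelist, then rate metering."""

    def __init__(self, policies):
        self.policies = policies

    def check(self, device, host, port, ts):
        policy = self.policies.get(device)
        if policy is None:
            return "deny:unknown-device"
        if (host, port) not in policy.allowed:
            return "deny:not-whitelisted"      # rejected before any metering
        # Token bucket: refill for the elapsed time, capped at the burst size.
        elapsed = ts - policy.last_ts
        policy.tokens = min(policy.burst, policy.tokens + elapsed * policy.rate)
        policy.last_ts = ts
        if policy.tokens < 1.0:
            return "deny:rate-exceeded"
        policy.tokens -= 1.0
        return "allow"


def sample_gate():
    # Constructed policy: one camera, one permitted update host, 1 msg/s, burst 3.
    allowed = frozenset({("updates.example.net", 443)})
    return EgressGate({"camera-01": DevicePolicy(allowed, rate=1.0, burst=3.0)})


# Constructed flow records: (timestamp, device, destination host, port).
SAMPLE_FLOWS = [
    (0.0, "camera-01", "updates.example.net", 443),
    (0.1, "camera-01", "updates.example.net", 443),
    (0.2, "camera-01", "updates.example.net", 443),
    (0.3, "camera-01", "updates.example.net", 443),   # burst exhausted
    (0.4, "camera-01", "203.0.113.10", 53),           # destination not on the whitelist
    (0.5, "toaster-09", "updates.example.net", 443),  # device has no policy
    (2.3, "camera-01", "updates.example.net", 443),   # bucket has refilled
]


def evaluate(gate, flows):
    return [gate.check(dev, host, port, ts) for ts, dev, host, port in flows]
```
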

Vendor: Device Authority

Flagship product: KeyScaler

Price: Starts at £20 per device per year. Base licence is £39,000 per year.

Web: deviceauthority.com

Innovation: Access control specifically for the Internet of Things.

Greatest strength: Vision to see the emergence of IoT as an important access management market, repurposing two already successful technologies into a new and creative product to solve the problem and then getting it to market.

This Innovator spun off Cryptosoft technology, a tool that had considerable market success since 2010. The new entity acquired DeviceAuthority and became Device Authority Ltd. The Device Authority platform was merged with the Cryptosoft technology and KeyScaler 5.0 hit the streets.

Next they added certificate and key provisioning. That allows them to deploy certificates to IoT devices during their registration process. Prior to deploying KeyScaler 5.0 technology the state of the practice was device manufacturer security policy. KeyScaler shifts from device manufacturer security policy to owner security policy independent of the manufacturer. This allows the addressing of the six elements at IoT scale.

There was a lot to like about this Innovator. First, they have identified an important niche that has not been at all well-served, and this in light of the significant emergence of the IoT. They are no giants, but through innovative go-to-market strategies they have made their presence known. Spinning an already successful technology into an emerging – and troublesome – market space took some doing and was the type of risky move that, eventually, makes giants. We look for very interesting things from this Innovator – things that will impact the Internet of Things.

Today, they are concentrating on initial deployment of KeyScaler 5.0 to protect such tools as medical devices, IoT gateways, surveillance cameras, etc. They address, very capably, the key issue of deploying credentials securely and at scale. This new capability is hot off the griddle since the merged product was rolled out in September of this year.
