In his talk at IPExpo, entitled “The Internet of Things: WTF? (Why the fuss?)”, Rik Ferguson, global VP for security research at Trend Micro, said that only with a system of universal identity can you set and enforce policies. He calls this the Internet of Identities.
Speaking to SCMagazineUK.com, Ferguson elaborated on the details of his thesis.
The Internet of Identities is about “defining characteristics for a device, service or user or an account or API that can be verified and as a result of their verification can have acceptable use policies defined against it”.
“It's going to have to be something akin to a fingerprint in a DLP solution where you look for statistically significant data points. So you might talk about something that has a constant IP address, you can use that. If something has a protocol header that can be fingerprinted, usage patterns, time of day, amounts of data transfer. It is going to be entirely device dependent so it has to be a very extensible format.”
Developing an underlying format within that overarching framework would enable it to be applied to anything. “Consider a Fitbit: people have fairly regular patterns of activity so you could generate a fingerprint for what's normal for that person but you suddenly started training for a marathon, that's going to go outside that fingerprint and it's worthy of raising a flag.”
Within a corporate environment, anything that offers a gateway into the network is going to be target number one, he said. If a business has IP CCTV, or wearable technology such as head-up displays (HUDs) for engineering, or sensors, those are potential IoT targets.
“An internet of identities would establish what that device was allowed to do under normal conditions. If that device got compromised, then it's going to be doing things outside of what it's normally allowed to do. But in terms of being able to apply policy to a device that doesn't sit within any other management framework, that's where your identity is going to be helpful technology.”
He rejected the suggestion that putting security on the chip would solve the problem of identity.
“The problem I see with that is that you are asking everyone, whether it's the consumers or the manufacturers, to standardise around a chip set and it's not going to happen.
“To embed technology in silicon is great because you have responsiveness. For certain operations like encryption, doing things in silicon offers a lot of performance advantages but then you are telling people that they have to have two separate management consoles – one to manage the compliant hardware and another to manage the other stuff that's doing the same job but can't do it in hardware. That's not going to be attractive as an interface.”
This technology has to be hardware independent.
“In an ideal world they would have an open API, but there is not a great history of openness within the IT industry,” he said with a reference to virtualisation.
With the rapid development of the IoT industry, the Internet of Identities is an approach that would allow for the identification of the myriad devices that will be vying for a position on organisations' networks.
“The IoT industry is developing so rapidly that they aren't focusing on security,” he said.
“It's about being able to have some overarching structure in place that allows you to recognise that something else is attached to my environment that I don't recognise. This is how I'm going to assign it an identity and at least be able to monitor what it is doing and enforce policy on it.”
The Internet of Identities is about assigning identities to devices on the fly, he said: “If you block something that you don't know what it is, you might break it. It's about recognising it's there, what it's connecting to and what it's doing and then starting those conversations as to what it's doing there. But if you can't assign it an identity, you can't do that.”
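The fingerprint-and-policy idea described in this article can be sketched as follows. This is an added example, not code from Ferguson or Trend Micro: it baselines a device on the data points he lists (IP address, destinations, time of day, data volume), flags departures from that baseline, and gives an unrecognised device an identity on the fly so it is monitored rather than blocked. The record fields, the device key and the 3-sigma volume threshold are assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class Identity:
    device: str                  # stable key such as a MAC address (assumption)
    ip: str
    known: bool = True           # False: identity was assigned on the fly
    dests: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    sizes: list = field(default_factory=list)

    def learn(self, f):
        self.dests.add(f["dest"])
        self.hours.add(f["hour"])
        self.sizes.append(f["bytes"])

    def deviations(self, f, z_max=3.0):
        """Return the data points on which flow f departs from the baseline."""
        spread = z_max * max(pstdev(self.sizes), 1.0) if self.sizes else 0
        checks = {
            "ip-changed": f["ip"] != self.ip,
            "new-destination": f["dest"] not in self.dests,
            "unusual-hour": f["hour"] not in self.hours,
            "volume-outlier": bool(self.sizes) and abs(f["bytes"] - mean(self.sizes)) > spread,
        }
        return [name for name, hit in checks.items() if hit]

def observe(ids, f, learning=False):
    """Return (verdict, reasons) for flow f; ids maps device key -> Identity."""
    ident = ids.get(f["device"])
    if ident is not None and ident.known and not learning:
        reasons = ident.deviations(f)
        return ("flag" if reasons else "allow"), reasons
    reasons = []
    if ident is None:            # unrecognised: assign an identity, monitor, do not block
        ident = ids[f["device"]] = Identity(f["device"], f["ip"], known=False)
        reasons = ["unrecognised-device"]
    ident.learn(f)               # keep building the fingerprint
    return ("allow" if ident.known else "monitor"), reasons

def demo():
    def flow(dev, ip, dest, hour, size):     # constructed sample records, not real traffic
        return dict(device=dev, ip=ip, dest=dest, hour=hour, bytes=size)
    ids = {"cam-1": Identity("cam-1", "10.0.0.20")}   # an enrolled IP CCTV camera
    for h in range(24):
        observe(ids, flow("cam-1", "10.0.0.20", "nvr.local", h, 5000 + h), learning=True)
    return (observe(ids, flow("cam-1", "10.0.0.20", "nvr.local", 3, 5010)),
            observe(ids, flow("cam-1", "10.0.0.20", "203.0.113.9", 3, 900000)),
            observe(ids, flow("unknown-7", "10.0.0.77", "nvr.local", 9, 120)))
```

Calling `demo()` returns the verdicts for a normal camera flow, a camera flow to a new destination with an unusually large transfer, and the first flow from a device that has no identity yet.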