PKI vs Shared Secret as authentication mechanism in IoT/SmartHome/Smart Business solutions
IoT and Smart Home solutions have been in use for some time, but their security is still not well understood.
We have so many IoT devices around us; the wisdom is in discovering them.
The main focus when talking about IoT used to be on usability, experience, and making our lives easier. Nowadays we are starting to talk more and more about the hidden dangers: the risks, and the trade-offs we need to make between our privacy and our comfort when using smart devices.
My goal is to explain to the reader that the choice is not between methods of authentication; the challenge is to make the chosen method suitable to your current environment.
Back to the topic: Authentication in IoT
Before we start evaluating and choosing the authentication solution, scheme, or technology, we need to divide the IoT environment into tiers:
The Internet of Things (IoT) introduces huge opportunities for businesses and consumers, especially in the areas of healthcare, warehousing, transportation, and logistics. Along with this widespread adoption, developers face new challenges to make sure that IoT applications are sufficiently secure because these applications handle a lot of sensitive data. Many security breaches have already been reported for IoT solutions, so developers must focus on building security into their IoT applications when they design and implement such solutions.
For business IoT solutions, following the guidelines below will be the most effective:
Example IoT Protocols and Authentication Options
- Integrate your IoT implementation into existing IAM and GRC governance frameworks.
- Do not deploy IoT resources without changing default passwords for administrative access.
- Evaluate a move to Identity Relationship Management (IRM) in place of traditional IAM.
- Design your authentication and authorization schemes based on your system-level threat models.
- Create reference architectures for your IoT implementations using ITU-T Y.2060 as a starting point.
- Plan for the introduction of IPv6.
- Consider design updates to your Public Key Infrastructure (PKI) environment to support provisioning of certificates to IoT devices in your organization.
- Establish a plan for sharing IoT-related data with device manufacturers.
- Implement an AAA server that allows consumers to define preferences and to give consent for services to access consumer profile data.
- Consider integrating the identity management system with a building’s Physical Access Control System (PACS).
- Implement more restrictive logic in your identity management workflows.
- Mandate “Killswitch” functionality.
- Customer education.
- Provide a secure default configuration.
- Ensure IoT user awareness.
- Implement a privileged user management system to ensure that administrators can access and monitor systems and devices.
- Extend where possible the use of your current asset management to inventory and document IoT devices.
- Invest in a well-documented plan for how you would respond to failures and breaches when they occur.
- Leverage the security controls built into standards-based IoT protocols.
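The PKI-versus-shared-secret choice in the title, together with the guidelines above on designing authentication from a threat model and on provisioning certificates to devices, is easier to weigh with both mechanisms side by side. The Go program below is an added example written for this page, not code from the original article: it implements a challenge-response device login once under a fleet-wide shared secret (HMAC) and once under a per-device certificate issued by an organisation-run CA (Ed25519 signatures checked against a trusted root). The CA name, the device name thermostat-0042, the fleet secret and the challenge are all constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Shared-secret scheme: every device holds the same secret (a constructed placeholder
// here) and answers a challenge with an HMAC, so the proof carries no per-device identity.
var fleetSecret = []byte("constructed-fleet-wide-secret")

func sharedSecretProve(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

func sharedSecretVerify(secret, challenge, proof []byte) bool {
	return hmac.Equal(sharedSecretProve(secret, challenge), proof) // constant-time compare
}

// PKI scheme: an organisation-run CA issues each device its own certificate over its own key.
func certTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial, not a real allocator
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// issue generates a key pair and has parent sign a certificate for it; a nil parent
// means the certificate is self-signed (used for the CA itself).
func issue(parent *x509.Certificate, parentKey ed25519.PrivateKey, tmpl *x509.Certificate) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func newCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := certTemplate("Example Device CA")
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	return issue(nil, nil, tmpl)
}

// provisionDevice binds deviceID to a fresh key. The key is generated here only for the
// demo; on a real device it lives in the secure element and only the public key reaches the CA.
func provisionDevice(ca *x509.Certificate, caKey ed25519.PrivateKey, deviceID string) (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := certTemplate(deviceID)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return issue(ca, caKey, tmpl)
}

func pkiProve(key ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(key, challenge)
}

// pkiVerify requires the certificate to chain to the trusted CA and the signature to verify
// under the certified key; the identity is read from the certificate, never from the message.
func pkiVerify(ca, cert *x509.Certificate, challenge, sig []byte) (string, bool) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", false
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", false
	}
	return cert.Subject.CommonName, true
}

func main() {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	ca, caKey, _ := newCA()
	devCert, devKey, _ := provisionDevice(ca, caKey, "thermostat-0042")
	id, ok := pkiVerify(ca, devCert, challenge, pkiProve(devKey, challenge))
	fmt.Println("PKI accepted:", ok, "as", id, "| shared secret accepted:",
		sharedSecretVerify(fleetSecret, challenge, sharedSecretProve(fleetSecret, challenge)))
}
```

Both proofs are accepted when the program runs; the difference the guidelines care about is what each verifier learns and what one compromised device costs. The HMAC check establishes only possession of the fleet secret, so a secret extracted from any one unit impersonates every unit and rotating it means re-provisioning the whole fleet. The certificate check yields a device identity bound to a key that never leaves that device, so a compromised unit can be revoked or denied on its own, and a certificate for the same device name issued by any other CA fails pkiVerify because it does not chain to the trusted root.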
Chief Healthcare Cyber security Policy Adviser
Originally published at https://www.linkedin.com on July 26, 2017.
