
What should scare you more – Ashley Madison or Your Fridge?

IAM, IoT, hacktivism, privacy hypocrisy: the world of security is definitely nothing like the one we knew. This Gartner analyst unravels some upcoming dangers that would be travelling straight from the gut of the future.

Pratima Harigunani


MUMBAI, INDIA: At the recent Gartner Security and Risk Management Summit, Anmol Singh perturbed enterprise IT denizens with some really uncomfortable weather forecasts.

He was forewarning people about the implications that the new Identity-of-Things scenario in IAM (Identity and Access Management) is about to unlock for enterprises.

Like: by 2020, the Internet of Things (IoT) is going to redefine the concept of "identity management" to include what people own, share and use. Or that, by 2018, 35 per cent of organizations will be delivering on strategies to incorporate the IoT into their IAM programs. Or this one: by 2020, 80 per cent of digital access would be shaped by new mobile and cloud (i.e., non-PC) architectures, up from five per cent today. This one looks the most discomfiting: by 2018, as much as 40 per cent of all digital identities interacting with enterprises could be pouring in from external identity providers through a competitive marketplace, something that stands at less than ten per cent today.


What kind of new world would these predictions be painting as we move forward? The idea of all-things-connected may sound bizarre at one level and like a fantasy coming true at another; but what about the ripples on security and control that this concept would be stirring so fiercely? We ask Gartner analyst Anmol Singh to spill some beans, interpret this unfamiliar shape for a CIO and help us get a grip on the strange things throbbing in the new digital world we have suddenly entered - you know - hacktivists, virtual lives, a new sibling of BYOD and so on. So, cups ready?

So every user becomes a consumer, and that translates billions of people into tens of billions of things and further into tens of trillions of relationships, as you pointed out. How can enterprises roll up their sleeves for this onslaught?

Firstly, critical infrastructure industries should assess IAM architecture changes to accommodate operational technology (OT) endpoints. Also, goods and services clients need to review their current IAM for the scalability that IoT will demand. They need to ask themselves ruthlessly - 10x? 1,000x? I would also suggest that IAM vendors and service providers should evaluate how IoT can generate new business opportunities.


How serious and unwieldy would this be from the security angle?

Enterprises need to take a people-centric approach to security. They would have to make controls reactive, not restrictive, with efforts aligning around education/behavior management such that they require minimal control of endpoints and apply "default to deny" and "least privilege" selectively. We could be witnessing over 40 per cent of enterprises allowing unrestricted access to noncritical assets by 2018 (this stands at less than five per cent today). One would need to identify which non-critical assets are in scope, review the security vision in light of people-centric security principles and simultaneously use detective and corrective controls to help relax least-privilege preventative controls.

When an enterprise starts dealing with external identities, and that too at the scale that you augured, wouldn’t it make the whole control aspect all the more chaotic?


Enterprises can always follow a proactive approach. They can investigate identity providers that match their level of identity assurance and service at the right price. They can enable social identity as an option for consumers and, as they do that, they can encourage a "trust but verify" approach via adaptive access. They can also seek IAM software or services that allow them to be opportunistic, something that does not lock you into one solution for the long term. There would be a part for attribute-based access control (ABAC) to play too. By 2018, 35 per cent of all businesses could use ABAC as the dominant mechanism to protect critical assets, so enterprises can insist on ABAC being present on vendor roadmaps for their critical systems, weave ABAC awareness training in for developers and architects and aim at new related application sets for ABAC. So far we have been managing identities in a different context, but now, when IoT catches on, things will change. Identifying and managing the whole lifecycle, when devices connect and talk to each other, should be looked into properly. Middle-of-layer attacks would be a threat that will hover around IoT, as devices can become really vulnerable. Manufacturers need to embed security in the design stage with the right authentication safeguards. Even security vendors need to work closely on this front. We hope that, as we move forward, vendors will come up with good answers.
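The two answers above describe "default to deny" with least privilege applied selectively, ABAC for critical assets and a "trust but verify" step-up for external (social) identities. As an added illustration, not code from Gartner or the interviewee, here is a small attribute-based policy evaluator that encodes exactly those three ideas; the attribute names (`idp`, `assurance`, `criticality`, `device_managed`) and the rule set are assumptions made up for this example.

```python
from dataclasses import dataclass, field

# Constructed sample: attributes of the subject (a person or a "thing"),
# of the resource it wants, and of the access context.
@dataclass
class Request:
    subject: dict
    resource: dict
    context: dict

# A rule matches only when every attribute it lists equals the request's value.
@dataclass
class Rule:
    name: str
    effect: str                  # "permit", "deny" or "step_up"
    subject: dict = field(default_factory=dict)
    resource: dict = field(default_factory=dict)
    context: dict = field(default_factory=dict)

    def matches(self, req: Request) -> bool:
        return (all(req.subject.get(k) == v for k, v in self.subject.items())
                and all(req.resource.get(k) == v for k, v in self.resource.items())
                and all(req.context.get(k) == v for k, v in self.context.items()))

# Hypothetical policy: least privilege is enforced only around critical assets.
POLICY = [
    # Critical assets: corporate identity, high assurance, managed endpoint.
    Rule("critical-internal", "permit",
         subject={"idp": "corporate", "assurance": "high"},
         resource={"criticality": "critical"},
         context={"device_managed": True}),
    # External/social identities may reach critical data only after step-up
    # authentication ("trust but verify" via adaptive access).
    Rule("critical-external-stepup", "step_up",
         subject={"idp": "social"}, resource={"criticality": "critical"}),
    # Non-critical assets: open to any authenticated identity; detective
    # controls (logging, review) rather than preventive ones apply here.
    Rule("noncritical-open", "permit", resource={"criticality": "noncritical"}),
]

def decide(req: Request, policy=POLICY) -> str:
    """First matching rule wins; no match at all means deny (default to deny)."""
    for rule in policy:
        if rule.matches(req):
            return rule.effect
    return "deny"
```

A corporate identity with only low assurance, or an unclassified resource, falls through every rule and is denied, which is the default-deny behaviour the answer describes.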

Does scale worsen it all, creating some multiplier effect?

Yes, some recent incidents of hacking have divulged new possibilities. With new car controls, a hacker managed to manipulate a Jeep through a 4G connection, so yes, today's vulnerabilities are different. Less human element creates new scenarios, and that changes security fronts. Enterprises have to be on alert as more smart devices enter people's lives.


Would this IoT wave smell of some BYOD déjà vu? The same problems that enterprises encountered with smartphones and tablets, but in a new costume?

It is about how IAM can adapt to new issues and choices. Employees need to be treated like customers. That’s the demand of the hour.

You recommend a bimodal approach to IAM. Can you elaborate?


One mode would be about fluid, risk-taking, agile layers. The other one would be about rock solid, lasting legacy but something resurrected with new IAM patterns incorporated and incremental changes to old legacy IAM. So basically, they would need to build in the next level of forces into an IAM infrastructure. The challenge today is that IAM infrastructure is not adapting to new technologies. Once the new technology is tested well, it can be part of legacy. So new IAM initiatives can come up to support digital business, prototyping new patterns and technologies, i.e. build the new legacy.

IoT instantly means device heterogeneity; now, would that not complicate security?

It is a challenge but not a paradox, as I see it. The devices are becoming more heterogeneous in nature and their processing capabilities and purposes may vary. Resource constraints can kick in and complicate the situation. Some devices are smart, some are dumb. So we have to manage class 1 devices with no capabilities, as well as class 2 ones that are more sophisticated in data analytics, storage or processing; together with class 2 kinds – servers or aggregators.


Would you say that with all the connectedness air that Cloud has brought in, security has become more vulnerable than before?

Yes, connectedness has some aspect of vulnerability. Most of the devices are directly connected to the Internet, so managing security in a new context becomes important. That's why new security frameworks are significant to work upon, especially different authentication mechanisms.

Talking of hacking attacks, what’s your take on incidents like Ashley Madison?

People need to be careful about registering information on such platforms. Organised crime has always been around and everyone is vulnerable to that. Guarding personal information is a primary factor here.

But would you say that people are expecting to have their cake and eat it too? Bitcoins, Second Life, an Ashley Madison kind of involvement: are we moving towards an alter-ego lifestyle and demanding privacy at the same time?

It really boils down to persona management. When real and virtual identities come together, they can pose a problem. Managing diverse fields is a challenge. One just has to be extra careful on the Internet. Safety is not that simple anymore.

What would you recommend to CIOs as they get wary of this new scenario?

It’s simple. Just update your IAM strategic plan to reflect digital business, the Internet of Things and digital workplace goals and try to figure out where IAM creates unnecessary friction in the digital workplace. CIOs can get to know their IAM vendors' plans to support external identity providers, ABAC and so on.
