It’s no secret that with the Internet of Things (IoT) comes a whole new set of security challenges. To help identify and address some of these scenarios, the Cloud Security Alliance has released new guidance for handling identity and access management when connecting myriad devices over a wireless sensor network.
The IoT Working Group of the CSA—established to provide relevant guidance for industry stakeholders in the IoT food chain—has released a new guidance report titled, "Identity and Access Management for the Internet of Things." The report is available as a free download on the CSA website. The CSA is an industry association aimed at promoting best practices for security within cloud computing environments.
The report responds to the growth of the emerging IoT market among both businesses and consumers, which demands management of more identities across devices than existing identity and access management (IAM) systems are required to support, the CSA said.
IAM systems were set up to manage the identity and access of people across company networks. But now the security industry is seeing a paradigm shift in which IAM also must manage the hundreds of thousands of “things” that may be connected to a network, the alliance said in a press release.
These things—which include anything from devices to home appliances to factory machinery—bring different demands than typical IAM scenarios in other business and consumer settings, according to the CSA.
Hence the report, which details 23 recommendations for implementing IAM for the IoT to help security professionals ensure the integrity of IoT deployments. The recommendations are drawn from real-world best practices collected by the IoT Working Group as well as guidance from third-party organizations, such as the Kantara Initiative, the FIDO Alliance and the Internet Engineering Task Force.
To safely integrate IAM within IoT networks, the guidance recommends that security professionals integrate IoT implementation into existing IAM and governance frameworks in an organization. It also advises that they do not deploy IoT resources without changing default passwords for administrative access.
The CSA IoT Working Group also recommends that security pros evaluate a move to identity relationship management (IRM) in place of traditional IAM within an IoT infrastructure, and that they design authentication and authorization schemes based on system-level threat models.
The IAM guidance is the first in what will be a series of documents to help security and IT staff secure IoT solutions, said Brian Russell, co-chair of the CSA’s IoT Working Group, in the press release. "With this guidance [we are] seeking to provide prescriptive guidance to stakeholders detailing an easy-to-follow set of recommendations for establishing an IAM for IoT program within their organization," he said.