The Identity of Things at GIS


by Paul Madsen and Isaac Potoczny-Jones

GIS SLides Preview Image

Download the Slides

The Internet of Things (IoT) is exciting, but it’s having its own “identity crisis”. The security and privacy issues in IoT are some of the biggest roadblocks to widespread adoption, and the identity management community is in a position to address a number of those roadblocks.

This year, the Global Identity Summit will tackle this with a track about the “Identity of Things.” GIS is the U.S. federal government’s primary outreach and collaboration-building event with the worldwide identity community. Download the pre-conference slides, the post-conference whitepaper, or read on for the pre-conference whitepaper.

IoT Today

Where most of us now physically adjust the dial of a thermostat to change the temperature — a connected thermostat places an application between us and the physical device. It is the intermediate application layer that enables the power of the IoT — from automating temperature changes based on defined criteria to long-term analysis of trends in order to maximize cost savings and comfort.

The potential value of the IoT is clear:

  • Transportation improvements like self-driving cars could save millions of lives,
  • Fitness and health wearables could drastically improve health outcomes,
  • Intelligent automation, from thermostats to smart grid technology, can save money,
  • Smart jet turbines can improve fuel efficiency and reduce down time.

IoT devices are being widely deployed today, and many companies from startups to established industry players like Google and Samsung are releasing IoT products. Each product line has its own approach to authentication, and there are very few applicable standards for organizations to build on. This results in insecure systems with weak authentication, bad user experience (e.g. where they type passwords into systems with limited user interfaces), and incompatibility between devices that should, in theory, work together.

Limitations and Vulnerabilities

While IoT shows enormous promise in improving the health and well-being of users and saving costs, there are a number of security and privacy limitations holding back wide scale adoption:

  • There are a lack of standards and industry best practices for IoT security.
  • Authentication is particularly challenging because each IoT device has different capabilities, power needs, and interfaces making authentication particularly challenging; some interact directly with users and some only interact machine-to-machine.
  • When security issues are discovered, the update process for IoT devices can be challenging. They might not have direct access to the Internet and they might not have a user interface.
  • Many IoT devices impact the real-world behavior of physical systems, and that can sometimes have life and death implications.
  • Many consumers, wary of privacy abuses of the web applications they already use, are reluctant to place their trust in IoT devices and providers

Recent IoT hacks highlight the unacceptable security and privacy reality of today’s authentication and authorization architectures in meeting security and privacy requirements. For instance:

Market Segments

The IoT is a large space, with many different verticals and aspects, including

Consumer:

  • Smart Home products include connected power switches, light bulbs, thermostats, door locks, and others. Popular brands include Google (Nest), Samsung, and Lowe’s.
  • Wearable devices can track our activity level, amount of sleep, location, and heart rate. They can even act as an authentication token.  Popular brands include Fitbit, Garmin, and Apple.
  • Transportation includes connected cars of today, self-driving cars of the future, and public transportation systems. Even ride-sharing products like Lyft and Uber interact so deeply with our mobile devices that they may eventually converge with self-driving cars.

Industrial / Critical infrastructure:

  • Supervisory control and data acquisition (SCADA) industrial control systems operated by computers are increasingly being connected to the Internet, combining technologies with vastly different scope and security profiles.
  • Heating, ventilation, and air conditioning (HVAC) systems in buildings and vehicles are likewise increasingly network-connected and wirelessly accessible.

Health:

  • Fitness bands constitute perhaps the most popular type of wearable electronic and IoT health devices on the market today. Users employ these devices to make fitness and health decisions about their lives.
  • Medical devices like insulin pumps, pacemakers, and surgery equipment increasingly have wireless capability, so the machine-to-machine communication between these devices needs strong authentication for control and reprogramming.

These different sectors have the same fundamental security and privacy needs, authentication, integrity, confidentiality, and delegation. Managing the identities of devices and users will be fundamental to the security and privacy of the IoT. The authentication of IoT actors and authorization of their interactions demands a consistent, interoperable identity layer across IoT verticals, platforms, and protocols.


The Vision for IoT Security AND Privacy

Good security means knowing who entities are and what they should or should not be allowed to do. Good privacy requires that users will be able to control how their devices collect, store and share data.

The security requirements for the IoT are fundamentally the same as for any network over which sensitive and valuable data moves:

  • Authentication verifies the identities of actors as they interact to ensure that malicious parties are not given inappropriate permissions.
  • Confidentiality protects data from being inappropriately accessed by unauthorized actors. It often manifests in authorization policies and encryption.
  • Integrity protects data or methods from modification or deletion by unauthorized parties. It often manifests in digital signatures.
  • Availability maintains functionality in potentially adverse conditions, which is particularly important when the IoT interacts with the physical environment.
  • Delegation includes how the data subject is able to assign privileges to other actors with respect to how the subject’s data is accessed and manipulated. Those other actors can be other humans, applications, or devices.

The privacy requirements of the IoT define how sharing and usage of the collected data meets the expectations and desires of the data subject:

  • Transparency helps people understand who knows what about them. It  provides people information on how their data is to be used, with whom it is shared, and how long it is held.
  • Consent is the ability for users to explicitly define how IoT devices and related services will operate on their behalf through specific permissions.
  • Intervenability is the ability for users to view, change, correct, block, revoke consent, and delete personal data stored by providers and applications.
  • Unlinkability is the separation of informational contexts, such as work, personal, family, citizen, and social. It prevents inappropriate linkages from being established across different contexts.

Fundamentally, IoT privacy demands that providers show restraint in how they treat data — restraint in collection, restraint in analysis, and restraint in sharing. IoT providers will have the ability to act inappropriately with the user data they hold; privacy demands they do not give in to that temptation.

Challenges

The IoT essentially introduces no new security and privacy requirements beyond those of the current Internet and Web — but it does introduce novel challenges for addressing those requirements. We list some of those challenges below:

Application areas:

  • Life and death: Malicious or unintentional compromise of IoT devices has life and death implications. For instance, if a hacker is able to compromise the control systems of a connected car, they could, prevent the brakes from working.
  • Scale: The number of devices in IoT deployments will exceed even the largest number of human users in web applications.

Constraints:

  • Power: Many devices are low power hardware devices with very simple operating systems. This results in simple cryptographic implementations and protocols. For instance, symmetric crypto algorithms (like AES) power most devices since they can be implemented extremely cheaply (and low power) in hardware. Unfortunately, these compromises result in bad key sharing practices since key sharing in symmetric crypto is very difficult to do securely. This manifests as problems like cryptographic keys printed in manuals, the same key shared across a lot of devices, and sending the key in the clear during enrollment.
  • User Interface (UI): Some IoT devices have limited UI or even no UI whatsoever. This results in limited options for verifying the device has authenticated appropriately.
  • Security Updates: Devices may be hard to update securely once deployed, e.g. for the distribution of security patches. Related, the lifecycle of some IoT devices will be years, obviating a model where new security fixes are deployed through purchase of a new model.

Interaction with users and organizations:

  • Data ownership may sometimes be muddied: Multiple parties may feel they have rights to the data generated by IoT devices, or access to control them.
  • Identity silos: Users and devices can identify each-other in some contexts, but when crossing trust boundaries (e.g. between vehicles or buildings owned by different individuals) identity breaks down.
  • Interoperability: IoT suffers from interoperability problems due to devices and individuals not being able to identify each-other across products or trust boundaries.
  • Interacting with multiple users: By their nature, IoT devices may interact with multiple users; for instance, a camera in a public place will have privacy implications for a number of individuals. How should those users be identified and their privacy preferences respected?

Vulnerabilities:

  • Cloud vulnerabilities: Rushed time to market results in cloud infrastructure (which is often controlling IoT infrastructure) having lots of vulnerabilities.
  • Wireless vulnerabilities: Wireless protocols like zigbee and zwave suffer from cryptographic weaknesses.
  • Legacy issues: Despite many devices being brand new, others already suffer from a legacy problem where insecure hardware systems have been deployed.
  • System-level risk analysis: Ideally, the strength of authentication, cryptography, or security could be scaled to the level of risk for a particular device, but each IoT device is deployed within an unpredictable context of other devices and purposes. For instance, a door lock can be seen as inherently higher risk than a motion sensor (and so should have stronger security), but if that motion sensor is part of a security alarm system and the door lock is for an internal door, their risk profiles may be flipped.

Future Vision

There is reason for both hope and concern when looking to the future of authenticating IoT devices. Since it’s an emergent technology area with strong growth potential, we have the opportunity to address security and authentication from the ground up. However, there are already signs that the IoT industry is pushing forward without addressing foundational problems or learning from the mistakes of other technology development efforts.

Our vision for the future is that the Identity of Things should be:

  • Authenticated and secure: IoT systems are authenticated securely by default. Devices use best practices to connect to the wider Internet, of which they are bound to be a part, while maintaining appropriate separation (using e.g. firewalls and VPNs) where appropriate.
  • Interoperable and compositional: The authentication system, cryptography, wireless and communications protocols allow for interoperability and composition of IoT devices.
  • Privacy preserving: IoT systems protect the privacy of their users and take into account that many different individuals may occupy the physical environment being measured or impacted; these users may have different needs and expectations for privacy.
  • Risk-based: When the limitations of IoT devices’ power, networking, or UI limit the ability to secure them, that the risk of using these devices in various environments is clear.

These needs imply an authentication mechanism with the following functionality:

  • Attestation: Devices will show evidence of their bona fides when first introduced to the authentication and authorization infrastructure.
  • Scalable trust: To meet the predicted scale of the IoT and heterogeneous devices use cases, there will necessarily be scalable and dynamic trust models. Distributed consensus architectures (e.g. Blockchain) may be useful here.
  • Secure storage: Devices will store credentials and crypto keys that will be used in interactions with the authentication and authorization infrastructure and other IoT actors in local storage.
  • Token issuance: Devices will trade primary credentials (i.e. those issued at manufacture time) for secondary tokens that can be presented to applications and other devices.
  • Consent: Users will be able to assign constrained permissions to and for access to devices through a consistent and intuitive consent step.
  • Revocable security tokens: Secondary tokens will be revoked if and when necessary.
  • Proof of possession security tokens: The risk of theft of secondary tokens will be mitigated by proof of possession mechanisms.

Applicable technologies for the Identity of Things will be a combination of existing systems and newly developed capabilities.

  • Network protocols: OAuth 2.0, an IETF standard, defines a framework for securing application access to protected resources. The IETF working group, Authentication and Authorization for Constrained Environments (ACE), is planning to develop standards that may be applicable to IoT.
  • Authentication: Passwords are widely known to be insecure and difficult to use at scale. The various challenges with passwords are amplified with IoT since devices are not necessarily tied to specific users, and their constrained interfaces can make inputting passwords difficult or impossible. New authentication mechanisms using strong cryptography and protocols like FIDO will be needed for IoT.
  • Wireless standards: Depending on their requirements and power capabilities, various wireless standards are available to IoT devices. These protocols can include cellular, WiFi, Bluetooth / Bluetooth Low Energy (BLE), Zigbee, and ZWave. WiFi in particular has been extensively vetted for security issues and is widely deployed in home and commercial environments.
  • Cloud APIs: Many IoT devices are connected to the Internet for control (e.g. turning switches on and off), data storage (e.g. uploading video), configuration, and integration with other devices.

Future Planning

To make this vision into a reality, stakeholders should develop a strategy, identify key initiatives to bootstrap technical improvements, and sustain innovation in the market.

Strategize: Identify the key goals for the Identity of Things and the most important barriers to attaining those goals.

  • Outline the existing authentication and security technologies that most closely align with the needs of IoT.
  • Specify the unique constraints of IoT that make those technologies more or less applicable.
  • Bring in key stakeholders in technology, research, and government to align their initiatives and products to this strategy.

Bootstrap: Bring industry and government groups together with projects that will remove barriers and spur innovation.

  • Surface best practices for enrollment and authentication from device-to-net, device-to-device, and user-to-device.
  • Develop protocols and standards for interoperability that can be widely deployed.
  • Identify and fill gaps in existing cybersecurity and risk management standards.
  • Experiment with innovative products that demonstrate best practices and unique opportunities.

Sustain: Leverage the growth of the IoT market to sustain robust shared infrastructure.

  • Develop reusable and open infrastructure for the core authentication and security capabilities and allow all comers to build innovative products on top.
  • Incentivize hardware and software developers to utilize that shared infrastructure and contribute to its ongoing evolution.
  • Upgrade, augment, or layer security on existing legacy infrastructure.

Session Overview

Let’s work together to form a joint vision for the future of IoT Authentication, Authorization, Security, and Privacy. There will be three sessions:

  • Level Setting: The speakers in this session will help us get on the same page about what the Identity of Things is and what are its core issues.
  • Future Requirements: The speakers in this session will help create a positive vision for the IoT to realize its full potential in a secure and interconnected world.
  • Workshop: The entire group will work collaboratively to define a path forward. The workshop is outlined in more detail below.

Workshop Structure

We will hold three parallel hands-on focus groups. Each group will have a designated facilitator and note taker. The facilitator will pose questions on a specific topic and conduct an orderly discussion. The note-taker will develop a summary of each group’s discussion points.

The final 10 minutes of each workshop will be dedicated to very brief group report-outs.

The output of these groups will be integrated into a post-conference paper that will be provided to all participants and the broader community outside of these walls.

Group 1: IoT Challenges: Auth, Security, and Privacy

While IoT shows enormous promise in improving the health and well-being of users and saving costs, there are a number of security and privacy limitations holding back wide scale adoption.

Recent IoT hacks highlight the unacceptable current reality of today’s authentication and authorization architectures in meeting security and privacy requirements. For instance, some challenges you may consider are: A lack of standards, diversity of power needs and interfaces, security update lifecycle, consumer trust, and the interface with physical systems whose properties cannot be anticipated in the risk profile of the device.

This group will attempt to clearly define and categorize the core challenges.

Group 2: IoT Requirements: A Joint Future Vision

Let’s work together to paint a positive vision for the IoT to realize its full potential in a secure and interconnected world.

There is reason for both hope and concern when looking to the future of authenticating IoT devices, and we have the opportunity to address security and authentication from the ground up.

Prior to the conference, our view is that the Identity of Things should be: authenticated and secure by default; interoperable and compositional; privacy preserving; and that security should be considered within a risk-based framework.

This group will set a positive vision for the future of IoT.

Group 3: IoT Opportunities and Technologies

How can we get to our future vision in light of the challenges in front of us? What are the most exciting societal, governmental, and business opportunities for the IoT that we can leverage to make this vision a reality? What technologies will be needed to support that vision?

Applicable technologies for the Identity of Things will be a combination of existing systems and newly developed capabilities.

You might consider your analysis in light of these elements:

  • Strategy: Identify the key goals for the Identity of Things and the most important barriers to attaining those goals.
  • Bootstrapping: Bring industry and government groups together with projects that will remove barriers and spur innovation.
  • Sustainment: Leverage the growth of the IoT market to sustain robust shared infrastructure.

This group will paint the roadmap for IoT opportunities and technologies.

About Your Facilitators

  • Paul Madsen: Paul is a Senior Technical Architect within the Office of the CTO at Ping Identity. He has participated in various design, chairing, editing, and education roles for a number of identity standards, including OASIS SAML, the Simple Cloud Identity Management (SCIM), OAuth 2.0, and TV Everywhere. He holds an M.Sc. in Applied Mathematics and a Ph.D. in Theoretical Physics from Carleton University and the University of Western Ontario respectively.
  • Isaac Potoczny-Jones: Isaac is the CEO of Tozny, a technology company focused on improving the security and privacy of everyone. Before founding Tozny, Isaac developed cutting edge security, encryption and authentication solutions for defense agencies and other government entities. He’s been a cybersecurity researcher at Galois for 10 years with a focus on identity management, authentication, authorization, and access control. Education: BS Computer Science, MS Cybersecurity.

GIS was held in Tampa, Florida — Sept 19–22, 2016. GIS is held annually and is designed to:

  • Promote a comprehensive understanding of current capabilities, pending needs, market trends, and future directions of both the federal government and the entire identity community.
  • Initiate and advance public-private and cross-discipline collaboration necessary for the continued advancement and appropriate application of identity and access management disciplines across all mission spaces.

Speakers – Wednesday Sept 21 at 2-5PM

Level Setting:

  • 2:00 – 2:30: Isaac Potoczny-JonesIntroduction to the Identity of Things; Limitations, Markets, and Future Vision.
  • 2:30 – 3:00: Paul Grassi – How standards can improve IoT security.

Future Requirements:

  • 3:00 – 3:20: Nizar Jamal – Our IoT Ecosystem will only Thrive if it is Secure and Open.
  • 3:20 – 3:40: Karl Martin – Hardware-Backed Trust: The IoT Identity Opportunity.
  • 3:40 – 3:45: Q&A.

Workshop:

  • 4:00 – 5:00 PM: Create the future of IoT Identity!

 

Discuss this post at Medium.com.