IoT devices are being deployed around the world in record numbers. There will be 41.6 billion connected devices generating 79.4 zettabytes of data by 2025, according to IDC estimates. With many of these devices running critical infrastructure components or collecting, accessing and transferring sensitive business or personal information, IoT authentication and access control have become even more critical.
IoT device authentication is fundamental to ensure connected devices can be trusted to be what they purport to be. Thus, access control can police what resources can be accessed and used and in which context to minimize the risk of unauthorized actions.
The challenges of IoT access control
When it comes to deploying authentication and access control mechanisms in an IoT environment, there are many aspects that complicate the task. That is because most devices have limited processing power, storage, bandwidth and energy. Most legacy authentication and authorization techniques are too complex to run on resource-constrained IoT devices due to the communication overhead of common authentication protocols. Another problem is that devices are sometimes deployed in areas where it may be impossible or impractical to provide physical security.
There is also an incredibly wide range of hardware and software stacks in use to consider. This leads to a massive amount of devices communicating across multiple standards and protocols -- unlike more traditional computing environments. For example, researchers identified at least 84 different authentication mechanisms in IoT environments that had either been proposed or put into production in 2019. A lack of standards and IoT-specific access control models makes the task of keeping devices and networks secure more complex.
3 approaches to improving IoT access control
Any centralized access management model trying to manage thousands of IoT devices deployed far and wide will have its limitations; no one approach will be suitable for every scenario. Vendors that seek to develop decentralized IoT access control services are examining how blockchain technology could eliminate problems caused by centralized systems. Network administrators and security teams must stay abreast of the latest developments as they could lead to truly scalable service offerings in the near future.
Until then, every IoT device must have a unique identity that can be authenticated when the device attempts to connect to a gateway or central network. Some devices are identified based solely on their IP or MAC (media access control) address, while others may have certificates installed. But a far superior way to identify any type of device is through machine learning. Static features can be used to do this, in addition to behavioral analysis, such as API, service and database requests to better assure the device's identity. The combined use of identity and behavior for authentication also provides the ability to constantly adapt access control decisions based on context -- even for devices with limited resources.
This attribute-based access control model evaluates access requests against a range of attributes that classify the device, resource, action and context. It also provides more dynamic access control capabilities. The approval of actions and requests can be updated in real time, based on changes in the contextual attributes. However, it does require administrators to choose and define a set of attributes and variables to build a comprehensive set of access rules and policies.
How IoT access control fortifies an infosec strategy
A strong IoT access control and authentication technology can help thwart attacks. But it is only one important aspect of a larger, integrated IoT security strategy that can detect and respond to suspicious IoT-based events. For any authentication and access control strategy to work, IoT devices must be visible. Thus, critical device inventory and lifecycle management procedures need to be established, as well as the ability to scan for IoT devices in real time.
Once an IoT device is successfully identified and authenticated, it should be assigned to a restricted network segment. There, it will be isolated from the main production network, which has security and monitoring controls specifically configured to protect against potential IoT threats and attack vectors. That way, if a specific device is flagged as compromised, the exposed surface area is limited, and lateral movement is kept in check. These measures put administrators in a position where they can identify and isolate compromised nodes, as well update devices with security fixes and patches.
IoT is changing the world and how IT security needs to operate. Security vendors are still playing catch-up with the size and complexity of IoT environments. Ideally, the next generation of service offerings will better match the demands of IoT identity and access management.