How to Secure Customer Identities in the Era of Data Breaches and the Internet of Things

By Sven Dummer

Whether managed in-house or in tandem with external agencies, an IoT device security strategy that considers the safety and security needs of a user, device and network holistically will produce a secure platform that promotes user connectivity.


Data breaches have been the topic du jour in recent years: Equifax, LinkedIn, MySpace, Yahoo!, the Democratic National Convention and Yahoo!—again. More specifically, we have seen the proliferation of the publication of those data breaches, and any such breaches mean big risks for a brand’s reputation and bottom line. This has led everyone to start double-checking the methods by which they manage their user data storage, their devices and the networks on which those devices exchange critical information. And with the Internet of Things (IoT) upon us, not only are brands tasked with guarding against more breaches, but they must secure many more access points than ever before.

In fact, the attack surface isn’t getting any smaller. Last year, GlobalWebIndex estimated that there are now 3.64 connected devices per person in the marketplace. According to Intel, there will be more than 200 billion connected devices and sensors by 2020. Given that the population is expected to grow to 7.58 billion, that’s more than 26 connected devices for every person living on Earth—more than seven times the number that exist today.

Not only are we growing the number of per capita devices, but we’re also letting those devices into our lives in a way that can make a breach more personal. Last year, a story in the San Francisco Globe outlined how a family found a stranger hacking into their connected baby monitor. The hacker obtained the login information for the baby monitor and used those credentials to access it via the associated Web app. Terrifyingly, the stranger was speaking to their toddler through the monitor until the parents stumbled onto the hack themselves. More recently, hackers have found Internet-connected teddy bears to be a gateway into a child’s world. In both cases, an effective security strategy could have prevented undesired access to the device.

While an effective security strategy can be established in-house, managed security could be an appealing option for organizations that lack the expertise, given the potential risk and scale of these IoT vulnerabilities. So, what goes into an effective managed security strategy?

Firewalls, Monitoring and Penetration Testing
Although they might be considered table stakes, organizations must have industry-standard firewalls for data ingress and virus-protection programs, as well as robust performance monitoring to proactively detect and avoid brute force and denial-of-service attacks. In addition, vulnerability scans, penetration testing and intrusion detection are critical to reducing the risk of breach for an IoT platform, and part and parcel of any good device-security strategy.

Device-Independent Identity
At the heart of an effective connected device strategy is a database of devices that keeps track of device attributes, entitlements for each device, and users or other devices associated with that device. In a managed security infrastructure, this information should reside independently of the device itself, to ensure that the device metadata and access are stored in a secure environment in the event that it is damaged or compromised.

Relationship Management
One thing that differentiates the IoT from a standard user model is the need to represent the relationship between the device and its users. A full IoT security strategy will include a structure for supporting access permissions for users tied to each device. For example, is there a single administrator? How is user access granted and rescinded? An effective IoT-device security strategy should support multiple levels of access and manage both the relationship of the user to the device and the relationship between users.

Standards-based Device Authentication and Scoped Access
Finally, authentication and scoped access are the primary components of gating connected devices. An IoT solution needs to generate, store, manage and deploy a high volume of access credentials. Each of those credentials needs to permit access at a feature level. In addition, credentials need to be properly scoped to ensure that a device can only access the features and data it is entitled to manage, in the same way that a service provider is scoped to access specific data and functions on behalf of an authenticated user. While a standard for managing IoT devices is not prescriptive, vetted and tried identity and access protocols will help secure the device authentication and authorization process.

The IoT is increasing the scale and complexity of IT security beyond the capabilities of a single organization. Whether managed in-house or in tandem with one or more external agencies, an IoT device security strategy that considers the safety and security needs of a user, device and network holistically will produce an IoT platform that promotes a secure, efficient ecosystem for increased user connectivity. You can learn more about how to protect consumer data in the world of IoT in our recent webinar with Merritt Maxim from Forrester Research.

Sven Dummer leads product marketing at Janrain, helping companies to build better online experiences for their customers through cloud-based customer identity and access management (CIAM). Previously, Sven worked with Silicon Valley startups as well as Fortune 500 companies, including Yahoo!, Wind River (acquired by Intel), SUSE and Microsoft, in product development, product marketing and management roles. At Intel, Sven also helped to launch (and named) the collaborative Yocto Project, an open-source initiative that enables users to create custom Linux-based systems for IoT devices, regardless of the hardware architecture used. Sven is based in the San Francisco Bay Area.