How brands should prepare for the convergence of identities and the Internet of Things March 30, 2017 by Jim Kaskade Q&A with Merritt Maxim of Forrester Anyone who knows me, knows that I’m extremely passionate about opportunities involving Internet of Things (IoT) – or should I call it Identity of Things – and what it will bring to end-consumers and businesses alike! The industry of connected devices is growing at a breakneck speed and consumers are getting more and more excited as they learn about the ever-expanding possibilities. But are brands preparing themselves properly for IoT? Do they know the complexities involved? I recently invited Merritt Maxim, Senior Analyst at Forrester Research, to join me for a webinar to discuss the importance of protecting customer identity data in the era of IoT. We covered such topics as: Understanding the landscape of identity threat vulnerabilities and the impact of breaches on brand experience and customer loyalty Managing the relationship between users and devices Exploring case studies and best practices for protecting customer identity data Merritt and I then had an opportunity to reflect a little more after our webinar… Jim: What are the main security implications as Internet of Things is taking off? Merritt: IoT-enabled connected devices create a range of security and privacy risks. First, IoT devices can increase risk to your company and brand because these devices expand your company’s potential attack surface. The increased attack surface can place your company’s core systems and data at risk, as was clearly demonstrated during the Mirai botnet in the fall of 2016. IoT security requires an end-to-end approach. IoT security must incorporate an end-to-end architecture from the IoT device to the cloud back end. While many security teams focus on securing the IoT device with technologies such as encryption, trusted execution environments, and other chip-level measures, security teams can’t implement these device-centric approaches in isolation. In many cases, IoT devices may operate autonomously, or semi-autonomously, and will not have a human identity involved to validate and authenticate actions. This means that the security teams need to place an equivalent level of emphasis and priority on securing network communications and the back-end data stores connected to IoT devices. Jim: What are the right questions to ask when considering an IoT vendor or partner? Merritt: When evaluating any IoT vendor or partner, a crucial consideration is the breadth and depth of the vendor’s IoT ecosystem. The reality today is that it is unlikely that any single technology vendor can address all enterprise requirements for an IoT solution. This places a premium on vendors that maintain or participate in a broader ecosystem of IoT products and services. Rich IoT ecosystems possess more partners and talent familiar working with the systems, which helps ease integration challenges and accelerate deployment times in a risk-appropriate manner. Security certifications are also emerging in importance, and while there is no single definitive IoT standard, certifications are still a useful measure on a given supplier’s commitment to data security. Jim: With the merging of identities and connected devices, how are brands going to safeguard customer data and trust? Merritt: Encryption is an absolute must. In IoT scenarios, encryption (whether on the data, the network, or both) is an essential IoT security best practice. And although encryption is necessary to meet the usual requirements around personal privacy and confidentiality, many IoT scenarios now involve automation of industrial, business, and personal processes. This may create business value, but it also introduces scenarios where breaching of these IoT systems can lead to destruction of property and equipment and even personal safety issues. The higher potential risks associated with IoT scenarios mandate encryption of data in motion and at rest and that the security team maintain appropriate key management processes and procedures to ensure integrity of the encryption keys. In addition to securing the data in motion and at rest (on the device and in the cloud back end), brands must also provide adequate policies around usage and sharing of data that consumers can easily opt in or opt out of, thus providing customers the confidence that their data is being used and shared in an appropriate manner. When done correctly, such measures can reinforce customers’ perceptions toward individual brands. Jim: How should IT departments prepare to support customer identities across connected devices? Merritt: Organizations need to focus on the basics first. The first step would involve conducting a base assessment to identify which systems, devices, and users connect with or store valuable data, and prioritize those assets over all others. This ensures that any security alerts are prioritized based on risk. Once the assessment is complete, a next step would involve investigating technologies such as strong device authentication controls to the identity of an IoT device and verifying its state. This could include usage of digital certificates/PKI to identify devices as authentic. The next layer would involve assessing how to enable end users to set policies on which actions, data collections, and software updates can be performed on a device and how such policies can be enforced across devices or across individuals (such as in a connected home environment, where there may only be one device but multiple family members with different levels of authorization.) Another growing area of interest is assessing how analytics can be used to identify device and user behavior that may indicate security vulnerabilities and compromises, so that the security team can proactively respond to such possible breaches. Jim: What are Forrester’s predictions about IoT trends this year? Merritt: In 2017, we expect that hackers will continue to use IoT devices to promulgate distributed denial of service (DDoS) attacks and attack devices themselves. The biggest targets will likely be the hottest areas of IoT adoption, including: Fleet management in transportation Security and surveillance applications in government Inventory and warehouse management applications in retail Industrial asset management in primary manufacturing The fact that many IoT solutions lack simple update and patching mechanisms exacerbates the security problem, making remediation of security vulnerabilities more challenging. The continued rise of IoT threats will require security teams to collaborate more closely with developers to ensure the ability to release and deploy remediation quickly and prevent organizations, brands, and devices from becoming the 2017 poster child for IoT security incidents. To hear more from our recent webinar on IoT, please watch the replay here. And if ever you’d like to have a meaty conversation on where the IoT industry is going, I’m always up for a chat!