Making Cloud SLAs readily usable in the EU private sector

A smarter, more secure Internet of Things?

We are standing on the very brink of the most fundamental change in the way human beings use technology since the introduction of agriculture, over 6 thousand years ago. The Internet of Things will not just change our work or home, it will change every aspect of our lives, including redefining the very concepts of privacy, industry and government, David Mount, NetIQ.
 
Identity key for IoT security challenge
Speaking at the 2015 European Identity and Cloud conference in Munich, David Mount (NetIQ solutions consulting director) said that identity is the key to managing the risks of millions of devices being able to access too much information. Why? Identity is the one thing that is still under the control of the organisation and the individual. It can help balance the needs of users with the needs of risk managers.
The internet of things (IoT) will not necessarily introduce new cyber threats, but it will amplify those we are already facing. While the IoT is likely to deliver many benefits, such as better traffic management in smart cities, there is a darker side to the IoT. It’s important to think about how we can control our data once it is collected, to address concerns about how it is stored, who can access it and how it is used. We cannot expect manufacturers to do this for us, as they are more focused on making devices easy to use, connecting and exchanging data, possibly at the expense of security.
There also need to be assurances that unauthorised parties are not able to hack into IoT communications to steal or manipulate data. Some types of information may not seem important, but they can sometimes be used to access much more sensitive data through social engineering. Fitness tracking devices are one example of this potential threat.
Because attacks are inevitable, we need to find ways of mitigating their effects. Key to this is getting the basics right, for example, in terms of identity and access. Priorities range from minimising the access rights of individuals and devices, to ensure they are appropriate, to enforcing access controls and monitoring user activity to ensure that it is appropriate and normal. More data is not the right answer, according to Mount. There are already too many tools that generate too much data, meaning lots of noise but not enough insight. He cited the Target breach as one example.
 
Getting the security context right
Because security needs context, identity and security can no longer be separate silos within organisations. Identity helps define the context: checking that actors are who they claim to be, seeing how they are using their entitlements and assessing whether that use is normal and appropriate. In the IoT, it is essential to adopt “identity-centric” thinking so there is an adequate level of control. 
The Internet of Everything requires a parallel identity of everything, capable of ascribing behaviour to things, tracking that behaviour and then deciding if it is normal or not, said Mount. Only by doing so can we manage how people and devices interact. The more devices we connect, the more important this will be.
 
Role of information security professionals
Information security professionals need to understand the identity stored in their organisations and examine how identity information is currently used. The next step is to look for ways to integrate identity context and begin to understand the behaviour of the things in their organisation, and how they interact.
Mount also advises information security professionals to build a framework that can handle more sophisticated and aggregate identity information, ensuring the framework can scale. We need an extensible identity framework that can encompass the people, products, devices and services that are all part of the IoT.