Identi-Tea Podcast, Episode 5: The Answer is Blowing in the (IoT) Wind

In episode 5, Daniel and Chris are live at IoT World / Connected & Autonomous Vehicles 2017 in Santa Clara, CA. Topics include how identity can play a key role in customizing the user experience for connected cars, how to creatively use access policies and contextual data to solve IoT challenges, and how securing devices on the edge requires a different way of thinking. Oh, and it was very windy.

Episode Links:

ForgeRock Identity Live 2017

Video: Objects in Mirror May Be Closer Than They Appear (Donut Demo)

ForgeRock Edge Security Early Access Program


Identity Disorder Podcast, Episode 4: The Rodeo of Things


In episode 4, Daniel and Chris are pleased to welcome one of ForgeRock’s founders, Victor Ake. Victor gives his insight into the Identity of Things, talking about the differences between constrained and unconstrained devices, how IoT brokers work, securing IoT devices using identity standards, and how microservices fit into the picture. Other topics include airport hotels, wrestling, and–wait for it–the rodeo.

Episode Links:

ForgeRock IoT Page:
https://www.forgerock.com/solutions/devices-things/

ForgeRock Identity Summit in London and Paris
https://summits.forgerock.com/

All upcoming ForgeRock events:
https://www.forgerock.com/about-us/events/

Blockchain for Identity: Access Request Management

This is the first in a series of blogs that will look at some use cases for leveraging blockchain technology in the world of identity and access management.  I don’t proclaim to be a BC expert and there are several blogs better equipped to tackle that subject, but a good introductory text is the O’Reilly published “Blockchain: Blueprint for a New Economy”.

I want to first look at access request management.  This is an age-old issue that has developed substantially over the last 30 years into several sub-industries within the IAM world, with specialist vendors, standards and methodologies.

In the Old Days

Embedded/Local Assertion Management

So this is a typical “standalone” model of access management.  An application manages both users and access control list information within its own boundary.  Each application needs a separate login and access control database.  The subject is typically a person and the object an application with functions and processes.

Specialism & Economies of Scale

So whilst the first example is the starting point – and still exists in certain environments – specialism quickly occurred, with separate processes for identity assertion management and access control list management.

Externalised Identity & ACL Management

So this could be a typical enterprise web access management paradigm.  An identity provider generates a token or assertion, with a policy enforcement process acting as a gatekeeper down into the protected objects.  This works perfectly well for single-domain scenarios, where identity and resource data can be easily controlled.  Scaling is not really a major issue here either, as traditionally this approach would sit within the same LAN, for example.

So far so good.  But today, we are starting to see a much more federated and fragmented landscape.  Organisations have complex supply chains, with partners, sub-companies and external users all requiring access to objects that were previously internal-only.  Employees, too, want to access resources in other domains and from as-a-service providers.
Federated Identities

This then creates a much more federated landscape.  Protocols such as SAML2 and OAuth2/OIDC allow identity data from trusted third parties, not originating from the object’s domain, to interact with those resources securely.

Again, from a scaling perspective this tends to work quite well.  The main external interactions tend to be at the identity layer, with access control information still sitting within the object’s domain – albeit externalised from the resource itself.

The Mesh and Super-Federation

As the Internet of Things becomes the norm, the increased volume of both subjects and objects creates numerous challenges.  Firstly, the definition of both changes.  A subject will become not just a person, but also a thing and potentially another service.  An object will become not just an application, but an autonomous piece of data, an API or even another subject.  This then creates a multi-point set of interactions, with subjects accessing other subjects, APIs accessing APIs, things accessing APIs and so on.

Enter the Blockchain

So where does the blockchain fit into all this?  Well, the main characteristics that can be valuable in this sort of landscape would be the decentralised, append-only, globally accessible nature of a blockchain.  The blockchain could be used as an access request warehouse.  This warehouse could contain the output from the access request workflow process, such as this sample of pseudo code:

{"sub":"1234-org2", "obj":"file.dat", "access":"granted", "iss":"tomorrow", "exp":"tomorrow+1", "issuingAuth":"org1", "added":"now"}

This is basic, but each entry would be hashed and cryptographically secured by a trusted access request manager.  That manager would have the necessary circle of trust relationships with the relevant identity and access control managers.

After each access request, an entry would be made to the chain.  Each object would then be able to make a query against the chain, identify all corresponding entries that map to its object set, union those entries and work out the necessary access control result.  For example, the union would contain all access granted and access denied results, from which the current decision is derived.
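The warehouse-and-query model described above, as an added example that is not part of the original post or of any ForgeRock product: a hash-linked, append-only ledger of access entries in the format shown, where each entry is authenticated by the issuing authority and an object unions the entries for its object set to compute a decision (most recently added valid entry wins, default deny). Assumptions: an HMAC with a per-authority demo key stands in for the authority's signature, timestamps are plain integers, and all sample entries are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo keys for the trusted access request managers (assumption: a
# stand-in for real signing keys; a deployment would use public-key signatures).
AUTHORITY_KEYS = {"org1": b"org1-demo-key", "org2": b"org2-demo-key"}
GENESIS = "0" * 64


def canonical(data):
    """Deterministic JSON encoding so hashes and MACs are reproducible."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def sign_entry(entry, key):
    """Authenticate one access entry under an authority's key."""
    return hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()


class AccessRequestChain:
    """Append-only, hash-linked warehouse of access request decisions."""

    def __init__(self):
        self.blocks = []

    def append(self, entry, signing_key):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = {"entry": entry, "sig": sign_entry(entry, signing_key), "prev": prev}
        block = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
        self.blocks.append(block)
        return block["hash"]

    def verify_chain(self):
        """Recompute every link; any edited block breaks the chain from that point on."""
        prev = GENESIS
        for block in self.blocks:
            body = {k: block[k] for k in ("entry", "sig", "prev")}
            if block["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != block["hash"]:
                return False
            prev = block["hash"]
        return True

    def entries_for(self, objects):
        """Entries for an object set whose MAC verifies under the claimed issuing authority."""
        found = []
        for block in self.blocks:
            entry = block["entry"]
            key = AUTHORITY_KEYS.get(entry["issuingAuth"])
            if entry["obj"] not in objects or key is None:
                continue
            if hmac.compare_digest(sign_entry(entry, key), block["sig"]):
                found.append(entry)
        return found


def decide(chain, objects, sub, obj, now):
    """Union the valid entries for (sub, obj) at time 'now'; latest added wins, default deny."""
    valid = [e for e in chain.entries_for(objects)
             if e["sub"] == sub and e["obj"] == obj and e["iss"] <= now < e["exp"]]
    if not valid:
        return "denied"
    return max(valid, key=lambda e: e["added"])["access"]


def build_sample_chain():
    """Constructed sample: a grant, a later revocation, and an entry not signed by org1."""
    chain = AccessRequestChain()
    chain.append({"sub": "1234-org2", "obj": "file.dat", "access": "granted",
                  "iss": 1000, "exp": 2000, "issuingAuth": "org1", "added": 1000},
                 AUTHORITY_KEYS["org1"])
    chain.append({"sub": "1234-org2", "obj": "file.dat", "access": "denied",
                  "iss": 1500, "exp": 2000, "issuingAuth": "org1", "added": 1500},
                 AUTHORITY_KEYS["org1"])
    # Claims to come from org1 but was authenticated with some other key: must be ignored.
    chain.append({"sub": "9999-org2", "obj": "file.dat", "access": "granted",
                  "iss": 1000, "exp": 2000, "issuingAuth": "org1", "added": 1001},
                 b"not-org1-key")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(chain.verify_chain(), decide(chain, {"file.dat"}, "1234-org2", "file.dat", 1200),
          decide(chain, {"file.dat"}, "1234-org2", "file.dat", 1600))
```

Objects should run verify_chain() before trusting a query result, since the per-entry MAC check only rejects an individual entry and cannot detect that a block has been removed or rewritten in the chain.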

A Blockchain-Enabled Access Request Management Workflow

So What?

So we now have another system and process to manage?  Well, possibly, but this could provide a much more scalable and interoperable model with respect to all the access control decisions that would need to take place to allow an IoT and API enabled world.

Each object could have access to any BC enabled node – so there would be massive fault tolerance and elastic scaling.  Each subject would simply present a self-contained assertion.  Today that could be a JWT or a token within a proof-of-possession framework.  They could collect that from any generator they choose.  Things like authentication and identity validation would not be altered.

Access request workflow management would be abstracted – the same asynchronous processes, approvals and trusted interactions would take place.  The blockchain would simply be an externalised, distributed, secure storage mechanism.

From a technology perspective I don’t believe this framework exists, and I will be investigating a proof of concept in this area.

This blog post was first published @ http://www.theidentitycookbook.com/, included here with permission from the author.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


  • Customer Identity Management
  • The start of IoT security awareness
  • Reduced Passwords on Mobile
  • Consumer Privacy
  • Cloud Single Sign On

In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisations' lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and fingerprint authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise of things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offering basic contactless payments on debit cards.  The limit for such contactless payments was recently raised to £30 in September, making it the obvious choice for busy interactions such as supermarkets and coffee shops.  This increased emphasis on the mobile representing an identity will put pressure on the mobile's ability to store credentials securely, and increase the potential for fraud and payment data theft.


Internet of Things Data Sharing to be Tackled

IoT is everywhere.  The "web of things", the "internet of everything": each week a new term is coined.  The simple fact is that millions more devices are coming online, and are generating, collecting and aggregating data from a range of sources - both personal and machine related.  That data needs to be effectively shared using a transparent consent model.  Individuals are more acutely aware than ever before that their data can be used in a myriad of different ways - some for service improvement but some maliciously.  Third-party data sharing is inevitable if the true benefits of the IoT world are to be realised - but that data sharing requires real consent and revocation capabilities using standards such as User Managed Access and others.


EU General Data Protection Regulation Brings New Organisational Challenges

The recent change in the EU GDPR will bring challenges for many organisations looking to leverage the power of digital transformation or harness the power of cloud.  The new EU changes provide a clear message regarding the use and management of user data, with powerful fines now acting as a large incentive for compliance and process redesign.  Many end users and consumers are becoming fully aware of how powerful their data can become when combined with things like tracking, marketing or analytics, and full and proper control over that data should be made available.


An Increase in Device Pairing & Sharing

The increase in household and consumer devices with "smart" capabilities is leading to more "pin and pair" ecosystems for things like smart TVs, connected cars, home heating systems, fridges and more.  The ability for a device to be linked to a physical identity brings a brand new set of use cases for identity impersonation, data sharing and personalisation.  The ability for a TV to be linked to a physical person and not just a household, for example, brings interesting use cases for personalised content delivery.  The pairing of devices will probably leverage existing authorization standards such as OAuth2, where quick and simple revocation will help to increase confidence in how physical identities can be linked to and revoked from devices.


Every Company Will Have a Blockchain R&D Team

The Bitcoin revolution seems to have hit the top of the "peak of inflated expectations", with effective delivery still some 5 to 10 years away.  However, the capabilities of the blockchain architecture are starting to reach new non-currency related use cases, such as intellectual property protection, art copyrighting, access request cataloguing and more.  The interest in the distributed and hashed nature of the blockchain makes new transparent data sharing and decision point architectures a potential weapon in the security architect's arsenal.  Whilst many of the capabilities and features may still need implementing, many organisations will be looking on with keen eyes to see if this ecosystem can start to deliver on its early promise.


It will be interesting to see what 2016 brings.  One thing is for sure: information security has never been such a concern for so many organisations in both the private and public sector.

Happy holidays and see you in 2016!

By Simon Moffatt






Identity Summit London 2015

Last week, ForgeRock hosted the London edition of the Identity Summit 2015. It was a great event, very successful with over 200 attendees to discuss identity, digital transformation and IoT.

My coworker Markus has published a detailed recap of the Summit, so I leave you with my usual picture gallery. Enjoy!

There will be two other Identity Summits in November this year. One in Amsterdam on November 5, one in Düsseldorf on November 12. If you haven’t registered yet, there is still time!



techUK: Securing the IoT – Workshop Review

This week saw the techUK host a workshop on securing the Internet of Things and overcoming the risks associated with an increasingly connected world. The event (#IoTSecurity) attracted a variety of speakers from the public and private sector and brought about some interesting topics and further questions on this ever changing landscape.

Embedded Device and Host Device Life Cycle Disparity

Stephen Pattison from ARM introduced the event, and brought up an interesting view of the challenge of keeping IoT devices up to date - whether with firmware, software or hardware improvements.  He observed there is often a disparity in life span between the small, inexpensive sensor, actuator or controller type components and the host device.  For example, a car may last 15 years, whilst a tracking component may last 36 months.  The rip and replace nature of general consumerism has subtle issues with respect to the IoT landscape, where the re-provisioning of new embedded devices, or the improvement of existing devices, is often overlooked.

IoT Security Issues versus Opportunities

Duncan Brown, European Security Research Director at IDC, outlined some of the key problems facing the IoT landscape from a security perspective.  The main factors contributing to the security issue can basically be broken down into the number of physical devices and the amount of data those devices generate.  The sheer volume of connected devices opens up a new attack vector, with the network these devices operate on often only being as secure as the weakest link.  That weakest link is often a low powered and poorly protected device, which allows a land and expand pivot style attack that, if successful, can quickly lead to attacks on more powerful computing resources.  The second main factor is associated with the yottabytes (a trillion terabytes!) of data that IoT-related devices are capable of collecting.  That data needs to be protected in transit and also at rest, where transparent access control and sharing protocols need to be applied.  These issues, of course, are now opening up new sub-industries in which security assessments, device certifications, software audits and consultancy practices can provide services.

As with many consumer related interactions, IoT also creates an 'elastic security compromise'.  You can seemingly have only two out of three: an enjoyable user experience, low risk and low cost.

Indirect Attacks

David Rogers, CEO of Copper Horse Solutions, with his specialism in mobile security, focused on describing how some of the challenges facing the telco operators over the last 10 years can now be applied to the IoT space.  With many newly manufactured cars by 2017 going to contain SIM technology, the attack vector, data collection and data sharing aspects of driving will increase substantially.  David made a subtle observation with respect to how IoT attacks could develop.

Whilst many laugh at the prospect of their digital fridge or washing machine being hacked as a gimmick, the net result of a large scale attack on home automation isn't necessarily to place the immediate home owner as the victim.  The attacker in this case could well be targeting the insurance market, which would face a deluge of claims if, for example, washing machines suddenly flooded.

Privacy Challenges

Sian John, Security Strategist at Symantec, then focused on the IoT standards and privacy landscape.  She argued that IoT is in fact rapidly becoming the 'Internet of Everything', where increased connectivity is being applied to every aspect of everyday life.  Whilst this may deliver better services or more convenient experiences, it also opens up new security vulnerabilities and issues with regard to consumer data privacy.  Whilst the IoT ecosystem is clearly focused on physical devices, Sian argued that there is in fact a triad of forces at work: namely people, things and data (albeit I prefer 'people, data and devices...').  Often, the weakest link is the people aspect: people are often concerned about personal data privacy, but don't have the knowledge or understanding of terms and conditions, consent questions or device configuration.

Sian also pointed out that many consumers have a deep distrust of both technology vendors and social network operators when it comes to personal data privacy.

Overall, it seemed the discussions were focused on the need for a strong and varied security ecosystem that can address the entire 'chip to cloud' life cycle of IoT data, where the identity of both the devices and the people associated with those devices is strongly managed.

By Simon Moffatt




