I recently attended the newly renamed Mobile World Congress Americas – formerly CTIA Super Mobility – which is an event I’ve been attending for more years than I care to count.
This year’s show was buzzing and was a new show in many ways, so I was very happy to participate in a panel titled “IoT Platforms and Services” that focused on the industrial IoT and ways to secure it.
With estimates of the number of IoT devices now heading past 20 billion by 2020, including nearly 8 billion in business or industry, the security issue is becoming increasingly pressing. During the panel, I began to wonder in particular about who on earth would “vouch for the identity” of all those IoT devices.
I’ve written before about the ever-increasing “surface of attack” that the public internet represents, which is very much driven by the sheer number of devices and ways of connecting to the web. So, the bottom line is this: No matter how you look at it, 20 billion connected IoT devices represent a lot of risk and will take an immense amount of policing to protect.
In business and industry – where these devices might be monitoring and protecting vital national infrastructure; controlling highways, freeways, and self-driving cars; or communicating vital patient data in the medical profession – we’re going to need some reassurance that every connected device is tested, trustworthy, and free from outside interference.
On the panel, I started to talk about the need for identity, and my remarks caused a bit of a stir. While the moderator did try to draw us back to the topic, the reaction on stage, in the audience, and on Twitter seemed to indicate that I had touched a nerve.
It’s critical to understand that authentication and identity are two entirely different things. The first gives permission, but the second renews it before each interaction, because the identity of the person or device is known and understood in advance.
When you verify the identity, you should also know who supplied that device, who installed it, who made changes to it, and whether they were authorized to make the change – the very source of the identity of the object. That back story then plays a critical role in authorizing change and allowing network access.
The topic of security around IoT devices is prevalent but seems to be focused on the security of the device itself. But back to what we have said previously: These “things” in IoT are connecting to the internet, and without proper identification and without the management of that identity, the application for that IoT use case is at risk.
Mary Clark is a former Chief Corporate Relations Officer and Chief of Staff at Syniverse.