IoT & Hardware
Reader small image

You're reading from  Practical Internet of Things Security - Second Edition

Product typeBook
Published inNov 2018
Publisher
ISBN-139781788625821
Edition2nd Edition
Tools
AWSAzure
Concepts
Internet of Things Security
Right arrow
Authors (2):
Brian Russell
Brian Russell
author image
Brian Russell

Brian Russell is the founder of TrustThink, LLC, where he leads multiple efforts towards the development of trusted IoT solutions. He has over 20 years of information security experience and has led complex system security engineering programs in the areas of cryptographic modernization, cryptographic key management, unmanned aerial systems, and connected vehicle security. He is the co-chair of the Cloud Security Alliance (CSA) IoT Working Group and was the recipient of the 2015 and 2016 CSA Ron Knode Service Award. Brian is an adjunct professor at the University of San Diego (USD) in the Cyber Security Operations and Leadership program.
Read more about Brian Russell

Drew Van Duren
Drew Van Duren
author image
Drew Van Duren

Drew Van Duren has provided 20 years of support to commercial and government customers in their efforts to secure safety-of-life and national security systems. He has provided extensive applied cryptographic design, key management expertise, and system security architecture design through rigorous integration of system security design with the core engineering disciplines. Drew has managed as Technical Director the two largest FIPS 140-2 test laboratories, security-consulted for the New York City Connected Vehicle Pilot Deployment, and participated in multiple standards groups such as the RTCA, SAE, and IEEE 1609 working group. Today, he supports the IEEE P1920 committee heading security architecture for unmanned aircraft aerial networks.
Read more about Drew Van Duren

View More author details
Right arrow

Chapter 7. Identity and Access Management Solutions for the IoT

While society continues to adopt ever more smart home appliances and IoT wearables, the IoT is diversifying into broader applications for different professions, and governments and throughout industries. The network connectivity needed to support it is becoming ubiquitous and, to that end, devices will need to be identified and access provisioned in new and different environments and organizations. This chapter provides an introduction to identity and access management for IoT devices. The identity life cycle is reviewed, and a discussion on infrastructure components required for provisioning authentication credentials is provided, with a heavy focus on PKI. We will also examine different types of authentication credentials and discuss new approaches to providing authorization and access control for IoT devices.

We will address these subjects in the following topic areas:

  • Introductory discussion on Identity and Access Management...

An introduction to IAM for the IoT

Security administrators have traditionally been concerned with managing the identities of people and controlling access to systems that interact with their technology infrastructure. The concept of Bring Your Own Device (BYOD), for example, can allow authorized individuals to associate mobile phones or laptops with their corporate account to receive network services on their personal devices. The allowed network services may be given once minimal security assurances are deemed to have been satisfied on the device. This may include using strong passwords for account access, application of virus scanners, or even mandating partial or full disk encryption to help with data loss prevention.

The IoT introduces a much richer connectivity environment than BYOD. Many more IoT devices are expected to be deployed throughout an organization than the usual one or two mobile phones or laptops for each employee. IAM infrastructures must be designed to scale to the number...

The identity life cycle

Before we begin to examine the technologies that support IAM for the IoT, it is useful to lay out the life cycle phases of what we call identity. The identity life cycle for an IoT device begins with defining the naming conventions for the device; it ends with the removal of the device's identity from the system. The following diagram provides a view of the process flow:

 

This life cycle procedure should be established and applied to all IoT devices that are procured, configured, and ultimately attached to an organization's network. The first aspect requires a coordinated understanding of the categories of IoT devices and systems that will be introduced within your organization, both now and in the future. Establishing a structured identity namespace will significantly help manage the identities of the thousands or millions of devices that will eventually be added to your organization.

Establish naming conventions and uniqueness requirements

Uniqueness is a feature that...

Authentication credentials

IoT messaging protocols often support the ability to use different types of credentials for authentication with external services and other IoT devices. This section examines the typical options available for these functions.

Passwords

Some protocols, such as MQTT, only provide the ability to use a username/password combination for native-protocol authentication purposes. Within MQTT, the connect message includes the fields for passing this information to an MQTT broker. In the MQTT Version 3.1.1 specification defined by OASIS, you can see these fields within the connect message (reference: http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html):

Note

There are no protections applied to support the confidentiality of the username/password in transit by the MQTT protocol. Instead, implementers should consider using the Transport Layer Security (TLS) protocol to provide cryptographic protections.

There are numerous security considerations related to using...

IoT IAM infrastructure

Now that we have addressed many of the enablers of identity and access management, it is important to elaborate how solutions are realized in infrastructure. This section is primarily devoted to Public Key Infrastructures (PKI) and their utility in securing IAM deployments for the IoT.

802.1x

The 802.1x authentication mechanisms can be employed to limit IP-based IoT device access to a network. Note though that not all IoT devices rely on the provisioning of an IP address. While it cannot accommodate all IoT device types, implementing 802.1x is a component of a good access control strategy able to address many use cases.

Enabling 802.1x authentication requires an access device and an authentication server. The access device is typically an access point and the authentication server can take the form of a RADIUS or some Authentication, Authorization, and Accounting (AAA) server.

 

PKI for the IoT

Chapter 6Cryptographic Fundamentals for IoT Security Engineering, provided...

Authorization and access control

Once a device is identified and authenticated, determining what that device can read or write to other devices and services is required. In some cases, being a member of a particular Community Of Interest (COI) is sufficient; however, in many instances there are restrictions that must be put in place, even upon members of a COI.

OAuth 2.0

To refresh, OAuth 2.0 is a token-based authorization framework specified in IETF RFC 6749, which allows a client to access protected, distributed resources (that is, from different websites and organizations) without having to enter passwords for each. As such, it was created to address the frequently cited sad state of password hygiene on the internet. Many implementations of OAuth 2.0 exist, supporting a variety of programming languages to suit. Google, Facebook, and many other large tech companies make extensive use of this protocol.

The IETF ACE working group has created working papers that define the application of OAuth...

Summary

This chapter provided an introduction to identity and access management for IoT devices. We reviewed the identity life cycle and discussed infrastructure components such as PKIs required for provisioning authentication credentials. We examined different types of authentication credentials and explored new approaches to providing authorization and access control for IoT devices.

In Chapter 8, Mitigating IoT Privacy Concerns, we will visit the complex ecosystem in which IoT privacy concerns need to be addressed and mitigated. Security controls, such as effective identity and access management, which were discussed in this chapter, represent only one element of the IoT privacy challenge.

lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 13 of 19
Next Chapter
You have been reading a chapter from
Practical Internet of Things Security - Second Edition
Published in: Nov 2018Publisher: ISBN-13: 9781788625821
© 2018 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime

Authors (2)

author image
Brian Russell

Brian Russell is the founder of TrustThink, LLC, where he leads multiple efforts towards the development of trusted IoT solutions. He has over 20 years of information security experience and has led complex system security engineering programs in the areas of cryptographic modernization, cryptographic key management, unmanned aerial systems, and connected vehicle security. He is the co-chair of the Cloud Security Alliance (CSA) IoT Working Group and was the recipient of the 2015 and 2016 CSA Ron Knode Service Award. Brian is an adjunct professor at the University of San Diego (USD) in the Cyber Security Operations and Leadership program.
Read more about Brian Russell

author image
Drew Van Duren

Drew Van Duren has provided 20 years of support to commercial and government customers in their efforts to secure safety-of-life and national security systems. He has provided extensive applied cryptographic design, key management expertise, and system security architecture design through rigorous integration of system security design with the core engineering disciplines. Drew has managed as Technical Director the two largest FIPS 140-2 test laboratories, security-consulted for the New York City Connected Vehicle Pilot Deployment, and participated in multiple standards groups such as the RTCA, SAE, and IEEE 1609 working group. Today, he supports the IEEE P1920 committee heading security architecture for unmanned aircraft aerial networks.
Read more about Drew Van Duren

Other recommended products

Related to this chapter

Hands-On Cryptography with Python

Hands-On Cryptography with Python

Cryptography is essential to protect sensitive information, but it is often performed inadequately or incorrectly. This book will show how to encrypt, evaluate, compare, and attack your data using Python. Overall, the book will help you deal with the common errors in encryption and would know how to exploit them.

BookJun 2018100 pages
Practical Industrial Internet of Things Security

Practical Industrial Internet of Things Security

This book provides you with a comprehensive understanding of Industrial IoT security; and practical methodologies to implement safe, resilient cyber-physical systems. It will help you develop a strong foundation and deeper insights on the entire gamut of securing connected industries, from the edge to the cloud.

BookJul 2018324 pages
Azure IoT Development Cookbook

Azure IoT Development Cookbook

It is important to develop robust and reliable solutions for your organization to leverage IoT services. Microsoft’s end-to-end IoT platform is the most complete IoT offering. It empowers enterprises to build and realize value from their IoT solutions for innovative business outcomes with Microsoft Azure IoT. This book will teach you how to connect multiple devices to the Azure IoT hub, develop, manage the IoT hub service, and integrate the hub with the cloud.

BookAug 2017254 pages
IoT Penetration Testing Cookbook

IoT Penetration Testing Cookbook

IoT is an upcoming trend in the IT industry today; there are a lot of IoT devices on the market but there is a minimal understanding of how to safeguard them. If you are a security enthusiast or pentester, this book will help you understand how to exploit and secure IoT devices. You will learn how to identify vulnerabilities in IoT device architecture and firmware using software and hardware pentesting techniques, and you'll also focus on various IoT exploitation techniques and security automation.

BookNov 2017452 pages
Hands-On Security in DevOps

Hands-On Security in DevOps

Hands-On Security in DevOps explores how the techniques of DevOps and Security should be applied together to make cloud services safer. By the end of this book, readers will be ready to build security controls at all layers, monitor and respond to attacks on cloud services, and add security organization-wide through risk management and training.

BookJul 2018356 pages
Enterprise Internet of Things Handbook

Enterprise Internet of Things Handbook

Internet of Things is today and now. This “hand” book covers almost all the bare essential knowledge that is needed for an architect or a developer to build IoT solution. Right from understanding what IoT is and exploring various off of the shelf IoT platforms, this book has it all. This book also covers Machine Learning IoT at a basic level using Azure Machine Learning Studio.

BookApr 2018332 pages
Developing IoT Projects with ESP32

Developing IoT Projects with ESP32

ESP32 is a low-cost, low-power MCU series by Espressif systems that can be used in wireless IoT applications. With Wi-Fi and Bluetooth technologies as well as security features, it's a full-fledged SoC for developing IoT products for consumer and industrial markets. This book will help you get up to speed with ESP32 using interesting projects.

BookSep 2021474 pages
Building Bluetooth Low Energy Systems

Building Bluetooth Low Energy Systems

Technology is expanding and so are our networks. The coming era is the age of the Internet of Things and it requires a seamless integration of software with hardware. The need for power-efficient connectivity is greater than ever. Bluetooth Low Energy presents a low-cost, small-distance communication platform that completely solves this problem. This book will introduce you to the technical aspects and implementation of BLE, which will enable you to create customized Bluetooth Low Energy Systems for day-to-day use.

BookApr 2017242 pages
Information Security Handbook

Information Security Handbook

Having an information security mechanism is one of the most crucial factors for any organization. Important assets of organization demand a proper risk management and threat model for security, and so information security concepts are gaining a lot of traction. This book covers the concept of information security, and shows you why it’s important.

BookDec 2017330 pages
Modern Cryptography for Cybersecurity Professionals

Modern Cryptography for Cybersecurity Professionals

Every minute of the day, there are petabytes of data exchanged between our homes, cars, businesses, and IoT devices. But just what exactly is involved when using cryptographic techniques? Modern Cryptography for Cybersecurity Professionals will help you to understand common cryptographic techniques and terms used today to secure our data.

BookJun 2021286 pages
Internet of Things for Architects

Internet of Things for Architects

The Internet of Things (IoT) is the most significant factor in the technology industry in the last 10 years. It will usher in the third industrial revolution and significantly impact global economies. Industry giants are in the process of adopting IoT solutions to add value, reduce costs, and improve people’s lives. As such, the architectural side of IoT has become critical. This book will help you understand the plethora of technologies that can be used to build a successful IoT deployment. This professional guide will help you architect IoT solutions for a variety of industries and organizations.

BookJan 2018524 pages
IoT and Edge Computing for Architects

IoT and Edge Computing for Architects

New edition of the top-selling guide to IoT and edge computing for architects that helps you create IoT solutions for a variety of industries and organizations.

BookMar 2020632 pages

Personalised recommendations for you

Based on your interests and search pattern

Architectural Patterns and Techniques for Developing IoT Solutions

Architectural Patterns and Techniques for Developing IoT Solutions

This book covers all the patterns and considerations that give you both the power and flexibility to build scalable, secure, and performant IoT solutions by combining various patterns in interesting ways. It also lists the benefits of combining IoT with technologies like blockchain, 3D-printing, 5G, Generative AI, quantum computing, and LLMs.

BookSep 2023304 pages
Arduino Data Communications

Arduino Data Communications

Arduino Data Communication focuses on IoT’s Internet aspect, guiding you in setting up your own infrastructure for storing and managing the data collected from sensors. This book goes beyond microcontroller basics, equipping you with the knowledge essential for building real-world projects.

BookNov 2023286 pages5
Arduino IoT Cloud for Developers

Arduino IoT Cloud for Developers

From fundamental principles to advanced techniques, this comprehensive book equips you with the knowledge and skills needed to design and deploy IoT applications seamlessly. Explore cloud integration, best practices, and real-world projects to harness the full potential of IoT application development with the Arduino IoT Cloud.

BookNov 2023402 pages
The Azure IoT Handbook

The Azure IoT Handbook

Building IoT Systems with Azure IoT is a comprehensive introduction for those who are new to the Internet of Things and looking to get up to speed in no time. This book will teach you how to create and develop IoT solutions with intelligent edge-to-cloud technologies in the Azure cloud.

BookDec 2023248 pages