ForgeRock, the developer of a platform for federated identity, has published a white paper setting out the case for an Identity of Things (IDoT). It argues that early adopters of IoT have largely neglected identity and access management and that, as a result, many organisations are scrambling to deal with the consequences.
In the white paper, Access Management (IAM) Reference Architecture for the Internet Of Things (IoT), ForgeRock argues that successful IoT implementations have complex relationships between people, things and services, and that the only sustainable method for securing the IoT in the long term is to enable persistent identity across applications, devices and things.
“We have reached a point where consent and control over devices and data is critical to the success of IoT, both in the consumer and industrial spaces,” ForgeRock says. “IoT solutions must offer a set of identity controls that properly govern who has access to what.”
According to ForgeRock, in the identity world these controls are the well-known concepts of authentication and authorisation, but many IoT manufacturers are unintentionally reinventing the wheel because they do not realise that the world of identity and access management has already solved many of their problems. “In fact, many problems can be addressed by applying existing identity standards and infrastructure to common IoT use cases,” it says.
An IoT architecture for identity management
The white paper describes an IoT architecture from a service-interaction perspective. It focuses primarily on how data flows from a set of devices to a centralised hub or cloud service. This is then expanded to include common scenarios at each stage of the data flow. “The brokering level, for example, will require things such as device registration, authentication and revocation,” ForgeRock says. “Cloud service or data storage platforms will require the ability to share data, probably via APIs, which would also require registration and authentication / authorisation services.”
It points out that the IoT component architecture “is a complex, evolving landscape and has a strong focus on interoperability and data management,” and it contrasts this with traditional identity and access management services that were “built for a company’s internal use to assist with manual on- and off-boarding and to establish access privileges to company data and systems behind the firewall.”
It argues that, to accommodate IoT, a company must implement a dynamic identity solution that is capable of serving and connecting employees as well as customers, partners, and devices, regardless of location. It then proceeds to list “several identity integration touchpoints where registration, authentication and authorisation services are available.”