Share risk by extending identity to IoT devices – but letting people control their data: ForgeRock

Tools providing citizens with control over their personal data will help increasingly security-conscious companies better manage exposure to the growing identity challenge posed by a flood of devices and the Internet of Things (IoT), one industry expert has predicted as the latest international Data Privacy Day rekindles awareness of personal privacy online.

Control over personal data has become increasingly challenging for online users and solutions for sharing data – and controlling access to data sources – have been limited in scope in the past, as with the way that Google manages access to a shared Google Docs document. But with online sharing only increasing, security vendor ForgeRock is hoping that broader support for the User-Managed Access (UMA) standard will improve cross-service control over data.

Broader use of UMA – implemented within ForgeRock's newly-minted ForgeRock Identity Platform (FIP) – will allow organisations and online services to verify user credentials regardless of the service in use, or the service where they are managed.

“A lot of companies are telling us they have consumer data that they're storing, but that they really don't want to have ownership of that data,” vice president of product management John Barco told CSO Australia.

“Things like medical records or even Spotify playlists should be something that consumers own, and they should be able to manage it – but companies are responsible for the security of that data. UMA allows users to manage their own data and select whom they want to share it with, how to control it, how to authorise it, and how to manage the revocation of access to that data.”

ForgeRock last year wrapped its efforts to promote UMA into the Kantara Initiative, an open working group promoting implementation and broader use of compatible APIs.

Yet UMA is only one of the ways ForgeRock is working to expand the notion of identity. Conventional models use user ID and password combinations to confirm identity at the door of the network but rarely if ever challenge users again: “once you're in they lost track of you and don't really care what you do”, Barco said.

To address this weakness, ForgeRock this designed FIP with identity-management capabilities that not only extend the notion of identity to IoT components and nearly anything else, but enforces it through 'continuous security' that revalidates user and device identity at regular intervals.

This approach is particularly important as IoT drives a higher degree of interconnection that will expose corporate networks to a broader range of inputs and, potentially, vulnerabilities.

“We are creating a management problem by having so many IoT devices that require identity,” Barco explained. “Any time you have a number of diverse applications and devices, it does get complex – and the same things that happened in managing growing numbers of users is happening with devices and IoT. But now, instead of talking about tens of of thousands of users, we're talking about tens of millions of devices.”

ForgeRock isn't alone in trying to rein in the explosive growth of the IoT, which is challenging conventional security approaches and raising new implications for the privacy of user data. Chipmaker ARM recently acquired an IoT security specialist, for example, while Verizon Enterprise Solutions last year scaled its digital-certificate tools to cope with IoT volumes.

US legislators have introduced legislation for managing IoT security, while security-industry group ISACA released a guide to evaluating IoT security risk after a survey found 43 percent of organisations would be using IoT or deploying it within 12 months. And Gartner, warning of the need to secure the Identity of Things (IDoT), has already highlighted the importance of better identity management.