Identity and Access Management of Things (1 of 2)
Quadrant Knowledge Solutions has recognised our collaboration and its importance for securing Digital Transformations with Connected Things. For more information, register here for our joint webinar “Who Secures Trust in Digital Transformation with Connected Things? Meet your Security Twin!” on 10 September 8am PST. Bring your best questions by reading the IDC Technology Spotlight (registration required) on Security Twins before joining us.
Digital Transformation (DX) is the march of progress toward a fully connected world – where data flows through the world to streamline processes, eliminate unnecessary paperwork and enable business to create new revenue streams and reduce costs. It’s more than digitizing paperwork: we’re not just doing all the same old things ‘on a computer’. It’s about designing new systems based on data that can do more things faster, better, cheaper, as long as you can get the right information to the right place at the right time. It has great promise, but it also carries risk: information falling into the wrong hands can be very costly, and bad data getting inside your systems is equally dangerous. The APIs and data that power DX need protection. Whether in the cloud, in your own data centre, or in smart devices, identifying “who is attempting to access what” is the key to protection.
Identity and Access Management is the information security discipline that keeps data in the right hands and systems under the right control. Its emergence from single-sign-on for the enterprise, to social login for customers to API protections for data places it in pole position to protect Connected Things. The time has come for IAM of Things.
Digital Transformation with Connected Things
Connected Things are everywhere – computers, servers, smartphones, cars, watches, smart meters, street lamps, wind turbines, industrial control systems, railways, airports… the thirst for connection is profound. The disciplines of Information Technology and Operational Technology were previously separated by “air-gaps” – purposely disconnected systems to prevent infection of mission critical systems from a malicious email attachment. However, connections do have their advantages: massive cost savings can be realized by remotely monitoring and maintaining capital equipment. The Industrial Internet of Things is taking Operational Technology online and bringing risks and rewards with it, either by ripping and replacing old technology with new or connecting things that were never designed with connection in mind.
With a mix of legacy infrastructure, new technology stacks, capabilities, performance, bandwidths, protocols and efficiency, it’s not easy to integrate differing systems and expect them to work seamlessly. Integration needs to happen at a high level of abstraction; A data-layer abstraction is needed.
According to Gartner “A digital twin is a digital representation of a real-world entity or system. The implementation of a digital twin is an encapsulated software object or model that mirrors a unique physical object, process, organization, person or other abstraction. Data from multiple digital twins can be aggregated for a composite view across a number of real-world entities, such as a power plant or a city, and their related processes.”
Digital Twins reside in cloud platforms that enable data to be shared amongst other digital twins through APIs, controlling who should gain access to what data. They can be used to aid system development before physical implementation, modelling behaviour and scenario planning before physical commitments are made. And once buildings or manufacturing plants are in operation, their Digital Twins can receive real world data about their actual use, further enhancing the model for next generation constructions and enabling more efficient remote maintenance and operation. Even predicting when maintenance should occur just before equipment fails. Digital Twins bring tremendous efficiency and reliability.
People have Digital Twins too. The data collected about you, your behaviour, how you authenticate and what you’re authorised to do is also a form of Digital Twin that resides in an Identity and Access Management system. An identity system performs many functions such as securely storing names, attributes, authentication keys, consents and permissions to access resources.
Security and Trust of Connected Things
Beecham Research in 2019 found that 62% of Digital Transformations with Connected Things failed, with security and trust as the top issue. Failure means the project did not progress beyond a single site trial or become core to the business.
Connected Things are computers without the user interfaces we’re accustomed to. They sense and respond to their surroundings, and may also have some other means of controlling or taking instructions from other machines. Valves, motors, lights and more can be controlled from flipping bits in data centres thousands of miles away. While everything is working well this is fantastic, but as the old adage goes: “with great power comes great responsibility“. The enhanced risks of connecting things, particularly new data and supply chain risks, must be managed very carefully. Simple though it may seem, we often forget that “Things are only secure until they are not”; real world consequences can damage capital equipment, the environment, productivity, reputations or endanger life itself if we allow security and maintenance postures to slip.
An exposed Connected Thing can corrupt data in its Digital Twin – and if there’s no way of telling truth from fiction, the risks from using them will be all the greater. Furthermore, an incomplete view of the state of the device, either from missing details or stale data, can lead to the wrong trust decisions being made. This isn’t just about botnets and hacks: it’s also about everyday mistakes, wear and tear, and miscommunications.
Some Connected Things run Linux operating systems, some run Real-time Operating Systems and others run smaller software stacks to operate from a coin-cell power source for years. Traditional endpoint protections such as anti-virus scanners would consume a battery’s charge in short time and are not appropriate. Every re-authentication depletes energy; security is hard work. Keeping connected things secure involves its supply chain, who must all co-ordinate their activities to ensure that not only are known vulnerabilities patched but that system integrators test them, owners approve them and system operators schedule downtime to install them. Wouldn’t you rather know this information before making a blind decision on data that may either be the most useful information you’ve ever received or an attacker making a fool of you?
Security and trust of Connected Things must be at the core of Digital Transformations with Digital Twins.
Part Two of this blog will be published next week. Remember to register for the webinar!