Striking the right balance in the world of IoT and IAM


Among the emerging trends, the Internet of Things (IoT) has brought businesses numerous opportunities, but it has also put enormous pressure on their identity and access management (IAM) policies. Ageing IAM policies are still struggling to handle virtual and cloud environments, and the addition of the IoT world has only made the problem worse. Because identities are at the core of an IoT ecosystem, organizations need to re-examine their IAM policies to keep the IoT rollout safe. Hence the need for an IoT-aware identity and access management solution that not only secures data in transit but also protects the rest of the ecosystem from this new attack surface.

The Internet of Things is changing the way businesses and customers interact. Experts estimate that anywhere from 20 billion to 200 billion devices could be connected to the internet by 2020. Security, however, remains the topmost concern: around 56% of executives express concern about the weak authentication built into most IoT devices. Needless to say, every device connected to the internet is another door through which an attacker can reach your sensitive data.

Deploying end-to-end encryption does help keep attackers away from data in transit, but authentication remains a hard problem because of the growing number of devices and the interactions between humans, devices and applications in the IoT world. A modern IoT-oriented IAM solution must recognise that IoT devices need digital identities of their own, so that the relationships within the ecosystem (device to device, device to service, user to device) can be secured.

Traditional identity and access management solutions are designed to manage human identities and to control access to a network or resource based on a person's job and responsibilities; that model cannot simply be extended to the world of IoT. Those who try will end up with weak security and a ruined user experience. Moreover, IoT is bidirectional: along with data outputs, devices accept commands and access requests across the network, and each of these requires authorized access.

A modern IoT-oriented IAM solution has to be device-centric rather than user-centric, letting devices authenticate to each other. IP address and device behaviour will still play a role in identification, but security and device authentication should be enforced through an IoT security management plane that uses public key infrastructure (PKI) certificates, authenticated API calls and similar mechanisms to authorize each entity, whether it is a user, a device or an application. For customer-facing IoT products, features such as social login, single sign-on and biometric login can be enabled on top.
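As an added illustration of the bidirectional, device-centric model described above (example code written for this page, not a LoginRadius product and not code from the article): a small gateway that authorizes inbound device messages and signs outbound commands. To stay self-contained it uses a per-device symmetric key with HMAC-SHA256 in place of the PKI certificates the text mentions; the device registry, device names and keys are constructed sample data. The order of checks (known identity, valid MAC, fresh timestamp, unused nonce, permitted action) is the part that carries over unchanged to a certificate-based design, where the MAC becomes a signature verified against the device's certificate.

```python
import hashlib
import hmac
import json
import time

# Constructed example data (not from the article): per-device keys provisioned
# at manufacture, plus the actions each device identity is allowed to perform.
# Symmetric HMAC keys stand in for the PKI certificates the article mentions so
# that the example runs with the standard library only.
DEVICE_REGISTRY = {
    "thermostat-0001": {
        "key": bytes.fromhex("5c3a0f9d1e2b4c6d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3"),
        "allowed": {"report_temp", "set_setpoint"},
    },
    "camera-0007": {
        "key": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0ffeeddccbbaa99887766554433221100"),
        "allowed": {"report_motion"},
    },
}


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, device_id: str, action: str, payload: dict, nonce: str, ts: int) -> dict:
    """Build a message carrying identity, action, freshness (ts, nonce) and a MAC.
    Used by a device reporting data and by the gateway sending it a command."""
    body = {"device_id": device_id, "action": action, "payload": payload, "nonce": nonce, "ts": ts}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_mac(key: bytes, msg: dict) -> bool:
    """Recompute the MAC over every field except the MAC itself; constant-time compare."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("mac", ""))


class Gateway:
    """Authorizes inbound device messages: identity -> integrity -> freshness
    -> replay -> entitlement. Each failure names its cause for logging."""

    def __init__(self, registry: dict, max_skew: int = 60):
        self.registry = registry
        self.max_skew = max_skew
        self.seen = set()  # (device_id, nonce); production: per-device, time-bounded store

    def authorize(self, msg: dict, now: float = None) -> tuple:
        now = time.time() if now is None else now
        dev = self.registry.get(msg.get("device_id"))
        if dev is None:
            return False, "unknown device"
        if not verify_mac(dev["key"], msg):  # verify before trusting any other field
            return False, "bad mac"
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale"
        if (msg["device_id"], msg["nonce"]) in self.seen:
            return False, "replay"
        if msg["action"] not in dev["allowed"]:
            return False, "action not permitted"
        self.seen.add((msg["device_id"], msg["nonce"]))
        return True, "ok"

    def command(self, device_id: str, action: str, payload: dict, nonce: str, now: float = None) -> dict:
        """Outbound direction: the gateway signs commands with the device's key;
        the device applies verify_mac plus its own freshness and replay checks."""
        ts = int(time.time() if now is None else now)
        return sign_message(self.registry[device_id]["key"], device_id, action, payload, nonce, ts)
```

Note that the MAC is checked before the timestamp, nonce or action are read, so an attacker without the device key cannot influence any later decision, and the nonce set is keyed by device so one device cannot exhaust another's nonces.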

Another must-have in a modern IoT-oriented IAM is the ability to aggregate the data scattered across devices into a single profile, while giving users the ability to manage their own privacy preferences.

A strong identity and access management policy is a must when implementing IoT. A trusted identity must be established for every connected device in the ecosystem. Look for IAM solutions in which user provisioning, authentication and registration are built-in features, so that user experience and security are balanced.

But the pressure to be the first to adopt IoT is making organizations ignore many of the associated security challenges.


So are you also behind the curve? Let’s find out!

123456, qwerty, password and mynoob were among the worst passwords of 2016. So why are businesses still overlooking the issue? The combination of username and password is no longer enough to keep you secure: passwords are forgotten, stolen, written down, and shared with other people, intentionally or not. Multi-factor authentication (MFA), biometric login and similar methods have proven effective at providing robust security, yet for a large share of businesses they are still not the norm. Here is what needs to be done.


  1. Strategic considerations:

The first step is to understand your use case. Depending on its user base, a company may decide to buy and distribute a limited number of hardware tokens to generate OTPs; for a small number of users dealing with extremely sensitive data, the stronger (and costlier) measure is easily justified.

Alternatively, SaaS-based businesses may not be comfortable investing in specialised hardware and will rely on authenticator applications instead. Before settling on one option, analyse how the authentication process will fit into your existing identity infrastructure.

For example, single sign-on (SSO) is a crucial part of the authentication process, so make sure your MFA solution integrates well with it. Is the MFA solution you are choosing supported by your SSO environment? The next question is whether you want to deploy MFA through the SSO provider even if only a single application warrants it. This question matters most when a small number of users need access to sensitive data that warrants MFA.

Moreover, multi-factor authentication complements passwords; it does not replace them. You still need to enforce a strong password policy: minimum length, character variety, reuse limits and so on (current NIST guidance in SP 800-63B advises against forced periodic password expiry unless compromise is suspected, so treat a fixed password lifetime as optional). Strong authentication must be part of a broad set of security practices.


  2. Authentication technology:

The most common forms of strong authentication rely on a dynamically generated one-time password (OTP), on a certificate, or on context-based checks. OTP generation comes in two flavours, time-based and event-based (counter- or sequence-based); both are built from a shared secret and a hash function.

In the time-based approach, an IETF standard (TOTP, RFC 6238) derives short-lived OTPs from the shared secret and the current time window. In the event-based approach the OTP is derived from the secret and a counter that advances with each use (HOTP, RFC 4226). The older hash-chain variant (S/KEY, RFC 2289) instead hashes a seed repeatedly to produce a sequence of passwords that are consumed in reverse order: the server checks each new password by hashing it once and comparing the result with the previously accepted one, so a captured password cannot be used to compute the next.

Certificate-based authentication uses public key cryptography to generate a key pair; the user proves possession of the private key by signing a challenge from the server. The private key can be stored on a portable device (a smart card or hardware token, which keeps it from being copied) as well as on the user's computer.

Context-based authentication takes information about the user (geographic location, device, network) into account when deciding how much authentication to require. It is mostly used in conjunction with other authentication methods.


  3. Some challenges to avoid:

Imposing a strong authentication policy does not imply 100% security. No matter how robust the policy you choose, vulnerabilities will be introduced as it is deployed and as time passes. Moreover, you need to educate your end users on how to keep themselves secure; awareness remains the ultimate safeguard.



As IoT emerges as the biggest trend, one cannot overlook the security vulnerabilities it brings along. To leverage the benefits of IoT, make sure your IAM policies keep pace.

Prince Kapoor

Prince Kapoor is Marketing Analyst Lead at LoginRadius, a leading CIAM provider. When not working, you can find him in the gym or giving random health advice to his colleagues, which no one agrees on :D. If you too want some of his advice (on health or on marketing), reach him on Twitter.
