Security is a constant concern in every facet of technology and this is especially true for the IoT. Rarely does a week (or even a day) go by that some sort of security breach isn’t front page news. Any company, at any time, can be in the victim of a breach. These days it’s not “if” it happens, but more like “when”. The IoT is opening up a whole new universe of possibilities, but is also opening up a ton of questions and speculation about security. As product companies begin their journey as connected product companies, it’s incredibly important for security to be a critical component to the overall plan. An important part of this is identity management.
All connected products have an end user and in many cases – more than one. Take the owner of the home that is running a Lutron lighting system, for example. There is the obvious issue of helping to manage the various identities that will want to access to the device. After all it’s likely that more than one person will want to be able to turn the lights on and off. Every member of the family needs access, maybe even a housekeeper, babysitter or dog walker. If the family moves, the new owners will need to be granted access and access will need to be shut off for the old owners.
Adding to that intricate ecosystem are the less obvious ID management issues like the need for a company to keep track of users’. Part of the power of the IoT is knowing who customers are and how they are using the product. Yet, storing that user information comes with a great obligation to keep it safe and away from prying eyes – Ashley Madison anyone?
Starting to sound more complex right? Now add the phenomenon of BYOI or bring your own identity to the mix. Part of the culture we are seeing with a lot of end users is the desire to use already existing online identities (see: Facebook, Google, Twitter, etc.) with their connected products. With this request, companies are now left managing identities they don’t even own.
No matter what the identity challenges or how complex the system, a good Identity Management posture is all about security and flexibility. Security for obvious reasons and flexibility because every use case is different and even within one use case there can be multiple different types of users each with different requirements. It can certainly feel mind boggling to try to balance strong security with a flexible, delightful customer experience, but it can be done. More and more solutions are being introduced to the market that are purpose-built for the IoT and are designed with these challenges in mind. When thinking about identity management for the IoT there are a two key areas to look for:
- Completeness: An identity management solution, like provided within Xively, should not only act as a secure store of all user information, but also provide all the functionality users will need. For example, user signup, email confirmation, Google reCaptcha support, password reset, Multi-Factor Authentication, profile management, and custom info fields to name a few.
- Flexibility for BYOI: For customers that want to BYOI, native OpenID Connect RP support lets users connect to any existing Open ID Connect provider as their identity.
Security and especially ID management is one of the most critical aspects to consider when building an IoT-connected device. It should to be baked into the product at the outset and have a perfect combination of robust security and ease of use. Definitely a tall order, but thanks to innovations in this space – very possible.