As consumers add more and more connected devices to their personal IoT networks, security and privacy are paramount. These networks are only as secure as their weakest link – which is why Isabelle Noblanc, UL, says organizations making connected devices must practice security and privacy by design. Here’s how Noblanc says organizations must rethink identity management and why it’s time to put control in consumers’ hands.
A connected world is a convenient world for both work and play. Too often, however, the price of convenience is privacy. If data within the Internet of Things (IoT) is not secured properly, it puts people’s overall safety in jeopardy — and it’s not just about loss of sensitive personal data.
In fact, according to UL, the even greater threat is that an attacker could take over the functionality of poorly secured devices. Imagine if someone hacked into a connected home and cranked up the heat through the IoT thermostat, took over appliances or, worst of all, gained control of medical devices such as pacemakers and insulin pumps, which could create a life-or-death scenario in the wrong hands.
Isabelle Noblanc, VP and general manager, Identity Management and Security at UL, said the answer to these concerns is to practice security and privacy by design, not as an afterthought. When developing IoT technologies, she said, go-to-market time is much too late to think about security.
“Security isn’t the hot sauce you add on the side,” Noblanc said. “It’s a key ingredient to any system, and it’s something IoT manufacturers need to think about from the very beginning.”
In a recent interview with PYMNTS, Noblanc explained how traditional identity management and authentication models must be rethought and re-engineered, moving control from enterprise contexts into the hands of end users.
The Evolution of IoT
The phrase “Internet of Things” may be a relatively new term, but the concept, said Noblanc, is anything but new. The world has long been transforming into a more connected place. Today’s dramatic transformations are just increasing the trend and adding more complexity to it.
This complexity is the reason traditional identity management must be rethought, Noblanc said. It was once enough for people to use resources within an enterprise context — managed by, for instance, Microsoft Active Directory and similar solutions — but now, she said, it is necessary to bring resources into the end consumer environment, where machines are connected to machines and mutual authentication is needed.
Since there are so many devices by so many brands, Noblanc said communication and authentication protocols must be interoperable — that is, they must be able to handle things produced by multiple vendors. This gives end users self-control and freedom of choice in terms of brand, rather than presenting options that are either convenient or secure and forcing consumers to pick one.
Today’s privacy and security solutions must be both convenient and secure, said Noblanc, and they must be that way by design, from day one.
Pros and Cons of Regionalization
Many organizations take different approaches to security depending on the region, product or business line. A customized approach, Noblanc explained, enables them to meet compliance and regulatory standards, which vary by region.
It also makes it possible to adapt the protection level to match the potential consequences of a security breach. Situations where a breach could have massive repercussions require greater security, driving a need for a stronger customized approach, she said.
However, when everything is connected, the network is only as strong as its weakest link. In the IoT, data that’s generated is held and accessed by third parties, which can open new angles of attack against organizations that fail to take a holistic approach.
Therefore, even if individual elements are secure, the system, as a whole, may not be. Noblanc said organizations must now apply an end-to-end approach and move toward looking at things globally rather than individually, considering systems rather than products.
Digital Identities Must Be Trustworthy
Whether in business or in personal life, people are growing more dependent on tech, to the point where it becomes a handicap if the devices in their lives can’t trust them or each other. For instance, if a smart car can’t definitively authenticate a driver, then that person will not be able to get in or drive it.
People today have digital versions of themselves and are entrusting more valuable interactions to those digital selves, particularly in the payments space — where, Noblanc noted, banks are taking more risks than they once did due to the trust they have in those digital identities.
Strong security and identity management are about creating trust, she said, and that must be done from the ground up. Only when the core of trust is in place should an organization consider innovation and expansion from that core to introduce higher-value services.
In other words, digital identities are the foundation or base for the IoT, and the foundation or base for digital identities is trust. Therefore, said Noblanc, the whole system suffers and falls apart if digital identities are not managed securely. She reiterated that this must be at the forefront of developers’ minds.
“The minute a digital product starts interacting with others,” Noblanc said, “digital credentials become paramount.”