IoT is H-O-T! But it is still in its nascency. The "things" in IoT vary by domain, environment, and context, and we are only in our earliest days of understanding where they can be applied to reduce risk in identity management. In this blog, I will try to pull together the elements industry needs in order to use IoT across channels and domains. First, you will see that the greatest challenges lie in provisioning devices to individuals. Next, you will get my simplified view of the lifecycle of IoT devices and how it impacts provisioning. Finally, I'll describe the art of disambiguation, without giving away too many secrets, as the crux of using IoT in the world of identity management. Bottom line: we have an opportunity to look at IoT not as a confusing array of gadgets, but as a better model to serve our users, one that also increases the integrity of the transaction without as much customer friction.
Following up on my last blog, "Cybersecurity: Machines Don't Do Bad Things, People Do", where I discussed the use of IoT to help connect activities back to individuals, this blog entry will dive deeper into IoT and its role in identity management in our ever-evolving risk landscape. For clarity, we are addressing the larger "identity management" and not solely the technical art of enrolling, authenticating, and authorizing access to data. I think the first hard step in deploying IoT is provisioning. In provisioning, we associate the IoT sensor or device with a person or a machine. Looking at it from the people point of view, there are three underlying challenges:
- Specificity: Does the IoT device represent/measure a "single" individual - like an access badge or a cell phone - or does it represent/measure a group of individuals - like your cable TV box, your refrigerator, or a shared blood pressure cuff at a nurses' station?
- Temporality: Is the IoT device a shared device that keeps changing the individual it represents? Think of a portable thermometer or EKG in a hospital, where each reading has to be associated with a specific (and correct) patient; that is an example of high temporality. Alternatively, is it low-temporality, like the status of an Apple Watch that I may give/sell to someone else at some point?
- Bonding: How strongly is the IoT device bonded to the individual or group of individuals it represents? Accounts with email addresses and passwords and no other identity attributes have weak bonding, and that bonding is only to the account, not the individual. An example of strong bonding, by contrast, occurs when a pacemaker is put in your chest.
The measures of specificity, temporality, and bonding (STB) are adjusted to the risk of the application for which the device is intended. When IoT is used as part of the larger identity management, we combine different STB measures for the new data - some may be appropriate for your objective, while others are not (use "Connect" if you would like us to help). While we have outlined baseline terminology and measures related to provisioning, we still need to look at the IoT provisioning process as a lifecycle. For example, when do we provision the identity (or identities) and associate the IoT device readings with an individual, how do we change them, and does this impact STB? My simplified view of that lifecycle:
- Build: The device has an ID it was given by the factory, usually the serial number, and then there are a series of other enumerators appended to the device that are also representative of it - the MAC address, the IMEI, PKI key(s), even an international standards unique registration.
- Distribute: The device is moved through resellers to its destination. During that time, it may very well be OEM'd into another larger, more complex system.
- Use: Then it is integrated into the use cycle. The family installs the "intelligent" refrigerator, the Amazon Echo, the Google Home, the Apple TV. The bank sends a card, adds an app to your phone, puts a secure certificate on your browser. The hospital deploys the thermometer to the nurses' station where it is used on lots of patients on the floor, the CAT scanner to the basement, the mobile imaging set, and the intravenous infusion controller to a room.
- Attach: The enumerator and management system for the individual device (and therefore its signal) are attached to an individual. For example, Admissions gives the patient a wrist band (the serial number of the wrist band is attached to the patient's record enumerator). Then the nurse scans the wrist band and attaches (with high temporality) the reading of the thermometer.
- Maintain: Sometimes the devices need cleaning, updating, service, or even an upgrade to close a vulnerability in their OS.
- Dispose: Finally, the device is done, and it can be disposed of as out of service, transferred to a different individual, or returned to stock for re-use.
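To make the lifecycle concrete, here is an added illustration (my own example code, not anything from the original post) of the stages above as a small state machine around the hospital thermometer. The device carries its factory enumerators, may only emit a reading while attached to a wrist-band record, and loses that binding as soon as it leaves the Attach stage for Maintain or Dispose, so a stale patient can never be credited with a later reading. The stage names, transition table, serial numbers and wrist-band IDs are assumptions constructed for the example.

```python
"""IoT device lifecycle as a state machine with subject attachment (illustrative)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Stage(Enum):
    BUILD = "build"
    DISTRIBUTE = "distribute"
    USE = "use"
    ATTACH = "attach"
    MAINTAIN = "maintain"
    DISPOSE = "dispose"


# Allowed transitions between stages (assumed for this example).
# DISPOSE -> DISTRIBUTE models "returned to stock for re-use".
# ATTACH -> ATTACH models re-scanning a wrist band for the next patient.
TRANSITIONS = {
    Stage.BUILD: {Stage.DISTRIBUTE},
    Stage.DISTRIBUTE: {Stage.USE},
    Stage.USE: {Stage.ATTACH, Stage.MAINTAIN, Stage.DISPOSE},
    Stage.ATTACH: {Stage.ATTACH, Stage.USE, Stage.MAINTAIN, Stage.DISPOSE},
    Stage.MAINTAIN: {Stage.USE, Stage.DISPOSE},
    Stage.DISPOSE: {Stage.DISTRIBUTE},
}


class LifecycleError(Exception):
    """Raised for a disallowed transition or a reading without an attached subject."""


def can_transition(device: "Device", new_stage: Stage) -> bool:
    return new_stage in TRANSITIONS[device.stage]


@dataclass
class Device:
    serial: str                                   # factory ID (Build stage)
    enumerators: dict = field(default_factory=dict)  # MAC, IMEI, cert fingerprint, ...
    stage: Stage = Stage.BUILD
    subject: Optional[str] = None                 # record the signal is attributed to
    history: list = field(default_factory=list)   # audit trail of stage changes

    def transition(self, new_stage: Stage) -> None:
        if not can_transition(self, new_stage):
            raise LifecycleError(f"{self.serial}: {self.stage.value} -> {new_stage.value} not allowed")
        # Any move that is not into ATTACH drops the binding; attach() sets a fresh one.
        if new_stage is not Stage.ATTACH:
            self.subject = None
        self.history.append((self.stage, new_stage))
        self.stage = new_stage

    def attach(self, subject_id: str) -> None:
        """Bind the device to a subject record (e.g. a wrist band). For a shared,
        high-temporality device this is done before every reading."""
        self.transition(Stage.ATTACH)
        self.subject = subject_id

    def record(self, value: float) -> dict:
        """Emit a reading only while a subject is attached."""
        if self.stage is not Stage.ATTACH or self.subject is None:
            raise LifecycleError(f"{self.serial}: reading taken without an attached subject")
        return {"device": self.serial, "subject": self.subject, "value": value}


def hospital_thermometer_demo() -> list:
    """Walk one constructed thermometer through Build -> Use -> Attach -> Maintain."""
    thermo = Device("THERM-0001", {"mac": "00:11:22:33:44:55"})   # constructed IDs
    thermo.transition(Stage.DISTRIBUTE)
    thermo.transition(Stage.USE)
    readings = []
    thermo.attach("WRISTBAND-A17")          # nurse scans first patient's band
    readings.append(thermo.record(37.2))
    thermo.attach("WRISTBAND-B03")          # next patient: re-attach before reading
    readings.append(thermo.record(38.9))
    thermo.transition(Stage.MAINTAIN)       # sent for cleaning: binding is cleared
    try:
        thermo.record(36.5)                 # must fail: no attached subject
    except LifecycleError:
        readings.append(None)
    return readings


if __name__ == "__main__":
    for r in hospital_thermometer_demo():
        print(r)
```

The point of the `transition` guard is that temporality is enforced by the lifecycle rather than by the nurse's memory: a reading can only ever be attributed to the subject attached immediately before it.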
At a high level, every one of those steps occurs in the IoT lifecycle - whether short or long. Lastly, we have to understand "disambiguation". In this context, it is the art of removing, or at least reducing, the risk that you are 1) measuring the wrong individual or 2) measuring multiple individuals with the signal (knowingly or unknowingly). In some industries, like online marketing, we are just trying to classify the individual (or, most likely, the household). The nice part about this...if there is a solid provisioning process and good control over the lifecycle, disambiguation is much easier.
- Exclusion Disambiguation: Identifying a single individual behind an IoT device known to represent multiple individuals by excluding all other potential candidates. Think of a cable box. This is an example of strong "bonding": we know in which house the cable box rests. Because of weak "specificity", we can't tell who is watching TV and changing the channels. We do know all of the family members because they created emails and profiles. Exclusion occurs by ruling out those individuals who are not at home watching TV because they have other IoT devices that increase the likelihood that they are elsewhere.
- Falsification Disambiguation: Identifying the likelihood that the single person associated with an IoT device is truly the one using it at the time of the transaction. Simple examples of this are voice print verification, fingerprint on a phone, stride pattern detection, or even a phone call challenge. More complex solutions include using the Exclusion Disambiguation method described previously to show that the real individual could not possibly be the one represented by the device at that moment.
Little of what I have written about is new; this is simply a proposed taxonomy to integrate IoT within the identity management process, particularly for risk reduction. As an example, Falsification Disambiguation is currently used by the large banks...but they don't call it that. The bank constantly reviews and categorizes your historical card transactions (e.g. those of an elderly individual with low mobility). When they compare that history to a new transaction - buying a surfboard in a completely different town - the bank's fraud systems seek validation that you are in possession of the credit card and that you authorized the change; this is customer friction. Every item in this taxonomy has an analog in current practice; however, current practices need a new framework in which they can be analyzed faster and more accurately to support the broader base of transactions, blockchain currencies, globalization, etc., given the overwhelming amount of data available. As the transaction base increases, and we continue to seek less customer friction in the transactional markets, we will use these IoT-based principles to increase the trust that the individual who is intended to be conducting the transaction is actually the one doing it.
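The two disambiguation methods above, and the bank's version of falsification, can be shown in working code. The following is an added example of my own, not code from the original post or from any bank or vendor: a household of four shares a cable box (strong bonding to the house, weak specificity), each member owns a high-specificity personal device, and a card transaction is scored against the claimed holder's history plus the exclusion check. The household, device signals, locations, timestamps, the two-hour window, the score weights and the challenge threshold are all constructed assumptions for the example; a real fraud system would tune them from data.

```python
"""Exclusion and falsification disambiguation over constructed device signals."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Signal:
    subject: str      # individual the personal (high-specificity) device is bonded to
    device: str
    location: str
    at: datetime


# Constructed sample data: one household, one shared cable box at HOME, and the
# most recent signal from each member's personal device.
HOUSEHOLD = {"alice", "bob", "carol", "dave"}
HOME = "home-123-main-st"
PERSONAL_SIGNALS = [
    Signal("alice", "phone-alice", "office-downtown", datetime(2024, 5, 1, 19, 58)),
    Signal("bob", "watch-bob", HOME, datetime(2024, 5, 1, 19, 55)),
    Signal("carol", "phone-carol", "gym-eastside", datetime(2024, 5, 1, 19, 30)),
    Signal("dave", "phone-dave", HOME, datetime(2024, 5, 1, 14, 0)),   # six hours stale
]
# Constructed card history for alice: 8 office purchases, 2 at the grocery store.
ALICE_HISTORY = ["office-downtown"] * 8 + ["grocery-main"] * 2


def exclusion_disambiguation(event_location, at, candidates, signals,
                             window=timedelta(hours=2)):
    """Rule out every candidate whose own personal device places them somewhere other
    than event_location within `window` of the shared-device event. A stale signal
    outside the window is not evidence either way, so it excludes nobody."""
    remaining = set(candidates)
    for s in signals:
        if s.subject in remaining and abs(at - s.at) <= window and s.location != event_location:
            remaining.discard(s.subject)
    return remaining


def falsification_score(claimed, tx_location, at, history, signals,
                        window=timedelta(hours=2)):
    """Plausibility in [0, 1] that `claimed` is really behind a transaction.
    Evidence 1: how familiar the location is in the person's history.
    Evidence 2: the exclusion method applied to one person: does their own device
    contradict their presence? Weights (0.2 floor, 0.25 penalty) are assumed."""
    familiar = history.count(tx_location) / len(history) if history else 0.0
    score = 0.2 + 0.8 * familiar
    contradicted = claimed not in exclusion_disambiguation(tx_location, at, {claimed},
                                                           signals, window)
    if contradicted:
        score *= 0.25
    return round(score, 3)


def decide(score, threshold=0.3):
    """Low plausibility triggers a step-up challenge (the bank's customer friction)."""
    return "allow" if score >= threshold else "challenge"


def demo():
    at = datetime(2024, 5, 1, 20, 0)
    # Who could be changing channels on the cable box at 20:00?
    watching = exclusion_disambiguation(HOME, at, HOUSEHOLD, PERSONAL_SIGNALS)
    # Three card transactions claimed by alice at the same moment.
    results = {}
    for label, where in [("office", "office-downtown"),
                         ("surf-shop", "surf-shop-beachtown"),
                         ("grocery", "grocery-main")]:
        s = falsification_score("alice", where, at, ALICE_HISTORY, PERSONAL_SIGNALS)
        results[label] = (s, decide(s))
    return watching, results


if __name__ == "__main__":
    who, scored = demo()
    print("candidates still at the cable box:", sorted(who))
    for label, (score, verdict) in scored.items():
        print(f"{label:10s} score={score:.2f} -> {verdict}")
```

Note what the exclusion step does and does not do: alice and carol are ruled out because their phones place them elsewhere inside the window, while dave's six-hour-old signal neither confirms nor excludes him, so he stays a candidate. For the falsification case, the surfboard purchase is both unfamiliar and contradicted by alice's phone at the office, which is exactly the situation where a bank asks the cardholder to confirm.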
As always, please use the "Connect" section of our home page if we can provide you support in your IoT objectives.