The Identity of Things - Toznytozny.com/wp-content/uploads/2016/07/gis-identity-of... · 2019. 6....


Page 1: The Identity of Things - Toznytozny.com/wp-content/uploads/2016/07/gis-identity-of... · 2019. 6. 13. · The Identity of Things Limitations, Markets, and Future Vision Isaac Potoczny-Jones

The Identity of Things

Limitations, Markets, and Future Vision

Isaac Potoczny-Jones - CEO of Tozny - [email protected]

Paul Madsen – Ping Identity – [email protected]


Agenda

•  Call to Action: Help define the Identity of Things

•  Level Setting: Current Markets, Limitations, and Vulnerabilities

•  Future Visions: Strategy, Bootstrapping, and Sustainment


What we need from you

Participate, challenge, and question.

Help define the future of the Identity of Things.

Note: I’m including questions in each slide to seed the workshop discussion.


What is IoT? Here is a rough consensus

Lots of devices, many are low-power, they sense and control things

•  Consumer: Smart Home, Wearables, Transportation

•  Industrial: Control Systems (SCADA), Heating & Cooling (HVAC)

•  Health: Fitness Bands, Medical Devices

Questions: What areas are we missing? How closely do market segments align with risk?


The value of IoT is certain

•  Transportation improvements like self-driving cars will save lives

•  Fitness and health care wearables can drastically improve outcomes

•  Intelligent automation from thermostats to smart grid saves money

Question: What are the best examples of the value of IoT?


IoT Limitations

And Vulnerabilities


Why is IoT Different?

•  Low Power: Devices are cheap & batteries need to last for a long time
    •  Impacts strength of crypto and network connectivity

•  Large Scale: Lots of devices, distributed by various manufacturers
    •  Makes key distribution complex, other problems?

•  Lack of User Interfaces: Some devices have no screens or buttons
    •  How to use knowledge-based factors like passwords?

•  Security Updates: Disconnected systems or stuff that can’t go offline
    •  Patches don’t get applied, leaving systems vulnerable

Question: How else is IoT different? How does it impact Identity?


Example: Cryptographic Authentication

•  Many IoT devices use hard-coded AES keys

•  AES is a symmetric cipher that’s suitable for low power

•  Public / Private crypto (PKI) would make key distribution easier

•  But the low-power nature of these devices makes using PKI hard


“IoT Risk” is hard to define

•  Low Risk: Some devices have low to moderate risk
    •  Smart home, Fitness bands, Entertainment

•  High Risk: Other devices have life & death consequences
    •  Medical, SCADA, HVAC, Vehicles

•  Challenge: How to understand risk in multi-device systems?
    •  A motion sensor in your house turns on the coffee pot in the morning
    •  The same motion sensor in your neighbor’s house calls the police

•  Blurred Lines: Composing different types of IoT in one system
    •  Your car entertainment system might not be properly segregated from brakes

Question: How do we handle “IoT Risk” when devices get composed into a greater whole?


Lack of Standards and Best Practices

•  Many IoT devices have almost no communication security
    •  Everything happens unauthenticated, in the clear

•  Others use standards with relatively weak crypto
    •  Zigbee and ZWave have not had the scrutiny of Wi-Fi and Bluetooth

•  Key distribution is far from solved
    •  I’ve seen AES keys printed in user manuals – security through obscurity
    •  Some vulnerable devices re-key on command - defeating auth altogether

Question: What standards and best practices would most help IoT?
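
Added example, not part of the original slides: a challenge-response check that contrasts one hard-coded key shared by every device with per-device keys derived from a master secret, a symmetric-only option that goes beyond what the slides list. HMAC-SHA256 from the Python standard library stands in for an AES-based MAC, and the device names, key values and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; nothing here comes from a real product.
FLEET_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # same key in every unit
MASTER_KEY = secrets.token_bytes(32)  # stays on the provisioning/verifier side only


def device_key(device_id: str) -> bytes:
    """Per-device key: HMAC(master, device_id), truncated to 128 bits."""
    return hmac.new(MASTER_KEY, device_id.encode(), hashlib.sha256).digest()[:16]


def respond(key: bytes, device_id: str, nonce: bytes) -> bytes:
    """Device side: MAC over its identity and the verifier's fresh nonce."""
    return hmac.new(key, device_id.encode() + b"|" + nonce, hashlib.sha256).digest()


def verify(expected_key: bytes, device_id: str, nonce: bytes, tag: bytes) -> bool:
    """Verifier side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(respond(expected_key, device_id, nonce), tag)


def key_from_one_unit_authenticates_another(per_device: bool) -> bool:
    """Does key material read out of 'sensor-A' pass verification as 'sensor-B'?"""
    leaked = device_key("sensor-A") if per_device else FLEET_KEY
    expected = device_key("sensor-B") if per_device else FLEET_KEY
    nonce = secrets.token_bytes(16)
    return verify(expected, "sensor-B", nonce, respond(leaked, "sensor-B", nonce))


def replay_accepted() -> bool:
    """A response recorded for one nonce is checked against a new nonce."""
    key = device_key("sensor-A")
    old_nonce, new_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    recorded = respond(key, "sensor-A", old_nonce)
    return verify(key, "sensor-A", new_nonce, recorded)


if __name__ == "__main__":
    print("shared key, cross-device accepted:", key_from_one_unit_authenticates_another(False))
    print("derived keys, cross-device accepted:", key_from_one_unit_authenticates_another(True))
    print("replayed response accepted:", replay_accepted())
```

With the shared key, material from any one unit is valid for the whole fleet; with derived keys the exposure stays with the single device, at the cost of protecting the master secret on the verifier side.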


Future Vision

And Planning


Future Vision: The IoT Should Be:

•  Authenticated and Secure: It should be a part of the internet…
    •  While maintaining appropriate segregation

•  Interoperable and Compositional: Protocols to work together
    •  Applies to auth, crypto, and wireless

•  Privacy-Preserving: Take users into account
    •  Including the wide variety of users that a single device might “see”

•  Risk-Based: How to balance the limitations of IoT with the risk
    •  Power, networking, crypto, and UI

Question: What’s important to you about the future of Identity of Things?


Strategy Overview

•  Defining the Strategy: Where are we trying to go?

•  Bootstrapping: How can we get started?

•  Sustainment: How do we keep forward progress?

You have a unique opportunity to be part of this process!


Defining the Strategy

•  What existing technologies most closely align with unique IoT needs?

•  What are the unique IoT constraints that will impact technologies?

•  Who are the key stakeholders in industry and government?

Question: What are the most important aspects of the strategy to you and your org?


Bootstrapping

•  Surface best practices for enrollment and authentication
    •  Device-to-device, device-to-net, user-to-device

•  Develop protocols and standards
    •  How to make them widely deployed to improve interoperability?

•  Identify and fill gaps in cybersecurity and risk management standards
    •  Do existing standards effectively apply to IoT?

•  Experiment with innovative products
    •  Demonstrate best practices and unique opportunities

Question: How can we bring industry and government groups together with projects that will remove barriers and spur innovation?


Sustainment

•  Develop reusable and open infrastructure for auth and security

•  Incentivize hardware and software developers to build on that

•  Upgrade, augment or layer security on top of legacy infrastructure

Question: How can we leverage the growth of the IoT market to sustain robust shared infrastructure?


Workshop Structure – 4PM

Please come and help define the vision!


Workshop Groups: 4PM – Room 18-19

•  Group 1: Current State
    •  IoT Challenges, Auth, Security, and Privacy

•  Group 2: Future Vision
    •  IoT Requirements: A Joint Future Vision
    •  IoT Opportunities and Technologies

Pre-Conference Paper: https://t.co/2YesLIxjlu


Workshop Outcomes

•  Post-conference papers to document what we learn
    •  Starting with these talks and discussions
    •  Plus the pre-conference papers

•  Volunteers to help provide input, write, and review

•  Remember: Chatham House Rule
    •  Participants are free to use information received, but neither the identity nor the affiliation of speakers, nor that of any other participant, may be revealed.


Last Question:

What Questions Did We Miss?


The Identity of Things

Thank You!

Isaac Potoczny-Jones - CEO of Tozny - [email protected]

Paul Madsen – Ping Identity – [email protected]