Identity management is coming to the Internet of Things
The security of IoT devices matters.
If we’re to actually live in a world where we reap the full potential from Internet-connected devices, those devices will need to be reasonably secured. Device makers will need to take the secure design and development of their gear seriously. Device owners, meanwhile, will have to take the effective management of their IoT devices just as seriously. They’ll need to be able to patch and update these devices, change passwords or authentication methods, and effectively vet these devices to make sure they are trusted and can be given access to the network.
However, today’s IoT devices are typically shipped with minimal security design and management capabilities in mind. Considering this, two security industry organizations recently announced efforts they hope will bring more security to the space, most notably by bringing identity management to IoT.
For starters, the Trusted Computing Group recently announced an initiative to create what it is calling the “world’s tiniest” Trusted Platform Module (TPM). TPM is a standard for building secure crypto-processors that can secure hardware, making it “trustable” via a cryptographic key implementation.
While it’s relatively easy to include crypto-processors on larger hardware devices, the small IoT device form factor can make it impractical to install full-sized, power-hungry TPM chips. To develop TPMs specifically for IoT devices, the Trusted Computing Group founded the Measurement and Attestation RootS (MARS) subgroup to develop specifications that will guide manufacturers on how to build chips that demand very little overhead.
“In a nutshell, we want to specify what the tiniest TPM needs to be so it can be integrated directly within the host chip,” said Tom Brostrom, Chair of the MARS Subgroup. “This will ensure that devices that aren’t big enough to integrate a separate TPM will still be able to retain the required RTS/RTR capabilities. In turn, this will allow the greater reach of trusted computing technologies over a wider set of devices and use cases,” he said.
The first prototype for such a TPM (codenamed: Radicle) was exhibited during TCG’s members’ meeting held in Warsaw, Poland.
“As we put greater trust in things like autonomous cars, smart homes, and healthcare sensors, and connect them to the Internet, we need to take steps to make sure connected devices are ubiquitously secure to protect them from data breaches and hackers,” said Joerg Borchert, president at Trusted Computing Group.
In related news, the FIDO Alliance, a trade group dedicated to improving authentication and reducing reliance on passwords, announced two new standards and certification initiatives regarding IoT device verification. The new efforts will strengthen identity verification assurance to support better account recovery, and automate secure device onboarding, the group says.
The efforts will be spearheaded by two working groups: the Identity Verification and Binding Working Group (IDWG) and the IoT Technical Working Group (IoT TWG).
*** This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs authored by Cybersecurity Matters. Read the original post at: https://blogs.dxc.technology/2019/08/08/identity-management-is-coming-to-the-internet-of-things/