Share risk by extending identity to IoT devices – but letting people control their data: ForgeRock

Tools providing citizens with control over their personal data will help increasingly security-conscious companies better manage exposure to the growing identity challenge posed by a flood of devices and the Internet of Things (IoT), one industry expert has predicted as the latest international Data Privacy Day rekindles awareness of personal privacy online.

Control over personal data has become increasingly challenging for online users and solutions for sharing data – and controlling access to data sources – have been limited in scope in the past, as with the way that Google manages access to a shared Google Docs document. But with online sharing only increasing, security vendor ForgeRock is hoping that broader support for the User-Managed Access (UMA) standard will improve cross-service control over data.

Broader use of UMA – implemented within ForgeRock's newly-minted ForgeRock Identity Platform (FIP) – will allow organisations and online services to verify user credentials regardless of the service in use, or the service where they are managed.

“A lot of companies are telling us they have consumer data that they're storing, but that they really don't want to have ownership of that data,” vice president of product management John Barco told CSO Australia.

“Things like medical records or even Spotify playlists should be something that consumers own, and they should be able to manage it – but companies are responsible for the security of that data. UMA allows users to manage their own data and select whom they want to share it with, how to control it, how to authorise it, and how to manage the revocation of access to that data.”

ForgeRock last year wrapped its efforts to promote UMA into the Kantara Initiative, an open working group promoting implementation and broader use of compatible APIs.

Yet UMA is only one of the ways ForgeRock is working to expand the notion of identity. Conventional models use user ID and password combinations to confirm identity at the door of the network but rarely if ever challenge users again: “once you're in they lost track of you and don't really care what you do”, Barco said.

To address this weakness, ForgeRock designed FIP with identity-management capabilities that not only extend the notion of identity to IoT components and nearly anything else, but also enforce it through 'continuous security' that revalidates user and device identity at regular intervals.

This approach is particularly important as IoT drives a higher degree of interconnection that will expose corporate networks to a broader range of inputs and, potentially, vulnerabilities.

“We are creating a management problem by having so many IoT devices that require identity,” Barco explained. “Any time you have a number of diverse applications and devices, it does get complex – and the same things that happened in managing growing numbers of users is happening with devices and IoT. But now, instead of talking about tens of thousands of users, we're talking about tens of millions of devices.”

ForgeRock isn't alone in trying to rein in the explosive growth of the IoT, which is challenging conventional security approaches and raising new implications for the privacy of user data. Chipmaker ARM recently acquired an IoT security specialist, for example, while Verizon Enterprise Solutions last year scaled its digital-certificate tools to cope with IoT volumes.

US legislators have introduced legislation for managing IoT security, while security-industry group ISACA released a guide to evaluating IoT security risk after a survey found 43 percent of organisations would be using IoT or deploying it within 12 months. And Gartner, warning of the need to secure the Identity of Things (IDoT), has already highlighted the importance of better identity management.

