Topic:

Identity Access Management

&
Security management in Iot

Group Members:

Akash Rasheed Anjum (19-CS-07)

Muhammad Hassan Sardar (19-CS-14)
Muhammad Ali (19-CS-23)
What is identity and access management (IAM)? 
Identity and access management provides control over user
validation and resource access. Commonly known as IAM,
this technology ensures that the right people access the
right digital resources at the right time and for the right
reasons.
IAM in IOT:
Identity Access Management (IAM) in the context of
Internet of Things (IoT) refers to the process of
managing and securing access to IoT devices,
applications, and data based on the identity of users
or entities involved in the IoT ecosystem. It involves
controlling and monitoring the permissions and
privileges granted to individuals or entities for
interacting with IoT devices and data, to ensure that
only authorized users or entities are able to access,
control, or manipulate IoT resources.
IAM in IoT typically includes the
following key components:
 Authentication
 Authorization
 Access control
 Identity lifecycle management
 Auditing and monitoring
 Security and privacy
 Integration and interoperability
Authentication:
This involves verifying the identity of users or entities attempting to
access IoT devices or data. It may involve various methods such as
passwords, biometrics, digital certificates, or multifactor authentication
(MFA) to ensure that only legitimate users or entities are granted access.
Authorization:
Once the user or entity is authenticated, authorization determines the
permissions and privileges granted to them based on their roles,
responsibilities, and access policies. It involves defining and managing
access controls, such as read, write, execute, or delete permissions, to
ensure that users or entities are only able to perform actions that they are
authorized to do.
Access control:
IAM in IoT includes managing access controls at various levels,
such as device-level, application-level, and data-level. It may
involve using techniques such as role-based access control
(RBAC), attribute-based access control (ABAC), or dynamic
access control to dynamically enforce access policies based on
changing conditions or context.
Identity lifecycle management:
IoT Device Identity Lifecycle Management is how internet-
connected devices are controlled and managed by receiving a
unique digital identity. When an IoT device is first manufactured
and issued it receives a unique ID bound to a PKI certificate to
keep it secure..
Auditing and monitoring:
IAM in IoT involves monitoring and auditing access events,
permissions, and activities related to IoT devices and data. This helps
in detecting and mitigating security breaches, identifying potential
risks, and ensuring compliance with security policies and regulations.
Security and privacy:
IAM in IoT also includes implementing robust security measures, such
as encryption, secure communication protocols, and privacy controls,
to protect IoT devices, data, and communications from unauthorized
access, tampering, or data breaches.
Integration and interoperability:
IAM in IoT may involve integrating with existing IAM
systems, directory services, or identity providers to ensure
seamless interoperability and consistency in managing
identities and access across the entire organization's IT
infrastructure, including IoT devices.
The importance of identity and access
management (IAM)
Protecting against unauthorized access:
IAM helps prevent unauthorized access to IoT devices and
resources, which can include sensitive data, critical
infrastructure, and control systems. By implementing
strong authentication mechanisms, access controls, and
authorization policies, IAM ensures that only authorized
users and devices can access and interact with IoT devices
and resources, reducing the risk of unauthorized access
and potential security breaches.
Ensuring data privacy and confidentiality:
IoT deployments often involve the collection and transmission of
sensitive data, such as personal information, location data, and
sensor readings. IAM plays a critical role in ensuring that access to
this data is controlled and limited to authorized users and devices,
protecting data privacy and confidentiality.
Managing identities and access at scale:
IoT deployments can involve a large number of interconnected
devices and users, making identity and access management complex
and challenging. This ensures that identities and access are managed
effectively at scale, reducing the risk of unauthorized access and
ensuring proper access control.
Enabling secure device provisioning and
management:
IAM facilitates secure device provisioning, authentication, and
lifecycle management in IoT deployments. This includes
mechanisms such as device onboarding, secure bootstrapping,
and credential management, which help ensure that IoT
devices are securely provisioned, authenticated, and managed
throughout their lifecycle.
Some of the key challenges of IAM
Limited computing resources:
Many IoT devices have limited computing resources, such as
processing power, memory, and storage. Implementing robust IAM
mechanisms on such devices can be challenging due to resource
constraints, making it difficult to implement strong authentication and
access control mechanisms.
Device lifecycle management:
IoT devices can have complex lifecycle management requirements,
including device provisioning, authentication, and decommissioning.
Managing device identities and access privileges throughout their
lifecycle can be challenging, particularly in large-scale IoT deployments
with frequent device onboarding and offboarding.
Security and privacy concerns:
IoT deployments often involve sensitive data and critical
infrastructure, raising concerns about data privacy, security, and
integrity. Ensuring that IAM mechanisms protect against
unauthorized access, data breaches, and tampering requires
robust security practices, encryption, and access controls.
User management and consent:
IoT deployments may involve interactions with end-users, who
may need to authenticate, authorize, and manage their own
access to devices and data. Managing user identities, consent,
and access preferences in IoT deployments can be challenging,
particularly when users may interact with multiple devices and
applications.
Lack of standardization: IAM standards and protocols in
IoT are still evolving, and there is a lack of standardization
across different IoT platforms, devices, and applications. This
can make it challenging to establish consistent IAM practices
and interoperability across different IoT deployments.
Human error and insider threats: Human error, such as
weak passwords, misconfigurations, and insider threats, can pose
significant risks to IAM in IoT deployments. Ensuring proper
training, monitoring, and governance of IAM practices is
essential to mitigate these risks.
Security management
Security management in IoT (Internet of Things)
refers to the strategies, practices, and measures
implemented to protect IoT devices, applications,
and data from security threats, vulnerabilities, and
attacks.
 key considerations for effective
security management in IoT
awareness and training
Device security
Network security
Application security
Data security
User and access management
Patch management
Security awareness and training
• Device security
Ensuring that IoT devices are secure is crucial as they are the
entry points for potential attacks. This involves implementing
strong authentication mechanisms, secure booting, regular
firmware updates, and disabling unnecessary services or ports.
• Network security
Securing the network connectivity of IoT devices is essential to
prevent unauthorized access, eavesdropping, and other
network-based attacks. This can be achieved through
techniques such as network segmentation, virtual private
networks (VPNs), firewalls, intrusion detection and prevention
systems (IDPS), and network access control (NAC)
mechanisms to control and monitor network traffic.
Application security
Ensuring the security of IoT applications, including the
software running on IoT devices and the applications
interacting with them, is critical. This involves
following secure coding practices, conducting regular
vulnerability assessments and penetration testing, and
implementing appropriate authentication and
authorization mechanisms to protect against
application-level attacks such as remote code
execution, SQL injection, and cross-site scripting
(XSS).
Data security:
Protecting IoT data is essential as it can include sensitive
information such as personal data, business data, and operational
data. Data security measures may include encrypting data at rest
and in transit, implementing data access controls, data
anonymization, and data integrity verification mechanisms to
prevent unauthorized access, tampering, or data breaches.
User and access management:
Implementing robust user and access management
practices in IoT is crucial to ensure that only
authorized users or entities have access to IoT
resources. This involves implementing strong
authentication mechanisms, such as multi-factor
authentication (MFA), managing user roles and
permissions, and conducting regular user access
reviews to ensure that only necessary and
authorized access is granted.
Patch management:
Regularly applying security patches and updates
to IoT devices, applications, and systems is
crucial to address known vulnerabilities and
reduce the risk of security breaches.
Organizations should establish robust patch
management processes that include testing,
validation, and timely deployment of security
patches and updates across their IoT ecosystem.
• Vendor and supply chain security
Assessing and managing the security of third-party vendors,
suppliers, and partners involved in the IoT ecosystem is important to
ensure that they adhere to appropriate security practices. This may
involve conducting security assessments, due diligence, and
implementing contractual agreements to ensure that vendors and
suppliers meet the required security standards.
• Security awareness and training:
Educating and training employees, users, and stakeholders about IoT
security risks, best practices, and policies
Thank
You