Facing the new Big Bang: The IoT’s identity onslaught

In the future, nearly everything will have an identity. Seemingly ordinary objects will tell us when they’re lost, dry, wet, hot, thirsty, empty or broken. We’ll configure them, turn them on and off, and even engage in light conversation. People will talk to things, and things will talk to one another on our behalf.

As the intricacy of this web of things becomes increasingly complex, our concerns over their security, control and ownership will grow, as will the issue of identity.

The reality is that we have a lot of identity already. On the internet, we can identify routers, computers, cell phones, tablets, printers and, of course, you. But we can’t do it in a consistent manner. In some cases, it’s not the lack of identity that’s the issue, it’s the overabundance of identity. Take, for example, accessing websites. Because we have no universal notion of who you are online, every website has its own notion of who you are (much to our chagrin, since we all deal with a proliferation of user accounts and passwords).

It’s a tangled mess that needs identity

Today, we have a tangled mess of identities — usernames, IP addresses, a cell number —  that all need to be managed and secured. As internet consumers, we all feel a bit of this pain in our daily interactions. But nothing we’ve seen to date can prepare us for what’s about to hit us, the internet of things – the network equivalent of the Big Bang.

It used to be if you wanted to secure something, you didn’t need to worry about identity. You simply put it in a safe, protected place behind a door or wall, or behind firewalls.

But as users of the Internet, equipped with our own smartphones and tablets that access personal and business applications in the cloud, we can’t put a firewall around an increasingly dynamic set of devices, systems and services.

Security from the enterprise perspective

Rather than focusing on locking down the enterprise, we need to think about enabling access and creating new opportunities through an open, standards-based identity. When everything is identity-aware and end-users enjoy access from anywhere on any device, we will enter into a new digital world that provides superior security and freedom to realize the full potential of a digital economy.

This not-so-distant digital frontier will arise from today’s big-bang-like, massive explosion of Internet endpoints and the IT industry’s desperate problem of securing and coordinating those endpoints. The result: a more perfect digital world where identity is ubiquitous, embedded, standardized and secure. Here’s how we see it.

Everyone and everything will have an identity. If you can’t identify it, you can’t secure it. If you can’t secure it, you can’t control it. If you can’t control it, it’s not yours. We can’t scale a world that we can’t talk to, can’t control and can’t secure. Everything, including your toaster, you fridge and your car, will have an identity.

Authentication will be strong and flexible. Authentication confirms the identity of the user or device. A combination of authentication methods, such as a code sent to your phone or a fingerprint scan, will provide stronger security. (And if we eliminate the password from those methods, we will reduce risks of breaches and stolen identities.)

Access will be federated. Federated identity allows a user to access an application in one domain using the authentication that occurred in another. Extending this access across all connected things tied to your identity allows for easy, seamless and secure access.

APIs will be foundational. Organizations rely upon APIs, which enable access to data for non-browser, native mobile or cloud-connected desktop applications. APIs will facilitate interaction between applications, across enterprises and with customers and partners. While security architects today struggle with the seemingly unmanageable task of securing the plethora of APIs, in tomorrow’s more secure digital world, APIs will be ubiquitous and application registration will be dynamic.

Standards will be everywhere. Industry standards are vital. While OAuth, SAML and OpenID Connect aren’t household names, they help mitigate risk, simplify the end-user experience and ease system integration. When standards are universal, identity becomes portable, enabled via an identity-services layer that is leveraged by ALL applications, much like how the Internet is based on TCP/IP and email is based on SMTP. Most people don’t know what those standards do, they simply know that the Internet and email just work. The underlying standards enable the user experience we all expect.

Privacy will be a choice. Once identity is ubiquitous, companies can control who has access to what, when and from where, and individuals will gain greater control of their own identities. Greater control will lead to greater privacy as both people and companies take a more active role while eliminating the friction (e.g., user IDs and passwords) that presents vulnerabilities to exploit. Privacy and security are intrinsically intertwined around identity. The Internet of Things simply raises it all to an entirely new level.

This vision of a digital world of people, applications, and devices that all recognize and interact with each other is a 10-year mission requiring an industry of technologists working together to ensure everything is identity-aware and access is ubiquitous. We will need to add identity standards to devices and apps to enable frictionless interoperability and connectedness of everything. This will require a new framework that subtracts friction out of the Internet of Things and cross-domain interaction in order to take advantage of something that’s traditionally been viewed as an obstacle.

By automating as much as possible, we can create a more controlled digital world that harmonizes the highly distributed nature of mobile, cloud, big data and the vast expanding internet of things.

Such a digital world is within reach, and makes a future full of endless possibilities exciting to build.

Andre Durand is the CEO of Ping Identity. Read more of his posts at Ping Talk Blog.

Featured image by Shutterstock / alexmillos