The answer to IOT security is to not re-invent 15 years of access management experience. The patterns and protocols that are now available to protect Web resources should be carried over to IOT. This would provide a solid foundation for incremental enhancements in security.
OAuth2 Chipset: the answer to IOT Security?

If you have been following the Gluu Twitter feed, you’ve probably noticed a lot of articles posted recently about Internet of Things (“IOT”) security (or lack thereof). If you bother to read any of these articles, you will discover that none of them provide any answers as to how a mobile application can share user data while calling APIs and a web access management system, or how the API server can determine whether a request to an API by a certain person, using a certain client, should be honored. It’s a weird situation where the people (and even some of the journalists) know that the emperor has no clothes, but the API developers and IOT experts are going about business as usual.

Even though it would make sense to build in security from the ground up, the focus of IOT hardware vendors has been on connectivity and shipping fast. And why not? As long as IOT devices sell, the fact that they might have some terrible security flaw that requires replacement next year is just an extra bonus.

Leveraging existing security standards for IOT has challenges. For example, IOT devices are more resource constrained than phones; they have slower CPUs and less memory.
They are disconnected from the Internet more often. Some devices might not ever connect to the Internet, although they may connect to a local network. Some devices might not even have IP: they may connect only via Bluetooth or some other wireless network protocol.

Let’s take a simple example. You have a tablet, and you want to use it to choose a Netflix movie on your TV, pre-heat your oven for the brownies, and tell your robot-butler to take out the ice-cream. Luckily, your oven, TV and robot-butler have APIs. But how will they know it’s you who made this request (maybe your kids don’t have ice cream permission…)? And how will they know to trust your tablet, which communicates on your behalf?

The answer to IOT security is to not re-invent 15 years of access management experience. The patterns and protocols that are now available to protect Web resources should be carried over to IOT. This would provide a solid foundation for incremental enhancements in security.
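The decision the tablet scenario asks for, sketched as an added example (not code from the article or from Gluu): a device accepts a request only if it carries an access token signed by an authorization server it trusts, naming the person, the client, this device as audience, and the needed scope. The claim names follow the usual JWT access token convention; the HMAC key, device names and scope strings are constructed assumptions, since the article does not specify a token format.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the authorization server and the device (assumption).
DEVICE_KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub, client_id, scope, aud, exp, key=DEVICE_KEY):
    """Stand-in for the authorization server: sign the claims with HMAC-SHA256."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    claims = {"sub": sub, "client_id": client_id, "scope": scope, "aud": aud, "exp": exp}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def authorize(token, device, needed_scope, now=None, key=DEVICE_KEY):
    """Device-side check. Returns (allowed, reason); nothing is trusted before the MAC verifies."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        # Pin the algorithm instead of letting the token choose it.
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return False, "unexpected alg"
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError, AttributeError):
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "malformed token"
    if claims.get("aud") != device:  # token was minted for another device
        return False, "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    if needed_scope not in str(claims.get("scope", "")).split():
        return False, "missing scope"
    return True, f"{claims.get('sub')} via {claims.get('client_id')}"
```

The device never stores a user list: who may take out the ice-cream is decided once, at the authorization server, when it chooses which scopes to put in each person's token.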
I think that security needs to be built in at the chipset level. This may sound crazy, but the idea of embedding a web server into a hardware device seemed crazy in the mid-90s. The two most promising APIs for IOT security are OpenID Connect and UMA. These profiles of OAuth2 provide open standards for authentication and web access management.

When people think about security, they tend to focus on all the bad stuff that can happen without security. Many wonder, “When will there be another 9/11 security event that forces user behavior to change?” I think this is the wrong way to look at it. We need security because it would enable us to lead richer, more productive lives. In other words, the opportunity cost of not having security far exceeds the costs of breaches. What could we do if we had security?

Article resource: https://www.smore.com/k410w-oauth2-chipset-the-answer-to-iot