How to Protect IoT Applications with Role-Based Access Control
The Internet of Things, or IoT, is what allows us to take the power of computing beyond desktops, servers, and smartphones. The goal of IoT is to integrate all the “things” in the world and enable them to send or receive information, or both. If you use devices like Amazon Alexa or Google Home, you’re already interacting with IoT on a basic level. But IoT extends well beyond household devices: International Data Corporation (IDC) estimates that by 2022, global expenditure on IoT devices will exceed $1 trillion.
In this article, we’re going to look at some of the IoT systems in use within our world. We’ll talk about the security considerations with these systems, and finally, we’ll look at how CyberArk’s Conjur can be used to create more secure and well-managed IoT applications.
Managing and Understanding the World with IoT
IoT applications allow us to send and receive information from devices. For example:
- Agriculture: Particularly for crops which have specific irrigation needs, an array of hygrometers can report the moisture content within the soil. The monitoring system can automatically signal IoT devices which control the irrigation system and ensure that water is applied appropriately.
- Office Buildings: Motion sensors, light sensors, and temperature sensors report on conditions within a building, including whether the buildings are occupied, and can adjust the temperature control and lighting system to optimize occupant comfort and energy savings.
- Smart Energy Grids: As power grids can draw from multiple systems, including hydroelectric, wind and solar, IoT devices can manage how much energy is required, adjusting for temperature, weather conditions, and the needs of the service area. Expanding the connections between different grids can further optimize resource usage.
Other examples include city infrastructure monitoring, personal devices known as “wearables”, and transportation applications. Our adoption of, and reliance on, IoT applications is still in its infancy and continues to grow.
Security for IoT applications needs to be considered from multiple angles. The most obvious danger is that large-scale projects to build smart infrastructure, such as power grids and transportation systems, could be compromised by foreign agents with malicious intent.
On October 12th 2016, a DDoS attack against Dyn, a DNS provider, resulted in massive Internet outages across the United States. The source of the attack was a botnet of IoT devices with lackluster security and default access credentials. The attackers built the botnet by marshaling thousands of small, seemingly insignificant devices and using them to orchestrate a large-scale assault against commercial interests.
IoT devices can be hacked to gain control of the systems they are a part of, or to divulge personal information. Moreover, as IoT applications and systems expand, their attractiveness to entities with evil intent grows as well.
Protecting Your IoT Application
Protecting your application from intrusion, exploitation, and data theft requires a comprehensive approach.
- Secure all devices with strong, unique and regularly rotated passwords.
- Encrypt all data before transmitting between devices and application controllers.
- Control access to the network and application through role-based access controls.
At the heart of your strategy should be a security service which can integrate with all aspects of your application to provide access control, data encryption and identity management. Conjur from CyberArk is an example of such a system and provides a policy-based approach to implementing and managing your security strategy.
Using Conjur RBAC to Secure Your Application
Role-based access control allows you to define roles, assign entities to those roles, and specify which resources each role can access and with what privileges. The entities which fulfill each of the roles are the users of your system, its devices, and the components of the infrastructure. A central system simplifies security management, making it easy to onboard new resources and remove expired ones as needed.
Identity management is particularly crucial with IoT networks, as keeping track of multiple devices could become an administrative nightmare, especially with large-scale systems. Conjur uses a service known as a Host Factory, which simplifies the process of adding new devices to the systems in a secure manner.
Conjur policies collect devices, or hosts, into a logical grouping known as a layer. A host factory attached to the layer issues tokens for new devices. A provisioning process passes a token to a new device, which presents it to Conjur and, if the token is valid, is enrolled as a host in the layer. This process allows the system to be configured and scaled automatically.
When another entity such as a user or another system needs to interact with a device within a layer, it submits a request to Conjur via its API. Conjur uses the RBAC policies in effect to determine whether the entity is eligible for access to devices in the target layer. A successful transaction allows the requesting entity to acquire information about the target layer, including access to provided secrets, labels, and other metadata relating to the devices which belong to it.
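A Conjur policy that expresses the layer, host-factory and access arrangement described above, written here as an added example rather than taken from the article or from Conjur's own documentation; the policy id, the host and group names, the variable name and the annotation text are all assumed:

```yaml
# Added example policy (not from the article): an irrigation application whose
# soil-moisture sensors are enrolled through a host factory. Every id below is
# hypothetical; within the policy body, references resolve relative to "irrigation".
- !policy
  id: irrigation
  body:
    # Logical grouping for every enrolled sensor device
    - !layer
      id: soil-sensors
      annotations:
        description: Field hygrometers reporting soil moisture

    # Host factory whose tokens enrol new hosts straight into the layer
    - !host-factory
      id: soil-sensors
      layers: [ !layer soil-sensors ]

    # Secret the sensors need in order to publish their readings
    - !variable
      id: telemetry/broker-password

    # The controller that consumes the readings is a host known up front
    - !host
      id: irrigation-controller

    # Operators who are allowed to rotate the secret
    - !group
      id: operators

    # Every member of the layer may fetch the secret, but not change it
    - !permit
      role: !layer soil-sensors
      privileges: [ read, execute ]
      resource: !variable telemetry/broker-password

    - !permit
      role: !host irrigation-controller
      privileges: [ read, execute ]
      resource: !variable telemetry/broker-password

    # Only operators may write a new value
    - !permit
      role: !group operators
      privileges: [ read, update ]
      resource: !variable telemetry/broker-password
```

Loading this policy creates the layer, host factory, secret and permissions in one step; a token issued from `irrigation/soil-sensors` then enrols each new sensor as a host in the layer, and layer membership is what grants it `read` and `execute` on the broker password while leaving `update` to the operators group.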
Conjur is also invaluable in creating and assigning strong and secure passwords for resources within your application and ensuring that only those with validated credentials have access to those resources. Additional functionality enables users to set password and encryption key rotation requirements.
IoT applications are here to stay and are becoming an integral part of almost every industry. As the adoption of these applications accelerates, we need to ensure that the networks are built to be secure and resilient. Conjur provides the tools to build resilient and secure networks. You can find out more about Conjur from conjur.org, and if you would like to evaluate Conjur as a solution for your projects, you can sign up for a free, temporary Conjur account to try it out.