Technology And FM: Identity And Access Management

By Petteri Ihalainen
From the January/February 2015 issue

In a crowded shopping mall in Nevada, suddenly all the doors lock, security gates come crashing down, and air circulation comes to a grinding halt. The heating system kicks in even though it’s 95˚F outside. The shopping mall is turned into a sauna. How did this happen? The Internet of Everything could bring us this scenario—and more—as connected devices proliferate in the coming years. HVAC systems, electronic locks, heating, and many other technologies under a facility executive’s purview now have Internet connectivity or are connected to a control center that has Internet connectivity.

Reports indicate the recent cybersecurity breach involving retailer Target at one point involved unauthorized access via an HVAC system. Add the fact that almost every business is expanding its online services to its constituencies, and it’s clear that the boundaries on the facility are blurring.

From an IT security perspective, each of these connections is a risk. If a connection is poorly protected, it can potentially provide access to all the other systems that are connected to the same network. As with physical breaking and entering, the easiest path to IT unauthorized access is through the back door with a poor lock. A connection will have no virtual lock at all, especially if the default password of the manufacturer has never been changed.

To continue the metaphor, identity and access management (IAM) has always provided a rugged lock on the door to enterprise IT resources. It secures facility systems via the use of proper authentication, and in many scenarios, proper authorization. Authentication only gives us information on who is coming through the door, but authorization will tell us what they can do. When operating multiple facilities, the complexity grows for facility managers, and simple mistakes can lead to problems of massive proportions.

IAM can reduce complexities in authentication and authorization. If one can build a central system through which every party (inside or outside) is properly authenticated and authorized using tested access policies, not only will this minimize the risk of “targeted” attacks, but it will also make life easier for facility stakeholders through technologies such as Single Sign-On (SSO) and federation.

SSO technologies eliminate the need for multiple password logins. Identity providers act as gatekeepers who authenticate users, then allow them to access appropriate services at the same level of assurance. Meanwhile, federation is a mechanism for creating trust relationships between different networks—such as when a user moves from his or her own network to a customer or partner network.

Traditional IAM solutions have focused on provisioning employee identities and providing SSO to internal applications. These focus on internal resources, since traditionally it was presumed that only insiders within an organization or within a facility are permitted access to IT resources. But IT traffic these days is often from external sources, including remote employees, networks of partners, subcontractors, vendors, and customers. Automated systems run by computers with embedded operating systems add to this as well, and may enable connections to other systems within the facility.

What’s more, some manufacturers of connected consumer devices may be more focused on winning the “arms” race to lock in consumers to their brands and less on promoting hidden features of identity and security that in themselves do not sell products.

And while there are both commercial and open source standards in existence for implementing proper access control, such as SAML (Security Assertion Markup Language) and OAuth, implementing these is often not a high priority for equipment vendors—although certainly it should be. SAML is a nearly 10 year old standard specifying components that are necessary to exchange identity information between the identity provider and the online service. OAuth is a newer authentication protocol that is in some ways easier to apply although less specific to identity authorization.

An expanding view of IAM has emerged that encompasses external resources and the imperative to extend the enterprise to encompass business ecosystems with multiple stakeholders including partners, subcontractors, customers, owners, and investors. Virtually all facilities have multiple areas where operators would want to secure access to digital information or facility controls at varying levels. The National Institute of Standards and Technology (NIST) describes four levels of identity assurance combining the registration process of the authentication token and the strength of the token. (The most recent document from NIST can be found here.)

Petteri Ihalainen.

Cybersecurity controls must act as a primary means of letting only the good guys in and providing effective audit trails. At the same time, facility executives can apply this same infrastructure to create new business services—such as system maintenance to be monitored, utilities to be metered, and perhaps opportunities not yet identified.

Ihalainen is identity and access management (IAM) product manager at GlobalSign, a provider of identity services for the Internet of Everything, mediating trust to enable safe commerce, communications, content delivery, and community interactions for online transactions. GlobalSign’s IAM portfolio includes access control, single sign-on (SSO), federation, and delegation services to help organizations and service providers create new business models for customer and partner interactions.