forgerock.com

I'll have more to say on IoT vulnerabilities in the future, but some initial thoughts on what we saw last week: * IoT based attacks are not new and the security vulnerabilities of many devices are well known - the speed and scale of this recent attack will hopefully refocus attention to the identity and security aspects of many device-based deployments for both manufacturers and third party service providers. * Devices themselves need a baseline set of security principles - no hard coded user names or passwords, transport layer security where possible, update-able firmware (many devices are never updated) and with any computer deployment, have all non-necessary services and ports disabled. * When it comes to devices accessing a trusted back-end cloud service, the device should receive its credentials, perhaps in the form of a "pin and pair" style relationship with the device owner, using authorization standards such as OAuth2 to receive short-lived access tokens. IoT vulnerabilities are real, and as botnet based attacks become more frequent individuals and manufacturers need to be aware of the basic attack vectors that exist.

Ashley Stevenson, Identity Technology Director in ForgeRock’s office of the CTO, and head of our Federal business unit, was a panelist on the Federal Executive Forum radio show in late 2015. The future, which is happening right now, is that there’s a whole new class of identities joining the ecosystem, and that is connected devices. And so the predictions are, by people who make these kinds of predictions, that we’ll see 50 billion connected devices by 2020, which is gong to far outnumber the number of people for whom we need to manage identity. So, we need to be prepared – and prepare now – to manage the identities and the credentials and the access of these connected devices and things, and the relationships between the things and the people and the organizations.

The biggest news to hit the data privacy and regulatory worlds over the past few weeks is the European Court of Justice finding that undermined the Safe Harbor provisions between the EU and the US. * How can User-Managed Access (@UMAWG) help businesses address challenges related to #SafeHarbor and consent? If you have questions (or answers) you’d like to pose, throw them our way ahead of time. If you’re interested in reading up on #SafeHarbor and related issues, this backgrounder from the Court of Justice of the European Union is a good starting place.