An introduction to IAM for the IoT

Security administrators have traditionally been concerned with managing the identities of people and controlling access to the systems that make up their technology infrastructure. Bring Your Own Device (BYOD), for example, allows authorized individuals to associate personal mobile phones or laptops with their corporate account and receive network services on those devices. Those services are granted once minimal security assurances are deemed satisfied on the device: a strong password for account access, an up-to-date virus scanner, or even mandated partial or full disk encryption to support data loss prevention.

The IoT introduces a much richer connectivity environment than BYOD. Many more IoT devices are expected to be deployed throughout an organization than the usual one or two mobile phones or laptops for each employee. IAM infrastructures must be designed to scale to the number of devices that an organization will eventually support, potentially orders of magnitude higher than today. New IoT subsystems will continually be added to an organization as new capabilities arise to enable and streamline business processes.

The IoT's matrixed nature also introduces new challenges for security administrators in industrial and corporate deployments. Today, many IoT solutions are already being designed to be leased rather than owned. Consider the example of a leased radiology machine that records the number of scans performed and permits operation up to a purchased number of entitlements. Scans are reported online; that is, the machine opens a communications channel from the organization's network back to the manufacturer. This channel must be restricted to authorized parties only (that is, the lessor or its agents), and must accept connections only from the specific machine(s) covered by the lease. Access control decisions can become quite complex, potentially constrained by device firmware version, time of day, remaining entitlements, and other attributes.
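The following is an added example, not code from the book, showing how a policy decision point for that reporting channel might combine those attributes. It is deny-by-default: every check must pass before the connection is allowed, and the first failing check is reported so the decision can be audited. The device identifiers, firmware floor, reporting window and entitlement count are constructed for illustration.

```python
"""Attribute-based access decision for a leased device's reporting channel.

Added example (not from the book). Device IDs, version floor, time window
and entitlement count below are constructed values for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Tuple

# Constructed allow-list of device identities covered by the lease.
LEASE_ALLOWED_DEVICES = {"rad-scanner-0041", "rad-scanner-0042"}
# Constructed minimum firmware version (major, minor, patch).
MIN_FIRMWARE = (2, 4, 0)
# Constructed reporting window, in UTC.
REPORTING_WINDOW = (time(1, 0), time(5, 0))
# Constructed number of scans purchased under the lease.
ENTITLED_SCANS = 10_000


@dataclass(frozen=True)
class ReportRequest:
    device_id: str                 # identity asserted by the device certificate
    firmware: Tuple[int, int, int]  # reported firmware version
    scans_used: int                # scans already consumed under the lease
    now: datetime                  # timezone-aware time of the request
    client_cert_verified: bool     # did mutual TLS succeed for this device?


def decide(req: ReportRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default; the first failing check wins."""
    if not req.client_cert_verified:
        return False, "device not authenticated"
    if req.device_id not in LEASE_ALLOWED_DEVICES:
        return False, "device not covered by lease"
    # Tuples compare lexicographically, so (2, 3, 9) < (2, 4, 0).
    if req.firmware < MIN_FIRMWARE:
        return False, "firmware below required version"
    t = req.now.astimezone(timezone.utc).time()
    if not (REPORTING_WINDOW[0] <= t <= REPORTING_WINDOW[1]):
        return False, "outside reporting window"
    if req.scans_used >= ENTITLED_SCANS:
        return False, "entitlement exhausted"
    return True, "allow"


if __name__ == "__main__":
    sample = ReportRequest("rad-scanner-0041", (2, 4, 1), 120,
                           datetime(2024, 1, 1, 3, 0, tzinfo=timezone.utc), True)
    print(decide(sample))
```

The identity check relies on the device certificate having been verified by the transport layer before the policy runs; a firmware version reported by the device itself is only as trustworthy as that authentication, which is why it is checked after it.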

The IoT takes this further because of the basic need to share information. This applies not only to sharing data collected by IoT sensors with third-party organizations, but also to sharing access to the sensors themselves. Any IAM system for the IoT must support this dynamic access control environment, where sharing may need to be allowed or revoked quickly and at a very granular level for both devices and information.

Finally, security administrators must take into account personal IoT devices that attach to their networks. This brings about not only security concerns as new attack vectors are introduced, but also significant privacy concerns related to safeguarding personal information. We have, for example, begun to see organizations support the use of personal fitness devices such as Fitbit for corporate health and wellness programs. In 2016, Oral Roberts University introduced a program that required all freshmen to wear a Fitbit and allow the device to report daily steps and heart rate information to the university's computer systems: http://www.nydailynews.com/life-style/health/fitbits-required-freshmen-oklahoma-university-article-1.2518842.

IoT and Bring Your Own Device (BYOD) are a growing issue for corporate and government system security as employees continue to bring new, potentially untrusted devices into the workplace (https://www.securitymagazine.com/articles/88620-why-organizations-should-still-care-about-byod). These devices frequently reach out over internet services to share information. Smart devices are commonly designed by their manufacturers to connect to vendor-specific web services and other information infrastructure that support the device and the customer's use of it. Admitting such devices onto a managed network typically calls for 802.1X-style port-based network access control, and providing that for IoT devices requires some thought, since so many of them may attach to the network and most cannot run an 802.1X supplicant. Vendors are currently working on solutions that fingerprint IP-based IoT devices and use the result to decide whether a given device type should be granted an IP address (and which network segment) through DHCP provisioning. The fingerprint may be derived, for example, from the device's operating system, from the options it requests in its DHCP messages, or from some other observable characteristic of the device.
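As an added example (not code from the book), the block below shows the DHCP-based fingerprinting idea in working form: it parses the option TLVs of a DHCP DISCOVER, looks up the parameter request list (option 55) in a signature table, and assigns a VLAN by device class, quarantining anything unknown. Because a fingerprint is not an authenticator, it also cross-checks the vendor class identifier (option 60) against what the fingerprinted class is expected to send and quarantines on mismatch. The signature table, vendor class strings, VLAN names and sample DISCOVER messages are all constructed for illustration; a real deployment would take them from a fingerprint database and from the DHCP server or relay.

```python
"""DHCP-option fingerprinting as a coarse IoT admission control.

Added example (not from the book). Fingerprint table, vendor class strings,
VLAN names and sample DISCOVER messages are constructed for illustration.
"""
from typing import Dict, Tuple

# Constructed signature table: option 55 parameter request list -> device class.
# The ordered list of requested options is a commonly used DHCP fingerprint feature.
FINGERPRINTS: Dict[Tuple[int, ...], str] = {
    (1, 3, 6, 12, 15, 28, 42): "ip-camera",
    (1, 3, 6, 15, 119, 252): "thermostat",
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "windows-laptop",
}
# Constructed: vendor class identifier (option 60) each class is expected to send.
EXPECTED_VENDOR_CLASS = {
    "ip-camera": "CAMCO",
    "thermostat": "TSTAT-1",
    "windows-laptop": "MSFT 5.0",
}
# Constructed segmentation policy; unknown or inconsistent devices are quarantined.
VLAN_POLICY = {
    "ip-camera": "vlan-iot-cameras",
    "thermostat": "vlan-iot-hvac",
    "windows-laptop": "vlan-corp",
}
QUARANTINE_VLAN = "vlan-quarantine"
DHCPDISCOVER = b"\x01"


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Parse DHCP option TLVs (the bytes after the magic cookie).

    Handles PAD (0) and stops at END (255). Duplicate codes keep the last value.
    """
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 255:          # END
            break
        if code == 0:            # PAD has no length byte
            i += 1
            continue
        if i + 1 >= len(raw):    # truncated TLV header
            break
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_discover_options(prl: Tuple[int, ...], vendor_class: str = "") -> bytes:
    """Build the option field of a DHCPDISCOVER (constructed test input)."""
    body = bytes([53, 1]) + DHCPDISCOVER          # option 53: message type
    body += bytes([55, len(prl)]) + bytes(prl)    # option 55: parameter request list
    if vendor_class:
        vc = vendor_class.encode()
        body += bytes([60, len(vc)]) + vc         # option 60: vendor class identifier
    return body + b"\xff"                         # END


def assign_vlan(raw_options: bytes) -> Tuple[str, str]:
    """Return (vlan, reason) for one DHCP message's option field."""
    opts = parse_options(raw_options)
    if opts.get(53) != DHCPDISCOVER:
        return QUARANTINE_VLAN, "not a DHCPDISCOVER"
    prl = tuple(opts.get(55, b""))
    device_class = FINGERPRINTS.get(prl)
    if device_class is None:
        return QUARANTINE_VLAN, "unknown fingerprint"
    vendor_class = opts.get(60, b"").decode(errors="replace")
    if vendor_class != EXPECTED_VENDOR_CLASS[device_class]:
        # Option 55 and option 60 disagree: a spoofed or mis-fingerprinted device.
        return QUARANTINE_VLAN, f"vendor class {vendor_class!r} inconsistent with {device_class}"
    return VLAN_POLICY[device_class], device_class


if __name__ == "__main__":
    for name, msg in {
        "camera": build_discover_options((1, 3, 6, 12, 15, 28, 42), "CAMCO"),
        "spoofed": build_discover_options((1, 3, 6, 15, 119, 252), "MSFT 5.0"),
        "unknown": build_discover_options((1, 3, 6), "X"),
    }.items():
        print(name, assign_vlan(msg))
```

Treat the result as a segmentation hint rather than an identity: both options are set by the client and can be forged, so the fingerprint decides which restricted segment a device lands in, while anything that needs real trust should still authenticate with a device credential.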

IoT IAM is one aspect of an overarching security program that must be designed to address the risks of this dynamic new environment, in which the following applies:

  • New devices can be securely added to the network at a rapid pace and for diverse functions
  • Data and even devices can share not only within the organization but with other organizations
  • Privacy is maintained despite consumer data being collected, stored, and frequently shared with others
  • Cheap IoT devices, such as sensors that carry authentication material, can be disposed of easily and securely at end of life without exposing security-relevant identity material such as private keys

The following figure shows a holistic IAM program for the IoT:

As noted in the preceding diagram, it is important to align the new IoT IAM strategy with the existing governance models and IT systems in your organization. It may also be worth integrating authentication and authorization for your IoT devices with your Physical Access Control Systems (PACS). PACS provide the electronic means of enabling and enforcing physical access policies throughout your organization's facilities. Frequently, PACS are also integrated with Logical Access Control Systems (LACS), which provide the technology and tools for managing identity, authentication, and authorization for computer, data, and network resources. Because they already carry the organization's identity and policy data, PACS/LACS technologies are a natural place to begin incorporating new IoT devices in a relatively controlled manner.
