IoT, the “Illusion of Trust” — Moving Trust from the Network to Users and Devices

Our always-on, always-connected world has fundamentally changed how businesses operate. Communicating with customers and employees will never be the same again: cloud solutions bring many benefits by making things easier for businesses, and the shift is happening whether we like it or not.

But many businesses are placing trust in the cloud the way they did for internal networks, without proper consideration of the challenges and deeper issues at hand. The added convenience of cloud applications also comes with downsides, such as new security threats and the surrender of control.

Many people are familiar with the acronym “IoT,” and we understand it to mean the Internet of Things. Nowadays it is a catch-all term for all things cloud and smart connected devices. We believe there’s another meaning for these three letters — “Illusion of Trust.” We call it the Illusion of Trust because business owners don’t realize that cloud security is an issue. When businesses move their intranet services and data to cloud providers, they are likely placing “blind trust” in a traditional network security model that is no longer entirely reliable.

Leading organizations like Google, Coca-Cola, Verizon Communications Inc. and Mazda Motor Corp, however, are showing us that when they move their corporate applications to the Internet, they also take a new approach to enterprise security. It means flipping common corporate security practice on its head: shifting away from the idea of a trusted, privileged internal corporate network secured by perimeter devices such as firewalls, in favor of a model where corporate data can be accessed from anywhere with the right device and user credentials.

Bring Your Own Device (BYOD) is no longer a debate — it’s a responsibility. We are now at the point where BYOD has become “YOD.” Thanks to cloud computing, employees and staff no longer need to bring devices into an office in order to access business data. The workplace is now everywhere — we live in an age of business without walls. Telling staff not to use their own smartphones for work purposes is not an option. Digital natives demand it.

The new enterprise security model should therefore assume that the internal network is as dangerous as the Internet. Access should depend on the employee’s device and user credentials. Using authentication, authorization, encryption and strong biometric authentication, the model grants employees fine-grained access to different enterprise resources. Our vision is a new model that dispenses with a privileged corporate network and maintains an identical user experience between local and remote access to enterprise resources — relying instead on secured, trusted users and devices.

With this approach, trust is moved from the network level to the device level. Employees can only access corporate applications with a device that is procured and actively managed by the company. In this setup, organizations need a device inventory database that keeps track of computers and mobile devices issued to employees as well as changes made to those devices.

After the device is authenticated, the next step is to securely identify the user. Enterprise directories track and manage all employees in a user database and a group database that are tied into the company’s human resources processes.

Then comes a cloud identity service that performs single sign-on: a user authentication portal that validates the employee against the user database and group database, validates correct device security posture against the device inventory database, then generates a short-lived authorization for access to specific resources and steps up to strong authentication using mobile MFA for critical resources.

The level of access given to a user or a particular device can change over time. For example, an employee with a device whose operating system has not been updated with a recent patch may be given reduced trust, according to the paper. Specific models of phones can also be assigned different levels of trust based on the security inherent in those devices. If an employee suddenly accesses corporate applications from a new physical location — much like when someone suddenly uses a credit card in a foreign country — he or she may be denied access to some resources.
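The device-and-user access flow described in the preceding paragraphs, as an added Python example that is not from this article or from any of the companies it names. The device inventory, user directory, resource table, trust tiers and the 30-day patch grace period are constructed assumptions for a hypothetical company.

```python
# Constructed sample data for a hypothetical company (not from the article).
DEVICE_INVENTORY = {          # issued devices and their current state
    "lap-0042": {"owner": "alice", "managed": True, "os_patch_days": 3},
    "phn-0077": {"owner": "alice", "managed": True, "os_patch_days": 90},
    "byod-001": {"owner": "bob", "managed": False, "os_patch_days": 0},
}
USER_DIRECTORY = {            # HR-driven user and group records
    "alice": {"groups": {"staff", "finance"}, "home_country": "US"},
    "bob": {"groups": {"staff"}, "home_country": "US"},
}
# resource -> (required group, minimum device trust tier, step-up MFA required)
RESOURCES = {"wiki": ("staff", 1, False), "payroll": ("finance", 3, True)}
PATCH_GRACE_DAYS = 30         # assumption: older patch level means reduced trust


def device_trust(device_id: str, user: str) -> int:
    """Trust tier 0-3 derived from the device inventory record."""
    dev = DEVICE_INVENTORY.get(device_id)
    if dev is None or not dev["managed"] or dev["owner"] != user:
        return 0              # unknown, unmanaged, or not issued to this user
    if dev["os_patch_days"] > PATCH_GRACE_DAYS:
        return 2              # managed but behind on patches: reduced trust
    return 3                  # managed and current


def decide(user: str, device_id: str, resource: str, country: str,
           mfa_passed: bool = False) -> str:
    """Access decision for one request: 'allow', 'step-up' or 'deny'.

    Mirrors the article's flow: identify the user, check device posture,
    lower trust for an unexpected location, then require MFA for
    critical resources before issuing access.
    """
    record = USER_DIRECTORY.get(user)
    if record is None or resource not in RESOURCES:
        return "deny"
    group, min_trust, needs_mfa = RESOURCES[resource]
    if group not in record["groups"]:
        return "deny"         # authorization: not in the required group
    trust = device_trust(device_id, user)
    if country != record["home_country"]:
        trust -= 1            # new physical location: treat as less trusted
    if trust < min_trust:
        return "deny"
    if needs_mfa and not mfa_passed:
        return "step-up"      # critical resource: strong authentication first
    return "allow"
```

A real identity service would also bind the "allow" result to a short-lived token rather than a bare string; the decision logic above is the part that changes with device posture and location.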

As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce, making control and security harder. Business owners are demanding solutions from their IT partners and providers, and this is where cloud identity providers play an important role in winning the trust of businesses and cloud application providers.