Securing the Identity and Access Management of ‘Things’

IoT DevOps For Continuous Integration
June 22, 2017
Data Encryption Is Mission-Critical
July 6, 2017
Show all

The new security

This is the seventh in a series of Arrayent blog posts on IoT security. The series is written for employees of companies who sell connected products, especially those new to IoT. With this series, we hope to bring a basic level of awareness and understanding of key issues that face everyone who develops connected consumer products. We also hope to stimulate an ongoing dialog that helps move the conversation about connected products security forward.

Identity and Access Management (IAM) is one of the important considerations IoT platform security teams must address. The challenges are that it is complex, continuously evolving, and must be implemented on a massive scale.

IAM originally referred to the relationship between a human and a device, covering IP addresses, embedded keys, electronic tags, user accounts, unique numbers, and authentication. With the arrival of IoT, IAM has grown to include both devices and services—thus it is sometimes referred to as the IDentity of Things (IDoT).

The Cloud Security Alliance (CSA) now defines IAM as the relationships between ‘devices and humans,’ ‘devices and devices,’ ‘devices and application/services,’ or ‘a human and an application/services.’ The CSA IoT Working Group (WG) issued a whitepaper entitled “Identity and Access Management for the IoT Summary Guidance,” which provides an excellent overview of what you need to know about IAM. In the CSA’s ‘Cloud Controls Matrix 3.0.1,’ they further describe the control specifications for Identity and Access Management which helps provide fundamental security principles to cloud vendors, while also assisting platform customers in assessing the overall security risk of a provider. It outlines these areas:

  • Source Code Access and Restriction
  • Third Party Access
  • Trusted Sources
  • User Access Authorization
  • User Access Revocation
  • User ID Credentials
  • Utility Programs Access

For the purposes of this post, we’ll look at how Arrayent handles device identity and user access management, and what we consider to be ‘best practices’ in AIM.

Arrayent IoT cloud platform-as-a-service provides a secure end-to-end solution for consumer brands to develop, deliver, and support connected devices that can be remotely managed from anywhere in the world via the Internet. Arrayent’s platform is like a secure IoT operating system that hosts cloud-based virtual devices, which serve as digital copies of physical devices that are managed remotely through mobile apps.


Device identity management is a core feature of Arrayent’s platform. It provides device management using unique ID, AES-keys, user binding, firmware version control, and much more. One difference of Arrayent’s platform is that each device is embedded with unique security credentials. This means the device’s identity is pre-populated in the Arrayent cloud and only needs to be claimed by the user when they create an account, usually through a mobile app.

Let’s use an Arrayent-connected garage door opener as an example. It comes loaded with an ID that is unique to the device at the time of manufacturing. If this identity isn’t recognized when the product tries to connect to the Arrayent cloud, it cannot connect. If it is recognized, it makes a connection with its virtual digital twin that resides in the Arrayent cloud, waiting to be claimed by the user who creates an account—usually via a mobile app—and either scans a QR code or who’s phone passes a key to the device for authentication.

By contrast, there are other cloud platforms that take a different approach to credentials. Some use dynamically created credentials where a device can come to the cloud and ask for an identity, and then an identity is provided to the device. This approach can lead to cloning. Amazon AWS also uses a different approach with ‘client certificate’ (i.e. similar to a server certificate) as a replacement for the user identification and password.


For customer account passwords, Arrayent cryptographically hashes all passwords and supports characters for usernames and passwords that include letters, numbers, and special characters. Arrayent utilizes two workflows to register (i.e. create) new Customer Accounts: 1) Self-registration Workflow, and 2) System Account Registration Workflow. The Self-registration Workflow enables applications to securely create new Customer Accounts directly from a client device, like a smartphone, and is the preferred registration workflow for all applications. With the System Account Registration Workflow, a customer’s System Account creates the User Account from a secure server. User Passwords Workflow Management covers new registrations and password resets. Details appear on Arrayent’s developer guide here.


Multiple administrative roles need to be taken into account for developers, product managers, and support staff. If an IoT platform doesn’t have appropriate access controls, it can have dire consequences. The Arrayent platform ensures level on-boarding with appropriate authority and access controls for each.

For example, in a production environment, you need to closely guard your system account credentials. Applications should only login with System Account privileges when necessary (such as when needed to create a new user account) and only from a secure server. The System Account should never be exposed to any customers. If an unauthorized user were to gain access to System Account credentials, they could potentially cause great damage.

Another example of best practices for access control is restricting platform company employees who work remotely to connect to the company’s network via a Virtual Private Network (VPN). This provides an added level of administrative security control, allowing termination of VPN credentials in addition to account and password when employees leave the company.

When running an IoT business, security for devices needs to be planned for the long term. By having administrative controls in the cloud, it’s much easier for Arrayent customers to maintain and update devices, ultimately making them more reliable and secure, and easier for consumers to install and use. By hosting virtual devices and managing application code in the cloud, Arrayent helps optimize overall product cost, extensibility, and scalability. This is particularly important for large global brands that need to operate connected products across multiple regions and brands with varying privacy and security regulations.


Other Reading on IDoT and IAM:

Developers Guide – Web Services” – Arrayent Inc.

Identity and Access Management for the Internet of Things – Summary Guidance
– IoT Working Group, Cloud Security Alliance

The Internet of Things Demands a New Identity Management Approach
– Steve Shoaff, UnboundID

A Double-Edged Sword: IAM Meets IoT” – Angelika Steinacker, SecurityIntelligence

Identity and Access-Management Solutions for the IoT
– Brian Russell, Packt Publishing

Gartner Says Managing Identities and Access Will Be Critical to the Success of the Internet of Things” – Gartner Press Release