Machine identity

Identity is the base layer for lifecycle management


Last updated 3 years ago


IAM of things

IAM (identity and access management) consists in "giving the right rights, to the right people, at the right times". The IAM of things adds a component to this definition, so that it becomes "giving the right rights, to the right people and to the right things, at the right times".

Implementing solutions for the appropriate management of the identities of connected objects therefore means taking into account:

  1. Management of the identities of objects and of their state, during the full lifecycle of the objects

  2. Management of access control and authorizations: information systems on objects; objects over other objects and their data; company employees / partners on the object and its data; end customers on the object and its data

  3. Governance of object identities and the relevance of associated rights over time
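As an added example (not code from the mediam project), the following Python check ties the three points above together: it refuses access to objects whose lifecycle state is not active, evaluates the rights granted to people or to other objects over an object and its data, and bounds each right by a validity window so that stale rights can be found and revoked. All identifiers, lifecycle states and policy values are constructed for illustration.

```python
# Added example, not from the mediam project: a minimal "IAM of things" check
# covering the three points above (object identity and lifecycle state, rights
# of people and other objects over an object, time-bounded validity of rights).
# All identifiers, states and policy values below are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone

ACTIVE_STATES = {"provisioned", "active"}  # hypothetical lifecycle states

@dataclass
class Thing:
    thing_id: str
    state: str  # e.g. manufactured, provisioned, active, decommissioned

@dataclass
class Grant:
    subject: str        # an employee/partner, an end customer, or another thing
    resource: str       # thing_id the right applies to
    actions: frozenset  # rights over the object and its data
    not_before: datetime
    not_after: datetime

def is_allowed(things, grants, subject, action, resource, now):
    target = things.get(resource)
    # 1. identity + lifecycle: unknown or retired objects never grant access
    if target is None or target.state not in ACTIVE_STATES:
        return False
    # a requesting object must itself be a known, still-active identity
    if subject in things and things[subject].state not in ACTIVE_STATES:
        return False
    # 2. + 3. right subject, right action, inside the right time window
    return any(g.subject == subject and g.resource == resource
               and action in g.actions and g.not_before <= now < g.not_after
               for g in grants)

def expired_grants(grants, now):
    """Governance helper: rights whose window has closed and should be revoked."""
    return [g for g in grants if g.not_after <= now]

# Constructed sample fleet and policy (not from any real deployment).
THINGS = {"pump-001": Thing("pump-001", "active"),
          "gw-007": Thing("gw-007", "active"),
          "pump-002": Thing("pump-002", "decommissioned")}
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
T1 = datetime(2025, 1, 1, tzinfo=timezone.utc)
GRANTS = [Grant("gw-007", "pump-001", frozenset({"read_telemetry"}), T0, T1),
          Grant("tech@hospital.example", "pump-001",
                frozenset({"read_telemetry", "update_firmware"}), T0, T1),
          Grant("tech@hospital.example", "pump-002",
                frozenset({"update_firmware"}), T0, T1)]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LATER = datetime(2025, 6, 1, tzinfo=timezone.utc)
```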

Machine identity as a new category

Notice that this new concept based on object/machine identities is already deployed at scale in some geographies (for example, CAICT deployments in China).

Gartner has identified this new category as "Machine Identity" (source: Hype Cycle for Identity and Access Management Technologies, July 2020) and provides the following insights:

  • Market Penetration: 5% to 20% of target audience

  • Maturity: Emerging

  • Vendors: Amazon Web Services (AWS); AppViewX; CyberArk; HashiCorp; Keyfactor; Microsoft; Scytale; Sectigo; SSH; Venafi. Our own research would add Device Authority to that list, as well as a few European players (Atos Idnomic, Thales Cinterion).

One can notice, however, that this category is largely organized around cloud computing use cases, based on centralized networks and PKI, and would have difficulty managing the heterogeneity and openness of IoT networks. A concrete example is the prevalence of PAM (privileged access management) for machines that run in traditional cloud/hybrid/on-premise IT infrastructures: administrators are usually able to connect to them remotely, which would not be allowed for IoT objects in the field.

Note also that machine identity cannot be separated from corporate identity, especially in order to trace supply chain events.

What's the difference with what exists

By studying existing IoT platforms, we found that their priority is already to cover the essential services for the management of the fleet of connected objects:

  • manage the multi-protocol connectivity of objects with telecommunication networks (Sigfox, LoRa, NB-IoT, DASH7, 5G, etc.). Non-IP protocols bring their own constraints, and advances such as SCHC may provide a convergence between telecom and IP networks that helps manage security in a consistent manner

  • control the inventory of deployed objects and ensure their configuration or update via a "Device Management" module (LWM2M, OMA-DM, TR-069 / CWMP, etc.)

  • allow the reporting and provision of data generated by the objects (DTLS, CoAP, MQTT, AMQP, etc.)

  • integrate with cloud data services

As an example, cloud vendors are looking for economies of scale and therefore tend to support one specific architecture (embedded Linux), but are unable to support (or cross-compile for) a wide variety of embedded targets.

What is not covered is the ability to manage zero-trust identities in open networks. This requires the use of decentralized identities (which we cover using DIF KERI), coupled with authorization (which we cover using IETF GNAP).
