Machine identity

Identity is the base layer for lifecycle management

IAM of things

IAM (identity and access management) consists of giving the right rights to the right people at the right times. The IAM of things adds one component to this definition: giving the right rights to the right people and to the right things, at the right times.

Implementing solutions that manage the identities of connected objects appropriately therefore requires taking into account:

  1. Management of the identities of objects and of their state, over the full lifecycle of the objects

  2. Management of access control and authorizations: objects over information; objects over other objects and their data; company employees and partners over the object and its data; end customers over the object and its data

  3. Governance of object identities and of the continued relevance of the associated rights over time
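As an added illustration of the three requirements above (not code from this page or from any of the platforms it names), the following Python model binds each object's identity to a lifecycle state and to an owning organisation, and makes every access decision depend on that state, on the kind of principal (object, employee, partner or customer) and on a time-bounded grant; a review function then lists the grants whose justification has lapsed. The state names, principal kinds, device identifiers and decision rules are assumptions made for the example, and the scenario data is constructed.

```python
"""Lifecycle-aware identity and access model for connected objects (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class State(Enum):
    MANUFACTURED = "manufactured"
    PROVISIONED = "provisioned"
    DEPLOYED = "deployed"
    DECOMMISSIONED = "decommissioned"

# Allowed transitions (assumed): provisioned before deployed, no way back from decommissioned.
TRANSITIONS = {
    State.MANUFACTURED: {State.PROVISIONED, State.DECOMMISSIONED},
    State.PROVISIONED: {State.DEPLOYED, State.DECOMMISSIONED},
    State.DEPLOYED: {State.PROVISIONED, State.DECOMMISSIONED},
    State.DECOMMISSIONED: set(),
}

@dataclass
class Device:
    device_id: str
    owner_org: str                      # corporate identity the machine identity is bound to
    state: State = State.MANUFACTURED
    history: list = field(default_factory=list)   # lifecycle and supply-chain events

    def transition(self, new_state, at):
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.device_id}: {self.state.value} -> {new_state.value} not allowed")
        self.history.append((at, f"{self.state.value}->{new_state.value}"))
        self.state = new_state

    def transfer(self, new_owner, at):
        # Supply-chain event: the previous owner's staff lose their implicit rights (see authorize).
        self.history.append((at, f"owner {self.owner_org}->{new_owner}"))
        self.owner_org = new_owner

@dataclass
class Principal:
    principal_id: str
    kind: str          # "object", "employee", "partner" or "customer"
    org: str

@dataclass
class Grant:
    principal_id: str
    device_id: str
    right: str         # e.g. "read_data" or "configure"
    expires: datetime

class Registry:
    def __init__(self):
        self.devices = {}
        self.grants = []

    def grant(self, principal_id, device_id, right, expires):
        self.grants.append(Grant(principal_id, device_id, right, expires))

    def authorize(self, principal, device, right, now):
        """True only if lifecycle state, identity binding and time all justify the request."""
        if device.state != State.DEPLOYED:
            return False                # nothing is granted on an object that is not in the field
        if principal.kind == "employee" and principal.org == device.owner_org:
            return True                 # owner's staff: rights follow the corporate binding
        if principal.kind == "object":
            peer = self.devices.get(principal.principal_id)
            if peer is None or peer.state != State.DEPLOYED:
                return False            # an unknown or decommissioned object cannot act
        # Partners, customers, other objects and outside staff need an explicit, unexpired grant.
        return any(g.principal_id == principal.principal_id and g.device_id == device.device_id
                   and g.right == right and g.expires > now for g in self.grants)

    def stale_grants(self, now):
        """Governance review: grants whose justification has lapsed (time or lifecycle)."""
        stale = []
        for g in self.grants:
            target = self.devices.get(g.device_id)
            actor = self.devices.get(g.principal_id)    # set only when the grantee is an object
            if (g.expires <= now or target is None or target.state != State.DEPLOYED
                    or (actor is not None and actor.state != State.DEPLOYED)):
                stale.append(g)
        return stale

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference instant

def at(day):  # instant `day` days after T0 (scenario helper)
    return T0 + timedelta(days=day)

def build_scenario():
    """Constructed fleet: two deployed devices of one owner, a partner grant, an object-to-object grant."""
    reg = Registry()
    sensor, gateway = Device("sensor-1", "acme"), Device("gw-1", "acme")
    for d in (sensor, gateway):
        reg.devices[d.device_id] = d
        d.transition(State.PROVISIONED, at(0))
        d.transition(State.DEPLOYED, at(1))
    reg.grant("partner-bob", "sensor-1", "read_data", at(30))
    reg.grant("gw-1", "sensor-1", "read_data", at(365))
    return reg, sensor, gateway
```

Running `build_scenario()` and then `authorize()` shows the behaviour the list calls for: the partner's read grant works at day 2 and fails at day 40 once it has expired, the gateway's object-to-object grant stops working as soon as the gateway is decommissioned, and transferring `sensor-1` to another organisation (a supply-chain event) immediately removes the implicit rights of the previous owner's employees. `stale_grants()` is the governance side: it reports the grants a periodic review would revoke for the same reasons.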

Machine identity as a new category

Note that this new concept, built on object/machine identities, is already deployed at scale in some geographies.

Gartner has identified this new category as "Machine Identity" (source: Hype Cycle for Identity and Access Management Technologies, July 2020) and provides the following insights:

  • Market Penetration: 5% to 20% of target audience

  • Maturity: Emerging

  • Vendors: Amazon Web Services (AWS); AppViewX; CyberArk; HashiCorp; Keyfactor; Microsoft; Scytale; Sectigo; SSH; Venafi. Our own research would add Device Authority to that list, as well as a few European players (Atos Idnomic, Thales Cinterion).

Note, however, that this category is largely organized around cloud computing use cases, built on centralized networks and PKI, and would struggle with the heterogeneity and openness of IoT networks. A concrete example is the prevalence of PAM (privileged access management) for machines running in traditional cloud, hybrid or on-premise IT infrastructures: administrators are usually able to connect to those machines remotely, which would not be acceptable for IoT objects in the field.

Note also that machine identity cannot be separated from corporate identity, in particular in order to track supply chain events (for instance an object changing owner along the supply chain).

How this differs from what exists

By studying existing IoT platforms, we found that their priority is to cover the essential services for managing a fleet of connected objects:

  • manage the multi-protocol connectivity of objects to telecommunication networks (Sigfox, LoRa, NB-IoT, DASH7, 5G, etc.). Non-IP protocols bring their own constraints; advances such as SCHC (Static Context Header Compression, which carries IPv6/UDP/CoAP over LPWAN links) may provide a convergence between telecom and IP networks that helps manage security consistently

  • control the inventory of deployed objects and ensure their configuration or update through a "Device Management" module (LwM2M, OMA-DM, TR-069/CWMP, etc.)

  • allow the data generated by the objects to be reported and made available (DTLS, CoAP, MQTT, AMQP, etc.)

  • integrate with cloud data services

Cloud vendors, for example, look for economies of scale and therefore tend to support one specific architecture (embedded Linux), but are unable to support (or cross-compile for) a wide variety of embedded targets.

What is not covered is the ability to manage zero-trust identities in open networks. This requires decentralized identities (which we cover using DIF KERI, the Key Event Receipt Infrastructure) coupled with authorization (which we cover using IETF GNAP, the Grant Negotiation and Authorization Protocol).
