leowolfert - Fotolia

How to use IoT authentication and authorization for security

IT administrators can determine which IoT authentication and authorization type, such as one-way or three-way, will serve them best based on their latency and data requirements.

IoT authentication and authorization are essential components of cybersecurity, whether consumers implement them on smart home devices or an enterprise on hundreds of IoT devices that track and monitor large-scale workflows and resources.

At their core, IoT devices simply connect to share data. With so many devices in use, it's vital to secure these connections. IoT authentication and authorization can do that. Given the number of devices that connect to an organization's network, IT administrators can't afford to forget about this part of a security strategy.

An IoT authorization and authentication strategy begins with understanding how an organization uses IoT devices and how devices communicate with their network.

What is authentication and authorization?

Authentication is the process of device identification, while authorization provides permissions. IoT devices use these processes to do role-based access control and ensure that devices only have access and permission to do exactly what they need. Only authorized devices can interact with other devices, applications, cloud accounts and gateways.

Administrators register each device when they deploy it on the system. The system validates devices when they connect and share data. Many organizations use public key infrastructure (PKI) to link devices with public key certificates from certificate authorities to assign and verify device identities. PKI establishes an IoT device's legitimacy on a network to share data.

Strong IoT authentication protects against control commands from unauthorized users or outside devices that attempt to access the network through a targeted device. The security measure prevents attackers from claiming their actions come from IoT devices on the network and therefore getting access to data in the broader network.

Organizations have multiple ways to authenticate and authorize IoT devices that depend on the device, location and nature of the data the device transmits or receives.

Understand 3 types of authentication and authorization models

Security falls into two main categories: distributed and centralized. In the distributed model, devices store certificates and identities and validate authorization. In the centralized model, a centralized server or trusted third-party application distributes and manages the IoT devices' authentication certificates. When devices connect to the network, the certificate's central repository performs the verification and authentication.

Depending on the nature of IoT devices, combinations of distributed and centralized models can ensure the most efficient and secure management.

Depending on the nature of an organization's IoT devices, combinations of distributed and centralized models can ensure the most efficient and secure management.

There are three main IoT authentication and authorization security protocols and options available that admins can deploy:

Distributed one-way authentication. Whenever two devices decide to connect, such as an IoT sensor and gateway, the protocol dictates that only one device authenticates itself to the other, and the second device is not authenticated. One device registers as valid with the second device through a password hash or digital certificate. When the first device tries to connect, the second device checks the password or certificate and compares it to the stored information. If the information matches, the device authorizes the connection.

One-way authentication works best for devices that only connect to one other device. These devices still need security mechanisms, but don't require constant monitoring.

Distributed two-way authentication. Also known as mutual authentication, this protocol is used when both devices authenticate each other before they communicate. Each device must have a unique digital identity stored for the other device and then compare identities. The devices can only connect when the first device trusts the second device's digital certificate and vice versa. The Transport Layer Security protocol exchanges and compares certifications.

Online e-commerce transactions and highly sensitive data transmissions typically use this protocol.

Centralized three-way authentication. In this approach, an admin registers the devices with a central authority or server and associates the devices with valid digital certificates. The central authority facilitates the secure handshake between the two devices that wish to communicate. In three-way authentication, the security certificates aren't stored on the devices and can't be stolen by criminals, yet the devices still have strong security.

This approach works best for always-connected devices or ones with on-demand internet access because it eliminates any authentication delay. A certificate and key lifecycle management service can manage the certificates centrally and connect to any device on a network that needs verification.

IoT authentication types and suggested uses

Consider communication protocols for IoT authentication and authorization

To choose the right approach to an IoT authentication and authorization strategy, organizations must consider the technology used to secure data and machine identification.

IT administrators must monitor the network for machine identities to ensure only authorized devices connect and communicate with the network. Admins can also get alerts when unauthorized devices try to connect.

The communication protocol a network uses to connect and share data is also critical for IoT device security. For example, an X.509 certificate provides security for certificates, but may use too much computing power, internet bandwidth and electricity to be useful for IoT devices.

The PKI that a network uses can create connectivity issues when the system authenticates and authorizes devices. Devices that use chained digital certificates may require more bandwidth to verify themselves and permit communication.

A more efficient and smaller footprint protocol that's quickly becoming the IoT security standard is Message Queuing Telemetry Transport (MQTT). As a centralized approach to IoT security, MQTT connects a client, such as the IoT device, to a broker that stores digital identities and certificates.

Organizations integrate MQTT into various network monitoring and management systems, which enables IT professionals to monitor thousands of IoT devices in a scalable way. The protocol offers customization options for communication bandwidth between devices and ensures that data transmits smoothly and securely between devices.

Dig Deeper on Internet of things security