The Digital Twin Instance

Twin Buildings

It’s time to create a #DigitalTwin Instance of a physical entity that is derived from a Digital Twin Model. #IoT #IIoT

If you’ve worked with any of the Internet of Things platforms, you have probably registered an IoT endpoint or device to make its identity known to the system. At its simplest, that is what it means to create an instance of your digital twin that is entangled with a physical entity.

Like most things in the digital world, you start with identity. You give your digital twin a name and perhaps a brief description. The IoT platform you’re working with assigns a unique identifier that is used to address and identify the digital twin and its physical counterpart throughout their life cycle. Next, a security token or an X.509 certificate is bound to that identifier so the device can authenticate and be authorized; telemetry that arrives without the bound credential is not the twin’s. You can usually set a date after which the token or certificate is no longer valid, and you should have the option to disable the twin so that incoming data from a compromised physical entity is rejected (and to re-enable it once the device has been remediated). Lastly, you bind the instance to the digital twin model it is derived from, so the platform knows which properties and telemetry the instance is allowed to report.
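The registration steps above as a small in-memory registry, written as an added example that is not from the original post or any particular IoT platform. The class and method names, the “building-v1” model, the way a credential is fingerprinted (SHA-256 over the bytes the device presents) and the sample telemetry are assumptions for illustration; a real platform would verify the certificate chain or the token signature rather than compare a hash.

```python
"""Added example: creating a digital twin instance (identity, credential binding,
expiry, enable/disable, model binding) and checking telemetry against it.
Names, the fingerprint scheme and the sample data are assumptions for illustration."""
import hashlib
import hmac
import time
import uuid
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class TwinModel:
    """The model a twin instance is derived from: here, just the telemetry it allows."""
    model_id: str
    telemetry: FrozenSet[str]


@dataclass
class TwinInstance:
    twin_id: str                      # platform-assigned unique identifier
    name: str
    description: str
    model_id: str                     # binding to the model the instance derives from
    credential: str                   # fingerprint of the bound certificate or token
    credential_expires: Optional[int]  # unix seconds; None means no expiry
    enabled: bool = True


def _fingerprint(kind: str, material: bytes) -> str:
    # Assumed scheme: tag the credential type and hash the bytes the device presents.
    return f"{kind}:{hashlib.sha256(material).hexdigest()}"


class TwinRegistry:
    def __init__(self) -> None:
        self._models: Dict[str, TwinModel] = {}
        self._twins: Dict[str, TwinInstance] = {}

    def add_model(self, model: TwinModel) -> None:
        self._models[model.model_id] = model

    def create_instance(self, name: str, description: str, model_id: str, *,
                        cert_der: Optional[bytes] = None, token: Optional[bytes] = None,
                        expires: Optional[int] = None) -> TwinInstance:
        if model_id not in self._models:
            raise KeyError(f"unknown twin model {model_id!r}")
        if (cert_der is None) == (token is None):
            raise ValueError("bind exactly one credential: a certificate or a token")
        credential = (_fingerprint("x509", cert_der) if cert_der is not None
                      else _fingerprint("token", token))
        twin = TwinInstance(str(uuid.uuid4()), name, description, model_id,
                            credential, expires)
        self._twins[twin.twin_id] = twin
        return twin

    def set_enabled(self, twin_id: str, enabled: bool) -> None:
        """Disable to block data from a compromised device; re-enable after remediation."""
        self._twins[twin_id].enabled = enabled

    def accept_telemetry(self, twin_id: str, presented: bytes, *, is_cert: bool,
                         payload: Dict[str, float], now: int) -> bool:
        """True only for a known, enabled twin presenting its bound, unexpired
        credential and reporting fields that its model defines."""
        twin = self._twins.get(twin_id)
        if twin is None or not twin.enabled:
            return False
        if twin.credential_expires is not None and now >= twin.credential_expires:
            return False
        presented_fp = _fingerprint("x509" if is_cert else "token", presented)
        if not hmac.compare_digest(presented_fp, twin.credential):
            return False
        model = self._models[twin.model_id]
        return set(payload) <= model.telemetry


if __name__ == "__main__":
    registry = TwinRegistry()
    registry.add_model(TwinModel("building-v1", frozenset({"temp_c", "humidity"})))
    now = int(time.time())
    cert = b"-- constructed stand-in for the device's DER certificate --"
    hq = registry.create_instance("HQ", "Head office", "building-v1",
                                  cert_der=cert, expires=now + 86400)
    print(hq.twin_id, registry.accept_telemetry(
        hq.twin_id, cert, is_cert=True, payload={"temp_c": 21.5}, now=now))
```

The model binding is what makes the last check possible: a twin derived from `building-v1` cannot suddenly start reporting fields the model never defined, which is one cheap way to notice a device that is no longer running the firmware you think it is.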

It’s Time to Dump your 1990s App Authentication


Migrate Win32 applications secured by client/server #database logins to #mobile apps that use OAuth & enterprise #cloud directories for authentication instead.

Do you know Scott Tiger? Are you familiar with SA and no password? If so, you have probably worked with client/server database security mechanisms from companies like Oracle, Microsoft, IBM and others (scott/tiger is Oracle’s well-known demo login, and sa with a blank password was the default on older SQL Server installs). Anyone who has built client/server, multi-tier database systems over the years has worked with Oracle Net Listener, TNSNames, Sybase DB-Library, ISAM and VSAM drivers, plus a revolving door of Microsoft drivers. App logins were typically the same as the database login: the DBAs were in control and app developers worked with what they were given. Sometimes data access was secured through views or stored procedures. Things improved when databases started supporting integrated authentication, where data access could be controlled by users and groups found in the company’s Active Directory.

Today’s mobile apps don’t connect to client/server databases this way. Win32 apps connecting over the LAN or VPN can kick the can down the road a bit longer; everything else talks to databases through web APIs or a sync service. Those APIs still use a database login to connect, but it is the API’s own service account, and the services they expose are secured by the enterprise directory: the mobile app obtains an OAuth access token from the directory and presents it to the API, which validates the token (signature, issuer, audience, expiry) and authorizes the request from the identity and group claims it carries. The database never sees an individual user’s credentials. This pattern provides identity management to mobile apps. Cloud-based enterprise directories must also be kept in sync with existing on-premises directories so that login stays seamless for employees. Add multi-factor authentication to boost security, and don’t accept consumer identity providers like Facebook or Twitter for access to corporate data.
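The pattern in the paragraph above, as an added example that is not from the original post or the book: an API handler that validates a bearer token from the directory and then queries the database with its own service account, authorizing rows from the token’s group claims. The issuer URL, audience, shared HS256 key, group-to-region mapping and the in-memory SQLite table are all assumptions for illustration; a real directory signs tokens with an asymmetric key (RS256/ES256) and you fetch its public keys from the issuer’s JWKS endpoint instead of sharing a secret.

```python
"""Added example: decoupling app authentication from database logins.
Issuer, audience, signing key, group mapping and the sample table are assumed."""
import base64
import hashlib
import hmac
import json
import sqlite3
from typing import Dict, List, Tuple

ISSUER = "https://login.example.com/contoso"   # assumed directory tenant
AUDIENCE = "api://orders"                      # assumed identifier for this API
SIGNING_KEY = b"example-only-shared-secret"    # assumed; real directories use RS256/ES256 keys

# Assumed mapping from directory groups to the rows a caller may see.
GROUP_TO_REGION = {"sales-emea": "EMEA", "sales-apac": "APAC"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, groups: List[str], now: int, ttl: int = 3600) -> str:
    """What the directory's token endpoint does after the user signs in (and passes MFA)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "groups": groups, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, now: int) -> Dict:
    """Validate signature, algorithm, issuer, audience and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        signature = b64url_decode(sig)
    except ValueError as exc:            # binascii.Error and JSONDecodeError are ValueErrors
        raise PermissionError("undecodable token") from exc
    if header.get("alg") != "HS256":     # never honour "none" or a caller-chosen algorithm
        raise PermissionError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("token not issued for this API")
    if now >= int(claims.get("exp", 0)):
        raise PermissionError("token expired")
    return claims


def open_service_db() -> sqlite3.Connection:
    """The API's own database connection (its service account); end users get no DB login."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, region TEXT NOT NULL, total REAL NOT NULL);
        INSERT INTO orders VALUES (1, 'EMEA', 100.0), (2, 'APAC', 250.0), (3, 'EMEA', 75.0);
    """)
    return db


def list_orders(db: sqlite3.Connection, bearer: str, now: int) -> List[Tuple[int, str, float]]:
    """API handler: who the caller is comes from the token, not from a database login."""
    claims = verify_token(bearer, now)
    regions = [GROUP_TO_REGION[g] for g in claims.get("groups", []) if g in GROUP_TO_REGION]
    if not regions:
        raise PermissionError(f"{claims['sub']} is in no group that grants order access")
    placeholders = ",".join("?" * len(regions))   # parameterised values, never string-built
    query = f"SELECT id, region, total FROM orders WHERE region IN ({placeholders}) ORDER BY id"
    return db.execute(query, regions).fetchall()


if __name__ == "__main__":
    db = open_service_db()
    now = 1_700_000_000
    print(list_orders(db, issue_token("alice@example.com", ["sales-emea"], now), now))
```

Note what the database connection never learns: the caller’s name, password or group membership. Revoking a user, changing their groups or enforcing MFA all happen in the directory, and the API picks the change up on the next token without any DBA involvement.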

Reduce risk to your organization by decoupling app security from database authentication and make the move to company-wide directory services. Has your employer switched all its enterprise apps to modern authentication methods yet?

Learn how to digitally transform your company in my newest book, “Mobile Strategies for Business: 50 Actionable Insights to Digitally Transform your Business.”


Click here to purchase a copy of my book today and start transforming your business!

12 Steps to Stop the Next IoT Attack in its Tracks


Distributed denial-of-service (DDoS) #IoT attacks against DNS are a wake-up call to how fragile the #Internet can be.

The DDoS attack on DNS infrastructure by a botnet of thousands of compromised IoT devices means it’s way past time to take IoT security seriously. The bad actors who previously used PCs, servers and smartphones to carry out attacks have now set their sights on the growing tidal wave of IoT devices, most of which ship with default credentials and no update path. It’s time for consumers and enterprises to protect themselves and others by locking down their devices, gateways and platforms. While staying secure is a never-ending journey, here’s a list of twelve actions you can take to get started:

  1. Change the default usernames and passwords on your IoT devices and edge gateways to strong, unique ones; botnets recruit devices by trying factory defaults.
  2. Device telemetry connections should be outbound-only. A device that listens on an open port for commands is reachable by anyone who can route to it; deliver commands over the connection the device itself opened to the platform.
  3. Devices should support secure boot, verifying that the firmware is signed by the manufacturer before running it, so altered firmware is refused.
  4. Devices must have enough compute power and RAM to establish a transport layer security (TLS) connection and protect data in transit.
  5. Prefer devices and edge gateways with a Trusted Platform Module (TPM) or equivalent secure element, so keys, connection strings and passwords are stored in hardware rather than in flash where firmware extraction exposes them.
  6. IoT platforms must maintain a registry of authorized devices and edge gateways, their keys or certificates, and expiration dates/times, and authenticate every connection against it.
  7. Where devices and gateways have fixed addresses, restrict the telemetry ingestion endpoint to those IP ranges. Treat this as defence in depth, not a substitute for per-device authentication: devices on mobile networks rarely have stable addresses.
  8. An embedded device or gateway is only known to be secure at the moment it was assessed, so IoT platforms must be able to update their firmware remotely, and (per item 3) the device must verify those updates are signed before applying them.
  9. When telemetry arrives in an IoT platform, the queue, bus or storage where data comes to rest must be encrypted.
  10. Devices and edge gateways managed by an IoT platform must rotate their access tokens before they expire, so a stolen token has a short useful life and a device is never locked out by a lapsed credential.
  11. Field gateways in the fog layer must authenticate the IoT devices connected to them, encrypt any data they buffer at rest, and authenticate in turn to the upstream IoT platform.
  12. IoT platforms must authenticate each device sending telemetry and be able to block a compromised device immediately, before its traffic is accepted or relayed.
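The registry, rotation and revocation behaviour behind items 6, 10 and 12, as an added example that is not from the original post or any vendor’s SDK. It models a shared-access-signature style token (HMAC-SHA256 over the resource URI and an expiry time) that the device derives from its registered key, renews while the old one is still valid, and that the platform verifies against its registry and revocation list. The hub name, device ids, key, lifetimes and times are constructed for illustration.

```python
"""Added example: device-side token rotation and platform-side authentication.
Resource layout, hub name, keys and times are assumptions for illustration."""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple
from urllib.parse import quote, unquote


def make_token(resource_uri: str, key: bytes, expiry: int) -> str:
    """Shared-access-signature style token: HMAC-SHA256 over '<resource>\\n<expiry>'.
    The device key signs the token but is never itself sent over the wire."""
    resource = quote(resource_uri, safe="")
    mac = hmac.new(key, f"{resource}\n{expiry}".encode(), hashlib.sha256).digest()
    sig = quote(base64.b64encode(mac).decode("ascii"), safe="")
    return f"sr={resource}&sig={sig}&se={expiry}"


class Device:
    """Device-side credential handling: renew while the current token is still valid."""

    def __init__(self, device_id: str, key: bytes, hub: str,
                 ttl: int = 3600, renew_before: int = 600) -> None:
        self.resource = f"{hub}/devices/{device_id}"
        self.key, self.ttl, self.renew_before = key, ttl, renew_before
        self._token: Optional[str] = None
        self._expiry = 0

    def current_token(self, now: int) -> str:
        # Item 10: rotate before expiry so there is never a window without a valid token.
        if self._token is None or self._expiry - now <= self.renew_before:
            self._expiry = now + self.ttl
            self._token = make_token(self.resource, self.key, self._expiry)
        return self._token


class Platform:
    """Platform-side registry of authorized devices, their keys, key expiry and revocations."""

    def __init__(self, hub: str) -> None:
        self.hub = hub
        self._devices: Dict[str, Tuple[bytes, int]] = {}
        self._revoked: Set[str] = set()

    def register(self, device_id: str, key: bytes, key_expires: int) -> None:
        self._devices[device_id] = (key, key_expires)      # item 6: key plus its expiry

    def revoke(self, device_id: str) -> None:
        self._revoked.add(device_id)                       # item 12: block a compromised device

    def authenticate(self, device_id: str, token: str, now: int) -> bool:
        if device_id in self._revoked or device_id not in self._devices:
            return False
        key, key_expires = self._devices[device_id]
        if now >= key_expires:                             # the registered key itself has lapsed
            return False
        try:
            fields = dict(part.split("=", 1) for part in token.split("&"))
            expiry = int(fields["se"])
            resource = unquote(fields["sr"])
        except (KeyError, ValueError):
            return False
        if now >= expiry or resource != f"{self.hub}/devices/{device_id}":
            return False
        # Recompute the token from the registered key and compare in constant time.
        expected = make_token(resource, key, expiry)
        return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    hub = Platform("hub1")
    key = bytes(range(32))                                  # constructed device key
    hub.register("sensor-1", key, key_expires=1_800_000_000)
    sensor = Device("sensor-1", key, "hub1")
    t0 = 1_700_000_000
    print(hub.authenticate("sensor-1", sensor.current_token(t0), t0))
```

Two details matter in practice. The device renews when `renew_before` seconds remain rather than when the token has already expired, so the reconnect happens while the old credential still works. And the platform checks the resource in the token against the device id that presented it, so a token minted for one device cannot be replayed under another identity even if the two share a key.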

Keeping the various components that make up the IoT value chain secure requires constant vigilance. In addition to doing your part, it’s important to hold the vendors of the IoT devices, gateways and platforms accountable for delivering technology that’s secure today and in the future.

Improve Employee Productivity at your Company by Implementing a Hybrid Identity Strategy


#Identity and Access Management is key to facilitating employee access to corporate and 3rd party resources from any #mobile device on any #network.

Most of you are well-versed at entering user names and passwords to access social media and banking sites from your desktop browser. Based on the identity you provide, you’re given access to those sites. Some of you in the corporate world might know what it means to join your computer to a Domain. Your company has you do this so you only have to enter your credentials once while getting access to multiple servers. This is called single sign-on (SSO), and it relies on a directory service.

With people moving to myriad mobile devices and enterprise workloads moving to the cloud, the SSO technologies of the past require retooling. To make this work in a heterogeneous world, you need standards-based security tokens that any operating system can consume, such as Security Assertion Markup Language (SAML) assertions for browser-based apps and OAuth 2.0 access tokens for mobile apps and APIs. A Security Token Service (STS) issues those tokens to clients on behalf of the application or service they want to reach, after verifying the user’s credentials.

Today, you need a cloud-based directory service to manage users, groups and roles. It must provide hybrid identity by synchronizing with on-premises directories so users can seamlessly authenticate whether they’re inside the corporate WLAN or roaming on mobile data networks. Additionally, it must provide users with SSO to apps and services residing in other clouds. Finally, this service must support multi-factor authentication (MFA), which requires at least two of the following before granting access to corporate resources: something the user has (a phone), something they know (a password or PIN) and something they are (biometrics).
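The “something they know” plus “something they have” check that the directory performs before the STS issues a token, as an added example that is not from the original post or the book. The second factor is an RFC 6238 TOTP code of the kind a phone authenticator app generates; the `Directory` class, the user records and the sample secret are constructed for illustration (the secret is the RFC’s published test seed, so the expected codes are known).

```python
"""Added example: password plus TOTP (RFC 6238) multi-factor check.
The Directory class, user records and sample secret are assumptions for illustration."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with the default HMAC-SHA1: HOTP over the current time step."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class MfaVerifier:
    """Accepts a code for the current step or `window` steps either side (clock drift),
    and never accepts the same step twice for a user (replay protection)."""

    def __init__(self, window: int = 1, step: int = 30) -> None:
        self.window, self.step = window, step
        self._last_used: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self._last_used.get(user, -1):
                continue                          # already consumed: treat as replay
            if hmac.compare_digest(totp(secret, candidate * self.step, self.step), code):
                self._last_used[user] = candidate
                return True
        return False


class Directory:
    """Minimal stand-in for the directory's sign-in step: password, then TOTP."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, bytes]] = {}   # salt, pbkdf2 hash, totp seed
        self._mfa = MfaVerifier()

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt), totp_secret)

    def authenticate(self, user: str, password: str, code: str, now: int) -> bool:
        """True only when both factors check out; the STS issues a token only after this."""
        record = self._users.get(user)
        if record is None:
            return False
        salt, pw_hash, secret = record
        if not hmac.compare_digest(self._hash(password, salt), pw_hash):
            return False                          # don't burn the TOTP code on a bad password
        return self._mfa.verify(user, secret, code, now)


if __name__ == "__main__":
    seed = b"12345678901234567890"                # RFC 6238 test seed, not a real secret
    print(totp(seed, 59, digits=8))               # the RFC's published value for T=59 is 94287082
    directory = Directory()
    directory.enroll("carol", "correct horse", seed)
    print(directory.authenticate("carol", "correct horse", totp(seed, 1_700_000_000), 1_700_000_000))
```

The replay check is the part most home-grown implementations forget: a one-time code is only one-time if the server records the step it was used for and refuses it again, even within the drift window.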

Reduce risk and improve user productivity by restricting corporate access to those employees with credentials found in cloud and on-premises directories. What is your company doing to provide secure access to its business systems from any device?
