IoT IAM is the basis of IoT security

The recent cyber-attack that paralyzed the Colonial Pipeline, the largest pipeline system for refined oil products in the U.S., reminds us of how important cyber security is in a world where everything is connected. It will take time to find out the cause of this incident, but such attacks on the national mission-critical infrastructure are not limited to recent events.

The Saudi Aramco's drone accident in 2019 is well known. The Saudi Arabia's state-owned oil company stopped oil production due to a drone attack. As a result, international oil prices soared, which had a significant impact on the world. This is an important incident in that it demonstrated how drones could be used for military attacks.

One of the important issues in drone security is safe communication between control devices and drones. If the communication signal is hijacked to give a manipulated command or to establish its goal and route in advance, it can cause serious problems. It is also important to ensure that the drone and the control device communicate accurately without crosstalk of numerous communication signals in the air.


The IoT IAM market grows at an annual average of 60.2% until 2025.

These issues are not solely applicable to drones. There is also a potential risk with all the Internet of Things (IoT). In a hyper-connected society in which a vast amount of IoT devices are used, we need technology to find an accurate signal among a number of communication signals in the air. IoT communication must be protected from leakage of confidential or personal information. In particular, IoT security has become paramount as a result of strong regulations imposed by the EU GDPR.

IoT Identity & Access Management (IAM) is drawing attention as a solution to these problems. It detects and takes action on unmanaged devices, granularly controls connected devices, and provides device identity management and access control.

IoT IAM is becoming more and more important due to COVID-19. As physical movement is restricted, communications between machines without human intervention have increased. In addition, as 5G proliferation enables wired and wireless high-bandwidth communication, it is possible to smoothly support large-scale traffic environments in which billions of devices communicate. As a result, the use of IoT is widening.

With numerous devices being connected, device identification and access management have emerged as an urgent issue. The Quadrant Knowledge Solutions predicted that “IoT IAM will become the most important technology within 4~5 years” in SPARK Matrix: IoT IAM in 2020. The report expects that the IoT IAM market will grow at an annual average of 60.2% from 2020 to 2025 and reach $2.34 billion in 2025 from $137.9 million in 2019. It is foreseen that almost all industries will adopt IoT IAM including manufacturing, healthcare, and medical devices, energy and utilities, automobiles and sports, smart cities, and telecommunications.


A wide range of scalability and IoT protocols must be supported.

IoT IAM is different from IAM in enterprises. The IAM of enterprises is controlled based on user or IP address, but IoT cannot be controlled by IP due to it using dynamic IPs. Some devices cannot apply not only MFA but also ID/PW. If they use IoT-specific protocols such as MQTT, CoAP, and XMPP, they cannot interoperate with existing IAM.

IoT IAM must support scalability to manage millions of devices and various IoT protocols. It verifies identity and integrity over the lifecycle of IoT devices and protects data with end-to-end encryption. It handles communications between billions of IoT devices and other entities including networks, other devices, people, and applications.

The most basic and essential function of IoT IAM is to distribute and manage device security keys and certificates. Even when an authentication key is embedded in the hardware manufacturing stage or a security key is inserted into the OS or firmware by software, it must be possible to verify that the device is actually correct, issue a legitimate command, and verify that the command was properly received and executed.

Encryption keys should never be duplicated with other devices, and the possibility of decryption should be eliminated when it is stolen. As a result, longer and stronger encryption algorithms are needed, and more resources are inevitably required to handle them. If one of the IoT devices cannot provide sufficient resources for encryption authentication, the device cannot be identified and controlled in an environment where a large amount of IoT is used. Eventually, we have no choice but to face up to the reality of an IoT security incident.


How to identify and control IoT with non-duplicate one-time ID

SSenStone's One-Time Authentication Code (OTAC) solves the core problem of IoT IAM by creating a one-time ID that is not duplicated. The OTAC applies ultra-small algorithm codes, so it can be sufficiently applied even to IoT devices that require very few resources.

Devices can be identified and controlled with a one-time authentication code that is generated immediately without a network connection and without the hassle of registering the terminal on the server. It provides the advantages of an authentication system such as ID/PW, authentication code generation, RSA HW·SW, and tokenization. A simple and seamless integration service can be provided to IT managers through API·SDK.



Leave a Comment