It is amusing to see the marketing currently attempted by using an offshoot of the phrase “Internet of Things”. Of course, as an analyst I am no different, so I will propose to you yet another concept that several of us at Gartner have been discussing the past year in IoT security, and that is the concept we refer to as the “Identity of Things”. Here is our premise.
The IoT trend is part of the digital business trend Gartner believes is transforming enterprises today. It works under the assumption that business, people and ‘things’ are equal partners in delivering business value. More importantly, the trend identifies a key concept of “relationships” between businesses, people and things. There is an art to defining those relationships to ensure that policy and process can be articulated properly, and that the technology of things can be configured to reflect those relationships. I realize that may sound confusing, so let me give you an example.
The automobile industry is a business. When a consumer buys a specific automobile, a relationship (at the very least contractual) is established between that consumer and the business that sold them the automobile. A relationship may be established with a specific dealer, a specific maintenance provider, a specific insurance company– all of the businesses that the person interacts with at some point in the relationship lifetime of the automobile. The person also has a relationship of sorts with the automobile (as a device) as well. The instruments and environment of the automobile may be tailored to that person’s specific driving habits, such as seat position, steering wheel tilt, temperature, and even radio station. The devices that make up an automobile may even have defined relationships with one another, since a modern automobile is a traveling IoT ‘cloud’. Weather conditions may inform sensors on the automobile to talk to other devices to automatically perform certain functions to the make the ride safer, for example.
My point is that we have a vast number of interacting entities in the world that can be assigned identities. These identities can be used in a formal way to define a business, part of a business, a person, a device or device collection, all with the purpose of enabling and specifying the “rules” of engagement between these different entities. Think about how identity and access management (IAM) systems work today for human users of applications and data. A unique ID is assigned to the human and a set of attributes effectively defines the digital version of the human. Another set of attributes can be created to define the relationship that person may have with an application. Those particular attributes are then used in the authentication and authorization phase of the person engaging with the application. In essence you want that human to have a relationship with the application, so you provide the means to do so in a formal set of policies and rules.
Now, imagine that you work within a universe of the entities (businesses, people, things) in countless combinations of relationships. At some point we will be faced with the task of determining just how we will identify those entities just enough to be able to articulate those relationships effectively for transacting business. We must ask ourselves whether our existing technology such as IAM and asset management can be combined and/or extended to accommodate such an effort, or will something radically new be necessary to handle the complexity of those relationships. We will also need to determine how much information is enough information for executing on the relationships, how dynamic will they be, how we might ‘log’ the relationship event– the list goes on.
Fortunately, there are companies that have already begun to tackle this issue, developing conceptual models for the Identity of Things and testing them. IoT application developers and integrators are also driving efforts to ensure their solutions have a world in which they can operate. Standards groups are debating this problem and possible solutions and formulating different identity data models to be tested.
I believe the IoT is forcing an inflection point in the industry that manages assets and user identities. It will generate a lively debate around the Identity of Things (maybe we’ll call it the IDoT, who knows) and ultimately will result in an updated view of identity management. Perhaps we will even see a day when the Identity of Things will evolve into a form of identity relationship management. The future is full of possibilities.