How to secure IoT devices of the future
The identity market is moving fast, whether it’s in artificial intelligence, regulatory changes, IoT, or helping identity managers to make better decisions. To get a sense of what these new trends mean ahead, Núria Barceló i Peiró, NXP team leader and manager of identity and access management for NXP Semiconductors NV.
What’s your involvement with identity management at NXP?
“I’ve been at NXP for the past three and a half years. I’m leading the identity management department, which is managed under the infrastructure organisation here. At the identity management department, we provide the central management of identities and authentication, authorisation, and biometrics. Over the past few years, our organisation has focused on integrating and divesting a number of companies, and we have used this time to put into place identity management improvements.
One of the recent things we’ve achieved is to move more of our identity management efforts to SailPoint. One of the companies we acquired was using SailPoint, and it looked more mature than the tools we were using. We took a closer look at SailPoint and decided to move forward.”
As you moved forward with SailPoint, what have you achieved?
“We started at the same time with IdentityIQ and IdentityNow because we had to replace our single sign-on portals, and we also had to enhance our identity management system overall. We first implemented IdentityNow because it was straightforward to implement.
IdentityNow is cloud-based and helps us to unify identity management across systems and devices. When it comes to identity, we have been replacing our old systems; in one environment we are complete, and we are right now finishing the second environment.
Something that we are quite proud is our being able to offer our people the ability to reset their passwords while not being physically on NXP premises. We are also increasing our use of strong authentication. Other improvements have been simplifying aspects of our identity management. For example, we used to have a lot of attributes defining a user, and there was a lot of historical data that we no longer needed. We decided to take this opportunity and simplify those attributes. This simplification will also help us in the future if we have to upgrade. We also simplified some of the processes, and we have also automated some things that we had to do manually before.
Also, I think the solution right now is much more highly available than what we used to have. For example, in the single sign-on portal, we are much faster now to introduce new applications into the single sign-on portal. So that for us a win-win situation where we are very happy.”
What do you think are the most important identity management trends?
“For us especially, I think it’s going to have a major impact in coming months. Luckily, we don’t have too much private information held on our users, so that will help limit its impact on us, but we still need to asses which changes we will have to apply.
The other thing we need to think about is automation and artificial intelligence to provide better security and to help users get the right access. I am interested to know how the market develops in these areas.”
How do you approach identity when you have a lot of legacy systems?
“Yes, but also sometimes it’s unifying. One of the things I’ve explained, especially when it comes to applications, is that if they could rely on a central identity for roles that they could define, then they will not have to store identity information at all. And it would then be much easier for identity management and governance because we would only need provision to one system, and all other applications are centrally managed. Then, you can give users the freedom to set their own identities.
The only thing application owners would then need to take care of is when they have a new application. They’d then have to define which groups or roles they’re going to have for that application and then link the required identity management system for provisioning.”
Will IoT eventually change how enterprises have to approach identity management because of the sheer scale of devices?
“We define what we call personal identities and functional identities. I’m the owner of identity management. I really don’t care whether it’s a person or a device or a system. I don’t feel that at the end of the day we put many different roles or different entitlements to our Internet of things identities. At the end of the day, what NXP will define is that each identity has an owner or a manager. If it’s a person, it’s a manager; if it's a functional identity, then it’s an owner. But once that is defined, there is not much difference.
I think the difference will be more in the applications, but the application then will make us depend on the roles that the identity has, or, depending on the type, you may decide to allow or not to allow system access. Scale will be a factor here because there will be many more functional identities in the future.”