IoT devices are getting cheaper by the day. One can easily deploy a robust sensor network for under $100 in their organization. The user experiences these services make possible can change how customers view your brand. They can also be used for good and restore freedom and mobility to an aging population.
Many organizations are moving to a Zero Trust model; the most publicly discussed implementation is Google’s BeyondCorp.
We trust nothing and build up profiles of the users and devices that connect to our networks and services. Even 20-person companies are able to build perimeterless security solutions that span their on-premise and cloud services.
Ideally we are moving beyond just a password, and beyond MFA, to true assertion of a user, the devices they use and the patterns they follow every day.
Better definition of corporate identity that aligns with how employees operate today
Access decision making is done with the right contextual information
Access controls are centralized with better visibility into employee activity
Enforced security measures encourage better corporate security posture
The network no longer defines trust, eliminating common attack vectors
Very quickly, through our users’ devices, we learn the behaviors people follow: geolocation, gait analysis, temperature, barometric pressure, voice recognition, facial recognition, connected devices, biometrics, connected accounts.
Mindwave headset
And also the users’ devices themselves, utilizing device profiling, certificates, patch levels, velocity checks, IP address, time of day, trusted devices, fingerprinting, open ports, known software versions, and the combination of these devices working together in proximity from the same places.
People have become the new perimeter.
With all of this movement, it’s always bugged me that in so many companies the logical access control systems are completely separate from the physical access control systems. Badge readers, security cameras and security personnel are rarely integrated into the IAM governance solutions. Contractors and visitors are managed in the physical systems but never connected to our internal systems for account provisioning or for tracking them around the building.
When we get an itch as a company we tend to do things that also solve a problem we personally have. In 2013 we wanted to learn more about AWS so we built a scalable cloud native web application to help us and up to 10,000 of our closest friends at a time to plan, rate and drink more beer at festivals across the country. There is nothing like 10,000 drunk people hitting your app within a 20 minute period to make sure your auto scaling works.
This project was no different, but this one was for a much more noble cause. We’d been scratching an itch on how to manage IoT devices that aren’t directly tied to humans, the rapid lowering of costs to acquire and deploy devices, advancement in BLE technologies for positioning (we tried this with our beer event application) and facial recognition APIs from Google and Amazon. We also realized how cheap and easy it is to clone an RFID-based access card with only a few hundred dollars in hardware and proximity to your readers.
This is Chris. Additionally, Chris was mentioning that his mother-in-law was struggling with dementia; she and her husband were currently living with them and were soon to move into a new retirement community. There was worry that she would get lost and not deal well with the transition. Soon after moving into the new environment these worries turned out to be true. Not being familiar with the new environment, she struggled to adapt. She could not easily find where she was supposed to be going, was getting lost, and started to just stay in her room and not enjoy life.
When Chris talked with her, he asked why she didn’t use the facility’s call button to ask for help when she was stuck. She felt that she was a bother to the staff with the button, and they treated it like an emergency. She also wanted a way to more discreetly ask for help from friends and family and not cause a stink.
Initially we tried addressing some of this by giving her shortcuts on her phone to call specific people and updating her Google Calendar to remind her where she was going, but the biggest challenge was that she couldn’t describe where she was if she was in trouble, or how she could get to the actual places that were on her calendar.
We were close, but had to turn it on its head to overcome these issues. We started using active readers (first Raspberry Pis, then ESP32s at about $10 each) and dummy tokens. We built a mesh network of the devices so they all communicated with each other on beacon locations. We found that BLE-enabled badges and fobs are down to $1 apiece at scale. Some of these even have the ability to broadcast a different identifier when a button is pushed. We were able to control the antenna/signal strength to get better positioning. We had a working prototype for one person and their family.
Then something happened. Other people started asking questions, she shared the cool tracking with her friends. They wanted it too. The facility asked us about it because they could see her demeanor change.
All of a sudden we had an identity problem brewing.
Multiple devices, people registration, fob registration; we needed to associate those fobs to humans and to track only allowed fobs. Their friends needed to register for the platform. They had to authorize their friends to see their locations. We had to register staff members. Everyone needed authentication for the UIs.
Distributed readers needed to be managed by the platform. We had to manage certificates on the devices and control software push updates from afar.
Show user interfaces, show architecture diagrams, show some of the devices, discuss the standards being used in each level / layer of the architecture (certificates, MQTT, OAuth, OIDC, social login, etc.).
Discuss how this not only applies to a nursing home, but how these signals can contribute additional factors for authorization policies and for tracking behavior patterns. It is easier to detect badge cloning without expensive camera systems (though those would add more context).
Talk about simple things like what was done at the CIA: if you aren’t in the building you can’t log into the network directly. No more tailgating. When you leave, you badge out and we remove your access.
Your badge is in the office with your laptop, but your phone is at home. What is the policy and access risk on this?
Your customers are in the store; where are they? Are they a VIP? What were they looking at on your website last night? What should you sell them today? What did they leave in their cart?
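As an added example that is not part of the talk, a small policy evaluator in Python for the questions above: it combines badge reads, phone presence and a badge velocity check (the same badge read at two sites too close together in time) into one login decision. Users, sites and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Signal:
    user: str
    kind: str       # "badge", "phone" or "login"
    location: str   # site or network zone where the signal was observed
    ts: datetime

def badge_clone_suspects(signals, min_travel=timedelta(minutes=30)):
    """Velocity check: the same badge read at two different sites closer in
    time than anyone could physically travel between them is a clone suspect."""
    badges = sorted((s for s in signals if s.kind == "badge"), key=lambda s: (s.user, s.ts))
    suspects = set()
    for a, b in zip(badges, badges[1:]):
        if a.user == b.user and a.location != b.location and b.ts - a.ts < min_travel:
            suspects.add(a.user)
    return suspects

def decide_login(signals, login, presence_window=timedelta(hours=10)):
    """Return (decision, reason) for a direct network login using physical context.
    No badge-in at the login site -> deny; badge seen at two sites too fast -> deny;
    badge here but phone elsewhere -> step up to MFA; badge and phone here -> allow."""
    recent = [s for s in signals if s.user == login.user
              and login.ts - presence_window <= s.ts <= login.ts]
    if not any(s.kind == "badge" and s.location == login.location for s in recent):
        return "deny", "no badge-in at this site; user is not in the building"
    if login.user in badge_clone_suspects(signals):
        return "deny", "badge velocity check failed; possible cloned badge"
    if not any(s.kind == "phone" and s.location == login.location for s in recent):
        return "step_up", "badge present but phone elsewhere; require MFA"
    return "allow", "badge and phone both observed at the login site"

def run_demo():
    """Constructed sample day: four hypothetical users, two hypothetical sites."""
    def t(h, m): return datetime(2024, 1, 15, h, m)   # constructed timestamps
    signals = [
        Signal("alice", "badge", "HQ", t(8, 0)), Signal("alice", "phone", "HQ", t(8, 5)),
        Signal("bob", "badge", "HQ", t(8, 0)), Signal("bob", "phone", "home", t(8, 5)),
        Signal("dave", "badge", "HQ", t(8, 0)), Signal("dave", "phone", "HQ", t(8, 5)),
        Signal("dave", "badge", "Branch", t(8, 10)),  # same badge read at a second site 10 min later
    ]
    logins = [Signal(u, "login", "HQ", t(9, 0)) for u in ("alice", "bob", "carol", "dave")]
    return {l.user: decide_login(signals, l)[0] for l in logins}

if __name__ == "__main__":
    for user, decision in run_demo().items():
        print(f"{user}: {decision}")
```

Carol never badged in, so her login is treated as tailgating or remote access and denied; Bob's badge is present but his phone is not, which is the step-up case from the question above.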
A car pulls into the service bay, know what car it is and what you need to schedule before you even approach the window of the vehicle.
Greet the customer by name when they pull up to the speaker to order lunch, ask them if they want the grande frappuccino again.
When the customer walks in just hand them their pizza from the shelf. It’ll amaze them.
You are watching TV with your significant other and go to bed; your set top box should know when you left the room and where to start the show when you get up in the morning (even though they stayed up and finished the show).
These devices are getting cheaper every day, the best practices are emerging, and the exciting new opportunities they provide for our businesses can help power your digital transformation. With the power of identity we can change the lives of our customers for the better and give them a much more memorable experience.