“Edge” Identity and Access Management
The premise of “fog” or “edge” computing is that some processing of Internet of Things (IoT) device data occurs near the device rather than all of it being sent up to the cloud for analysis there. A key advantage of such local processing is the potential for more dynamic and timely analysis. Would you want your self-driving car sending road conditions up to the cloud so that a decision about the optimally safe speed could be made there? Bandwidth limitations may be an issue as well. Billions of sensors sending every bit of data up to the cloud, even when much of it could have been analyzed closer to home, could clog the network quickly. And if a device is connected to the cloud only intermittently, being able to perform some meaningful analysis of sensor data even in the absence of the cloud enables a graceful degradation model rather than a hard failure.
Edge computing could also offer security and privacy advantages. By not sending all data to the cloud, an edge architecture limits the impact if the cloud server is breached: data that never left the device cannot be stolen from the server. In a sense, the FIDO model of user authentication, in which biometric validation of a user happens on a local device and not on a server (the server holds only a public key, so a bulk compromise of it yields no reusable biometric), is a privacy-enhancing example of edge computing.
So if edge computing is the idea of pushing the application processing of device data out to the edge of the network, how do we do it within the existing best practices of identity management in the cloud? If the cloud platform is unavailable, the fundamental identity management operations of authentication and authorization of edge actors clearly can’t rely on cloud-hosted endpoints. As a concrete example, if a device obtains an OAuth access token from a cloud-hosted authorization server, and that server is offline when the access token expires (short token lifetimes being what good security practice requires), how can the device continue to operate securely against other local devices and endpoints? Or how can a local API endpoint validate a security token presented to it on an API call if the cloud verification (token introspection) endpoint is unavailable, or can’t be reached in a timely manner?
Fog or edge computing distributes data, storage and processing more logically and efficiently than the simplistic ‘all cloud, all the time’ model. But identity management functions must follow, and be correspondingly distributed between the edge and the cloud. Certain endpoints (by which IoT devices access authentication and authorization functions) must be mirrored out to the edge, and the edge and cloud must be brought back into sync as soon as connectivity allows.
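As an added illustration of the second question above (a local API endpoint validating a token while the cloud verification endpoint is unreachable), here is a small Go program that is not part of the original post and not Ping Identity code. It assumes the access token is a signed JWT (ES256), which the post does not specify; the type names CloudAS and EdgeVerifier, the key id "key-2017-05", the subject "sensor-17" and the audience "gateway-api" are all made up for the example. The cloud authorization server signs tokens; the edge verifier keeps a locally cached copy of the server's public keys (Sync stands in for fetching a JWKS document whenever the cloud is reachable) and validates signature, key id, audience and expiry without any network call.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of JWT claims (RFC 7519) that the edge checks.
type Claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// CloudAS stands in for the cloud-hosted authorization server that holds the signing key.
type CloudAS struct {
	kid  string // key id published with the public key, as a JWKS endpoint would
	priv *ecdsa.PrivateKey
}

// IssueToken mints a compact JWS signed with ES256 (base64url segments, no padding).
func (as *CloudAS) IssueToken(c Claims) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": as.kid})
	body, _ := json.Marshal(c)
	signingInput := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, as.priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s, each left-padded to 32 bytes (RFC 7518 3.4)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + enc(sig), nil
}

// EdgeVerifier validates tokens from its local key cache only; Verify never calls the cloud.
type EdgeVerifier struct {
	Aud  string
	keys map[string]*ecdsa.PublicKey
}

// Sync refreshes the cached public keys (stands in for fetching the AS's JWKS URL). Run it
// whenever the cloud is reachable so a rotated signing key does not strand the edge.
func (v *EdgeVerifier) Sync(as *CloudAS) {
	v.keys = map[string]*ecdsa.PublicKey{as.kid: &as.priv.PublicKey}
}

func (v *EdgeVerifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("malformed token or alg not ES256 (the algorithm is pinned, never read from the token)")
	}
	pub, ok := v.keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q: key cache stale, resync when the cloud is reachable", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil || c.Aud != v.Aud {
		return nil, fmt.Errorf("bad claims or wrong audience (want %q)", v.Aud)
	}
	if !time.Now().Before(time.Unix(c.Exp, 0)) { // expiry is enforced from the local clock; nobody to ask for an extension
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	as := &CloudAS{kid: "key-2017-05", priv: priv}
	tok, _ := as.IssueToken(Claims{Sub: "sensor-17", Aud: "gateway-api", Exp: time.Now().Add(10 * time.Minute).Unix()})
	edge := &EdgeVerifier{Aud: "gateway-api"}
	edge.Sync(as) // last sync while the cloud was still reachable
	c, err := edge.Verify(tok) // the edge may be offline now: no network call is made
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

Two points the code makes deliberately. The verifier pins the algorithm and looks the key up by kid from its own cache, so an edge node that missed a key rotation fails closed with a clear "resync" error rather than accepting anything; and it enforces exp from the local clock and refuses to extend an expired token. That second behaviour is exactly why the first question in the paragraph above (the device's token expiring while the cloud is offline) cannot be answered by a verifier alone: something that can issue tokens, not merely check them, has to be mirrored out to the edge as well.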
The eternal dynamic between distributed and centralized computing has swung back once more, and identity management must follow. If you’d like to talk more about the idea of edge IAM at Cloud Identity Summit, please track me down at the parties. I’ll likely be swinging back and forth myself, between the bar at the center and the tables out at the edge.
Haven’t registered yet? Hurry and check out the Tweet Jam recap blog to get a limited-time 50% discount code, which has been extended to May 5th.
By Paul Madsen, Ping Identity