Further development of this draft has ceased (June 06, 2017).
[Concept Paper] Identity and Access Management for Smart Home Devices
Date Published: June 2016
Author(s)
William Fisher (NIST), Sudhi Umarji (MITRE)
Announcement
The National Cybersecurity Center of Excellence (NCCoE) is seeking comments from industry on the challenges of identification, authentication, and authorization for devices in the Internet of Things (IoT) space; specifically requirements for authentication and authorization of autonomous non-person entities (NPE) found in smart home devices. Areas of interest include the following:
- models for the lifecycle of IoT and/or smart home devices;
- threat vectors and attack surfaces of smart home devices throughout their lifecycle;
- using commercially available technology, methods for the identification, authentication, and authorization of smart home devices including:
  - core requirements in addressing these three capabilities;
  - implementation challenges;
  - potential security weaknesses or gaps;
- mechanisms for NPE-to-NPE, NPE-to-Network, and NPE-to-Cloud authentication;
- mechanisms for binding device, APIs, and user identity with applicable authentication contexts;
- privacy risks to individuals raised by improving smart home device identification and authentication;
- mechanisms that enable improved identification and authentication of smart home devices while maintaining individuals' privacy;
- models for handling encryption on constrained devices; and
- business cases for the identification, authentication, and authorization of smart home devices for which the NCCoE could build a demonstrable solution.
Based upon community feedback on these topics, the NCCoE will consider instantiating a project to engage in building an example solution using commercially available technology.
Comments due: None--comments accepted on an ongoing basis.
Submit comments using the link below.
The following concept paper identifies potential project topics for the NCCoE to explore with stakeholders and technology collaborators. Through research and discussion, the NCCoE has identified several areas of interest within a broader cybersecurity subject; in this case, improved security for connected devices, or the “Internet of Things.” Public comments on this concept paper will help the NCCoE understand specific challenges and needs, and may be used to help define a challenge statement, use cases, and/or a project description. Comments will be reviewed on an ongoing basis. Our hope is that stakeholders will help identify models, methodologies, protocols, best practices, or standards from other industries that may be relevant to securing smart home technology.
Keywords
IoT; non-person entities; smart home; authentication; authorization; Internet of Things; identity and access management
Control Families
Access Control; Identification and Authentication