In the Internet of Things (IoT) there will be far more “multi-party” transactions occurring than in the Internet of old, where most transactions were intrinsically peer to peer. For instance, today many transactions involve a client and a server, where the client authenticates to a server for an application or service being provided by the server. This might be a banking service, or a retail purchase or a government service like filing a tax form.
But what happens when the application is a new generation of IoT service involving more than two supplying parties? It is a multi-party transaction or activity. How do you, as a risk and security manager, design such things? Do the current identity and security technologies scale?
The traditional way of dealing with nominally multi-party transactions is to look to the service provider (the server) to aggregate most or all of the suppliers and counter-parties into a single relationship for the client – and charge a fee for that as part of the overall price of the service. This is what a retailer or a travel agent might do: they have relationships with many suppliers and pull together a package of goods and services for the one client. Or sometimes they merely procure the good or service in bulk (wholesale) and distribute to clients. They then charge a mark-up or margin for this service – this is a well proven and time tested model going back to the emergence of the very first merchants thousands of years ago. This is what Amazon (online) or Sears (bricks and mortar) does today.
But the IoT and the technology underlying it allows for many new functions and value-added services to be created in thousands (if not eventually billions) of combinations among all the various sources of supply: aggregating service providers and merchants not necessary. Or it involves a service that requires the participation of literally thousands of different devices: aggregation not viable . For instance, location based services around detection and tracking will create many opportunity for services in the IoT. But the services and devices used to establish location will be constantly changing as a person or a device acting for a person moves around. (This is related to a operational requirement in the IoT referred to as “Context” – a topic for a later blog post, or email me for more info.) While it might be possible, it would be expensive and complicated for a third-party aggregator or merchant to try and broker all these location-services for a given client. It is not viable. Additionally, such aggregation creates an information base of highly personal data that you may wish not to create in the first place!
Alternately, an IoT service or a good derived from IoT-based capabilities, might be created or procured from different suppliers and vendors for differing prices at differing qualities at differing times: so clients or users might wish to re-arrange their IoT supply chain regularly or even automatically to take advantages of small differences in service profiles – resulting in more efficiency. This is a significant element of the evolving IoT anatomy– stratification of the supply chain into greater specialization and efficiency, with competition at many different “layer” of a service stack: physical device, physical network, network as a service, software as a service, service management, etc.
To maximize the potential of these IoT opportunities, new forms of multi-party authentication are needed.