Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

IoT security gaps: what identity and access controls are missing?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: IoT device numbers are projected to rise from 9.7 billion in 2020 to more than 29 billion by 2030, while the article argues that encryption, authentication, and testing are now essential to keep connected devices and their data resilient, according to GlobalSign. The governance challenge is no longer device growth itself but proving identity, limiting trust, and managing access at scale.

NHIMG editorial — based on content published by GlobalSign: a guide to the Internet of Things, its use cases, and security considerations

By the numbers:

Questions worth separating out

Q: What makes IoT devices difficult to govern like normal endpoints?

A: IoT devices are difficult to govern because they often rely on embedded credentials, fixed certificates, and long-lived trust relationships that are hard to rotate or revoke at scale.

Q: How should organisations secure IoT devices before deploying them at scale?

A: Organisations should treat IoT onboarding like identity onboarding.

Q: What do teams get wrong about IoT certificate management?

A: Teams often treat certificates as a deployment step instead of a lifecycle control.

Practitioner guidance

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • The article's full list of IoT application areas across homes, cities, vehicles, healthcare, agriculture, retail, and industrial systems.
  • The vendor's explanation of IoT fundamentals and history, including how connected devices collect and exchange data.
  • The specific security measures the article recommends for connected devices, including encryption, authentication, and penetration testing.
  • The vendor's framing of IoT certificates and related services for protecting connected objects and data.

👉 Read GlobalSign's guide to IoT security, use cases, and device protection →

IoT security gaps: what identity and access controls are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

IoT security is now an identity governance problem, not just a device hardening problem. Connected devices create their own credential estates, and those estates need provisioning, rotation, monitoring, and offboarding discipline. The article correctly points to encryption and authentication, but the deeper issue is whether each device has a bounded trust relationship that can be managed over time. In that sense, IoT governance overlaps directly with non-human identity control, especially where certificates and API-style device access are involved.

A question worth separating out:

Q: Which controls matter most when IoT devices are retired or replaced?

A: The critical controls are inventory accuracy, certificate revocation, decommissioning validation, and removal of any stored secrets or remote access paths linked to the old device. Retired devices should not retain network trust or authentication authority, because reuse and cloning are common sources of residual access in IoT environments.

👉 Read our full editorial: IoT security gaps are widening as device populations scale



   
ReplyQuote
Share: