Dan Geer asked me to write a piece for a special issue of the In-Q-Tel Quarterly. The theme was prediction: where things are going and where time is best spent on security issues. The paper, "Reference Monitor for the Internet of Things", looks at Building Visibility Into the thingfrastructure (meaning how to navigate security with all the points of control in current systems: network provider, Cloud provider, Service provider, App store, OS runtime).
"The information security landscape is dominated by access control technologies. Identity and access management standards and products have carved out a niche in every Fortune 500 Information Security Department. Two questions on IAM tools challenge information security: Are they effective security mechanisms and are they cost effective? Or, in keeping with the theme, what futures are available to us and how should we choose?"
The paper explores what delivering visibility means in the Internet of Things, with issues around Event Ownership, Assurance, Incentives, Occasionally Connected, Lack of standards, and the overall Quality of visibility. Given the sheer number of Points of Control that must be navigated, delivering access control in a world of conflicting policies, runtimes, incentives and capabilities creates tremendous challenges.