
Ericsson Technology Review: Cross-domain identity of things


With the spread of the Internet of Things (IoT) into almost all areas of life, IoT security is set to become one of the most important technology development areas in the coming years. Identity management systems (IDMSs) that are based on sound identity principles and intra-domain identity lifecycle models have an important role to play in ensuring IoT security. Due to the heterogeneous setup of IoT end-to-end solutions, an IDMS that can only support one domain is not adequate for the complete identity management of IoT devices. Devices that must be identified in multiple domains need to have their identities managed across them. The use of technologies like GBA and specific identity management systems for the IoT will substantially reduce the complexity of these activities.


CROSS-DOMAIN IDENTITY OF THINGS ✱ NOVEMBER 23, 2016 ✱ ERICSSON TECHNOLOGY REVIEW
ERICSSON TECHNOLOGY REVIEW | CHARTING THE FUTURE OF INNOVATION | #09 ∙ 2016

CROSS-DOMAIN IDENTITY OF THINGS
THOMAS WEIDENFELLER, CLAUDIA BAUSCH

The rapid expansion of the Internet of Things (IoT) calls for a clearer common understanding of how identities function in the digital world. The numerous domains that make up the IoT result in single entities having multiple overlapping identities. In order to operate successfully in this environment, a company must be able to manage related identities across domains in an efficient manner. To do so, it needs to determine which cross-domain identity management solution best meets its own specific requirements.

Identity is a concept used in fields ranging from philosophy to mathematics, with a variety of definitions. Even within the fields of ICT and IoT, the interpretation of the terms identity and identity management can vary widely, depending on the specific application and particular school of thought.

For many, identity management involves nothing more than giving a thing a traceable name or number, and perhaps adding a password or a public key certificate. For others, it means applying a consistent naming scheme or using a particular protocol to provide a computer with a hostname, or a system user with a convenient sign-in experience.

According to ISO/IEC 24760-1:2011, an identity is "a set of attributes related to an entity", and an entity is defined as "an item … that has a recognizably distinct existence" [1]. These definitions are very broad, and clearly cover more than just devices and people. For example, not only is an IoT device an entity according to this definition; all of its physical and virtual components are also entities, as are all of the actors that interact with them. The definition also covers parts and groups of such items, as long as they have a recognizably distinct existence.

From this perspective, even a small IoT device consists of many entities. Not every entity needs to have one or more identities, however; nor do all established identities need to be managed throughout the complete lifetime of the device.
Defining the set of identities that need to be established, and working out how to manage them, are the result of decisions made on multiple levels at different times. For example, some identities are the result of design decisions about communication technologies or hardware component selection for a particular device.

It is also important to note that an identity does not necessarily have to be unique. For example, an identity can refer to a group of devices, such as in multicasting. An entity can also have – and typically has – more than one identity.

Entities, identities and domains

The application and validity of an identity tend to be finite, and are often dictated by technical limitations. For example, a private IP address has no global meaning; it only has meaning in a private network, and cannot be used on the internet. It is also possible to limit the applicability of an identity even further by design. The resulting domain of applicability describes where an identity may be used.

A car is an example of an entity that has multiple identities that are valid in different, partly overlapping, domains. A car receives its vehicle identification number (VIN) during the manufacturing process. The VIN is used by government agencies to track the car throughout its lifetime. The VIN's domain of applicability is typically limited to administrative purposes. However, at some point the vehicle will also receive a license plate number, which is used to identify it in public. Its domain of applicability is the public realm. Both the VIN and the license plate number identify the same entity: a particular vehicle. Both should be registered to the same owner. Depending on the type of operation to be performed, a particular one of the two identities or identifiers will be used. In some cases, both might be required. However, rarely can one identity be provided in place of the other.
Although they are separate, identities in different domains are related. In the car example, the relevant identity management systems (IDMSs) are designed to make it possible for government authorities to find out the license plate number from the VIN, and the VIN from the license plate number. When a license plate number is issued, identity management activities affect both domains to ensure traceability.

Understanding identity management

The term identity management is defined in ISO/IEC 24760-1:2011 as "the processes and policies involved in managing the lifecycle and values, type and optional metadata of attributes in identities known in a particular domain" [1].

The car example clearly illustrates that identity management is not about managing the entity itself (that is, performing operations on the entity). Rather, it is about managing "a set of attributes related to an entity" – data that describes or identifies the entity. Identity management is fundamentally a security technique – not an entity management one. As such, identity management supports the identity-based decisions [1] that must be made to ensure security.

Typical identity-based decisions that are related to security include device authentication, controlling authorizations (typical authentication, authorization and accounting functions) and the categorization of data. For example, identity-based decisions can be used to ensure that the data returned by an IoT sensor (such as a temperature measurement) is associated with the correct entity (the machine from which the temperature was taken). In general, the routing of input and output data to and from an IoT device is based on identities.

The distinction between managing an entity and managing an entity's identity is important. Managing identities can have side effects that impact the entity, but won't necessarily. For instance, an attempt to manage an entity via identity management will at best be indirect, and at worst a complete failure.

For example, in geolocation applications, an entity's location might be one of its identities. The entity might even be addressed (identified) by its location. Performing a particular identity management activity could affect the location data attribute in the identity register. But this change would have no effect on the entity's actual position. In the best-case scenario, there would be additional mechanisms in place to take the identity management data and translate it into action that would in turn affect the entity itself, such as commanding it to move to the new location. This could work if the entity was a mobile machine, but would obviously fail if it were a factory building (the worst-case scenario).

Abbreviations
eUICC – embedded Universal Integrated Circuit Card | GBA – Generic Bootstrapping Architecture | IDMS – identity management system | IIP – identity information provider | IoT – Internet of Things | LWM2M – Lightweight M2M | M2M – machine-to-machine | OAuth – open standard for authorization | OpenID – open standard and decentralized authentication protocol | SAML – Security Assertion Markup Language | SSO – single sign-on | UICC – Universal Integrated Circuit Card | VIN – vehicle identification number
The limitations of identity management are particularly significant for IoT devices. Identity management is no substitute for proper device management; rather, the two need to work in parallel. Device lifecycle changes must be supported by identity management activities.

The identity management lifecycle

Figure 1 provides an example of the lifecycle of an identity in terms of states and state transitions. This example is a modified version of the reference lifecycle model in ISO/IEC 24760-1:2011 [1]. Other lifecycle models may also be used, depending on the specific purpose of the particular identity. An IDMS supports the creation, provisioning, maintenance and decommissioning of identities throughout the lifecycle of a particular type of identity [1] following its lifecycle model.

The lifecycle example in Figure 1 manages an identity within a specific domain. However, we know an entity can have more than one related identity within the same domain, or multiple identities spread over several domains. As a result, the requirements for a real-world IDMS extend beyond merely transitioning through the states for an identity.

The scenario involving multiple identities that is easiest to manage is when the related identities are within the same domain and under the control of the same authority. At the other end of the spectrum are scenarios in which the identities are in different domains, and are controlled by different authorities, and the relevant IDMSs are not able to communicate with each other. Figure 2 illustrates the relationship between IDMS coupling and domains, and its impact on the relative difficulty of managing identity data. In cases where there is no communication between IDMSs, manual intervention and handling are mandatory. Such cases are therefore best avoided.

Cross-domain management architectures

Two common cross-domain identity management architectures are particularly relevant to IoT identity management. The first, shown in Figure 3, uses one IDMS for coordination, giving it special authority among its peers.
Figure 1 Example of an identity lifecycle (states: Unknown, Established, Active, Suspended, Archived; transitions: enroll, activate, maintain, adjust, suspend, reactivate, archive, enroll/restore, and delete from each of the four known states)

Figure 2 Relative difficulty of managing related identity data (axes: IDMS coupling from weak to tight, domain same or other; difficulty ranging from simple to difficult)
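The lifecycle of Figure 1 as an added example (my code, not the article's or Ericsson's): a per-domain IDMS register that performs only the activities the current state allows, keeps the identity's attribute set and an audit trail, and exposes one identity-based decision. The transition table is my reading of Figure 1 and the ISO/IEC 24760-1 reference model; the domain name, identifier and attribute values are constructed.

```python
# Added example (not code from the article or from Ericsson): a domain IDMS
# that enforces the identity lifecycle of Figure 1. The transition table is my
# reading of Figure 1 and the ISO/IEC 24760-1 reference model; the domain
# name, identifier and attribute values are constructed.
from dataclasses import dataclass, field

UNKNOWN, ESTABLISHED, ACTIVE, SUSPENDED, ARCHIVED = (
    "unknown", "established", "active", "suspended", "archived")

# (current state, activity) -> next state. Assumed from Figure 1: "adjust"
# loops on established, "maintain" loops on active, "enroll/restore" brings an
# archived identity back to established, and every known state can be deleted.
TRANSITIONS = {
    (UNKNOWN, "enroll"): ESTABLISHED,
    (ESTABLISHED, "adjust"): ESTABLISHED,
    (ESTABLISHED, "activate"): ACTIVE,
    (ESTABLISHED, "delete"): UNKNOWN,
    (ACTIVE, "maintain"): ACTIVE,
    (ACTIVE, "suspend"): SUSPENDED,
    (ACTIVE, "archive"): ARCHIVED,
    (ACTIVE, "delete"): UNKNOWN,
    (SUSPENDED, "reactivate"): ACTIVE,
    (SUSPENDED, "delete"): UNKNOWN,
    (ARCHIVED, "restore"): ESTABLISHED,
    (ARCHIVED, "delete"): UNKNOWN,
}
ATTRIBUTE_CHANGING = {"enroll", "adjust", "maintain"}  # other activities only move state


class LifecycleError(Exception):
    """An identity management activity that the current state does not allow."""


@dataclass
class Identity:
    """'A set of attributes related to an entity', plus its lifecycle state."""
    identifier: str
    attributes: dict = field(default_factory=dict)
    state: str = UNKNOWN
    history: list = field(default_factory=list)  # audit trail of transitions


class DomainIdms:
    """Identity register of one domain, enforcing the lifecycle of Figure 1."""
    def __init__(self, domain):
        self.domain = domain
        self.register = {}  # identifier -> Identity

    def apply(self, identifier, activity, **attrs):
        """Perform one lifecycle activity; returns the new state or raises."""
        ident = self.register.get(identifier) or Identity(identifier)
        nxt = TRANSITIONS.get((ident.state, activity))
        if nxt is None:
            raise LifecycleError(f"{self.domain}: '{activity}' not allowed for "
                                 f"{identifier} in state '{ident.state}'")
        if attrs and activity not in ATTRIBUTE_CHANGING:
            raise LifecycleError(f"{self.domain}: '{activity}' may not change attributes")
        ident.attributes.update(attrs)
        ident.history.append((ident.state, activity, nxt))
        ident.state = nxt
        if nxt == UNKNOWN:
            self.register.pop(identifier, None)  # deleted: the domain forgets it
        else:
            self.register[identifier] = ident
        return nxt

    def may_authenticate(self, identifier):
        """Identity-based decision: only an active identity may authenticate."""
        ident = self.register.get(identifier)
        return ident is not None and ident.state == ACTIVE


def demo():
    """Walk one constructed device identity through part of its lifecycle."""
    idms = DomainIdms("device-management")
    states = [idms.apply("dev-0001", "enroll", model="temp-sensor", key_id="k-17")]
    for activity in ("activate", "suspend", "reactivate", "maintain"):
        states.append(idms.apply("dev-0001", activity))
    return states
```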
The architecture shown in Figure 3 is similar to an architecture used in network management, in which individual element managers are each responsible for managing a particular network element, and a network management system coordinates network-wide issues above the element management layer. The architecture can be enhanced by adding hierarchy levels with intermediate coordinating IDMSs.

Figure 4 shows the second common architecture, in which the various IDMSs coordinate with other IDMSs on a peer-to-peer basis. Note that not every IDMS coordinates with every other IDMS; this depends on whether there is any need for them to coordinate, as well as technical or administrative limitations.

There are no hard and fast rules dictating which architecture is preferable. Other architectures also exist, including hybrid versions of the architectures presented in Figures 3 and 4. Practitioners need to consider their existing systems and any administrative barriers they may have, and make compromises, adapting their integrations to suit their particular circumstances. Ideally, they should establish one of the architecture options as the primary one and add diverging IDMS and management subsystems as satellite systems in isolated areas.

Techniques to build a coordinating system

There are technical and administrative issues to overcome when building a coordinating system. The technical issues begin with the communication layer. The individual IDMSs that should take part in cross-domain identity management as shown in Figures 3 and 4 need to communicate in some way – typically via the TCP/IP suite. When faced with legacy protocols on the network layer [2], an adaptation to IP should be considered. Which protocols to use on layers above the transport layer (particularly the application layer) is both a technical and an administrative decision.
Administration of cross-domain identity management includes the creation of an identity federation: "[an] agreement between two or more domains specifying how identity information will be exchanged and managed for cross-domain identification purposes." [1] The system that is subsequently built according to this agreement is typically also known as an identity federation.

Single sign-on identity federation

One highly sought-after feature when building identity federations – especially when humans are involved – is single sign-on (SSO). With SSO, the identity of an entity in one domain can be used for authentication of the same entity in another domain. The purpose of SSO is to avoid having to perform identity management in two or more domains in parallel. This is achieved by having fully automated protocols and processes in the identity federation agreement for handling the data processing and exchange between the domains.

Enterprise and cloud system architectures are good examples of how cryptography-based identity federations can be used to provide SSO services. SAML, OpenID and OAuth 2.0 (with or without additional application programming interfaces like OpenID Connect) are typical protocols used to build SSO identity federations for authentication or authorization purposes in this context. Essentially, these protocols are used to exchange trust in an identity – and by association, an entity or groups of entities – between domains.

For humans, SSO is a highly valued convenience feature that removes tasks like remembering user login credentials. But for non-human IoT entities, which connect to a rather limited number of services, the use of identities and identity-based decisions in IoT device communication does not necessarily require SSO.

A typical IoT device might, for example, make use of the following services:
〉〉 a network service that provides basic communication
〉〉 a device management service provided via the Lightweight M2M (LWM2M) management protocol [3]
〉〉 a service management service provided via LWM2M, either separate from or in cooperation with the device management service
〉〉 a payload or application service to which the IoT device delivers data and from which it receives application information.
Figure 3 Centrally coordinated IDMSs (one coordinating IDMS above several individual IDMSs)

Figure 4 Peer-to-peer coordination (individual IDMSs coordinating directly with one another)
Since the number of services used is relatively static over the lifetime of the IoT device, and there is no human convenience advantage, an SSO-capable identity federation is not absolutely necessary in this type of case. In fact, for small IoT devices, the use of enterprise SSO protocols adds considerable overhead to the device firmware. When SSO is needed on an IoT device, lightweight SSO protocols should be considered instead.

The Generic Bootstrapping Architecture (GBA) [4] is a mobile network technology that makes it possible to reuse an identity from within the mobile network domain in other domains. Solutions based on the GBA architecture make use of mobile network subscribers' identities, associated cryptographic key material and cryptographic algorithms to establish a temporary, cryptographically-secured security association between an IoT device and a service in the application layer, for example. The security association can then be used for tasks such as authenticating the IoT device before granting access to the service. One promising realization of an identity management solution using GBA as a federation technique is a trial project for agricultural applications known as the Connected Vineyards project [5].

GBA uses well-known mobile network identity information providers (IIPs). A UICC/eUICC with a SIM application suitable for GBA is used in the IoT device, while the corresponding identity information on the mobile network side is provided by the Home Location Register/Home Subscriber Server.

Note that, although the 3GPP identity and GBA are currently associated with cellular networks, this technology can also be used for devices connected to a network using other, non-3GPP technologies. The identity credential (shared secret) and associated software may in this case be protected by hardware-specific isolation and protection mechanisms to avoid the extra cost of (e)UICC in IoT devices. GBA can also be used to extend the federation beyond SSO – for example, to provide cryptographically derived, temporary pre-shared keys to secure communication.
It is important to recognize that setting up an identity federation, for SSO purposes or otherwise, requires effort. The need to manage identities in multiple domains is replaced with the need to manage the federation. More importantly, an identity federation requires trust. An enrollment in one domain affects all federated domains, which means that improper identity proofing in one domain creates a potential security risk in all federated domains. However, in some cases – such as GBA – a mobile network operator with an established track record of managing signup and access to network services is in a good position to provide the necessary trust.

Mapping

The SSO identity federation protocols presented above all rely on sound cryptographic principles. The original identity data, including passwords and cryptographic material, are not copied between the domains. Only the trust in some identity – an identity assertion [1] – is exchanged, enabling a federated domain to authenticate an entity, and, if desired, bootstrap its own cryptographic material. This is not the only way to build an identity federation, however.
Another common way to build an identity federation is by mapping. Identity data valid in one domain is mapped to some other identity data in another domain. The mapping can be 1:1 (the data is copied as is) or with some adaptations. For example, the mapping could include adding supplementary identity data, or adding an identifier as an attribute to one's own identity data.

One way to perform mapping is to synchronize at regular intervals. At certain points in time, the contents of two or more IIPs are compared with each other. Algorithms are then used to resolve any detected discrepancies and generate a consistent state across domains.

Tracking changes is another way to perform mapping. When this method is used, each of the state transitions shown in Figure 1 is communicated to the federated IDMSs. The IDMSs then map the received event data and add the result to their identity registers. A message bus is one possible software architecture that can be used for communication and exchange of events between the IDMSs.

Regardless of which of these two mapping methods is chosen, it is vital to address the issue of concurrent changes to the mapped data in the federated domains. This can be dealt with by considering one domain to be the master for particular identity data. That is, one domain always has precedence, or may even be the only domain in which the data is allowed to actively be changed. If this solution is not possible in a particular case, operational transformation techniques can be used to handle issues of concurrent changes, especially in the case of tracking changes. Three-way merge or differential synchronization are other techniques for resolving issues when tracking changes or synchronizing.

Identity management domains in the IoT

The selection criteria for identity domains in an IoT IDMS are largely technical, but they are also influenced by organizational factors and sometimes even individual preferences. Domains can be quite small or rather broad, containing only a few or many different types of identity data.

Figure 5 illustrates four identity management domains that capture the technical and organizational properties of an IoT system at a high level:
〉〉 service user domain – where the IoT system is exploited for benefits. Services on top of the IoT device(s) are provided here. They supply a machine or a human with accumulated data and value-added services.
〉〉 service management domain – where the application(s) and/or service(s) running on the IoT device are managed, along with their association with enterprise application servers responsible for dealing with the payload data. A service delivery platform would work in this domain, for example.
〉〉 device management domain – where basic device functions are managed, including the device lifecycle and firmware (operating system). Services based on the LWM2M protocol would run here, for example.
〉〉 network domain – the "I" in IoT, where the communication happens, such as a cellular network or another type of WAN, or a LAN.

Figure 5 Four identity management domains in the IoT (service user domain, service management domain, device management domain and network domain, each served by one or more IDMSs)

Identity management and security

There is another point that must be considered when coupling IDMSs to manage identities across domains. Identity management itself needs to be performed securely to fulfill the promise of helping to secure systems. It can only do so when identity management is performed in such a way that the managed identities are not compromised. For example, during enrollment, the right entity must be paired with the right identity. This is the most important aspect of this activity.

The basic security requirements for identity management are nearly identical to the security requirements of modern ICT systems. Both data at rest (storage) and data in motion (communication) need to be protected; and in each case, common ICT security techniques and technologies are relevant.
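The mapping techniques from the Mapping section above (change tracking over a message bus, periodic synchronization, and one master domain per attribute to settle concurrent changes) as an added example, not code from the article or from Ericsson: a network-domain IDMS and a device-management IDMS exchange events, map each other's identifiers into their own registers, and reconcile drift. The federation agreement, domain names, identifiers, attributes and sample values are constructed.

```python
# Added example (not code from the article or from Ericsson). The federation
# agreement, domains, identifiers, attributes and sample values are constructed.
from dataclasses import dataclass

# Which domain may actively change which attribute (master precedence);
# attributes not listed here are domain-private and are never federated.
MASTERS = {"subscription_state": "network", "imsi": "network",
           "firmware": "device-management"}

@dataclass(frozen=True)
class IdentityEvent:
    """One attribute/state change published by the IDMS of `domain`."""
    domain: str
    identifier: str
    changes: dict

class MessageBus:
    """Minimal publish/subscribe bus carrying events between the IDMSs."""
    def __init__(self):
        self.subscribers = []

    def publish(self, event):
        for idms in self.subscribers:
            if idms.domain != event.domain:
                idms.receive(event)

class FederatedIdms:
    """IDMS of one domain that maps received events into its own register."""
    def __init__(self, domain, bus, id_map):
        self.domain, self.bus = domain, bus
        self.id_map = id_map  # (foreign domain, foreign id) -> local id
        self.register = {}    # local id -> attribute dict
        self.rejected = []    # events not fully applied, kept for audit
        bus.subscribers.append(self)

    def change(self, identifier, **changes):
        """Active change in this domain; refused for attributes it does not master."""
        foreign = [a for a in changes if MASTERS.get(a, self.domain) != self.domain]
        if foreign:
            raise PermissionError(f"{self.domain} is not master for {foreign}")
        self.register.setdefault(identifier, {}).update(changes)
        self.bus.publish(IdentityEvent(self.domain, identifier, dict(changes)))

    def receive(self, event):
        """Change tracking: map the event and add the result to the local register."""
        local = self.id_map.get((event.domain, event.identifier))
        if local is None:
            return  # this domain has no mapping for the foreign identifier
        accepted = {a: v for a, v in event.changes.items() if MASTERS.get(a) == event.domain}
        if len(accepted) != len(event.changes):
            self.rejected.append(("not-master", event))  # non-master changes are ignored
        record = self.register.setdefault(local, {})
        record.update(accepted)
        # Adaptation: keep the foreign identifier as an attribute of the local identity.
        record[f"{event.domain}_identifier"] = event.identifier

def synchronize(a, b):
    """Periodic reconciliation of two IIPs: for each mapped pair, compare the
    federated attributes and let the master domain's value win."""
    fixed = []
    for (dom, foreign), local in b.id_map.items():
        if dom != a.domain:
            continue
        ra, rb = a.register.setdefault(foreign, {}), b.register.setdefault(local, {})
        for attr, master_domain in MASTERS.items():
            master, other = (ra, rb) if master_domain == a.domain else (rb, ra)
            if attr in master and other.get(attr) != master[attr]:
                other[attr] = master[attr]
                fixed.append((local, attr, master[attr]))
    return fixed

def demo():
    """Enroll in the network domain, add firmware data in device management, reconcile drift."""
    bus = MessageBus()
    network = FederatedIdms("network", bus, {("device-management", "dev-0001"): "sub-0001"})
    devmgmt = FederatedIdms("device-management", bus, {("network", "sub-0001"): "dev-0001"})
    network.change("sub-0001", subscription_state="active", imsi="001010000000001")  # test-range IMSI
    devmgmt.change("dev-0001", firmware="1.4.2")
    devmgmt.register["dev-0001"]["firmware"] = "1.4.3"  # drift that bypassed the bus
    return network.register, devmgmt.register, synchronize(network, devmgmt)
```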
This applies particularly to the exchange of identity information in identity federations, in those cases where identity data (such as access credentials) are simply copied or mapped from one domain to another.

There can be additional security requirements for identity management, depending on the particular domain or system, and on the system providers' level of commitment to offering a secure system. In general, the security of the management process and the security of the IDMS will have a direct impact on the trustworthiness of the managed identities.

Conclusion

With the spread of IoT systems to almost all areas of life, IoT security is set to become one of the most important technology development areas in the coming years [6]. IoT systems will need to be able to support large-scale field applications comprising a diversity of connected things. This will require massive enrollments of identities at an early stage of the device lifecycle, as well as the maintenance of those identities throughout the devices' lifetimes. The use of technologies like GBA and specific identity management systems for the IoT will substantially reduce the complexity of these activities.

It is clear that identity management systems – based on sound identity principles and intra-domain identity lifecycle models – have an important role to play in ensuring IoT security. Due to the heterogeneous setup of IoT end-to-end solutions, an IDMS that can only support one domain is not adequate for the complete identity management of IoT devices. Devices that must be identified in multiple domains need to have their identities managed across them. There are several ways to achieve this, depending on the systems and technologies available, and the relationship between the domains and the domain-specific identity data.
The authors

Thomas Weidenfeller is a master systems designer at Portfolio & Systems within Customer Group Industry & Society. He has more than 20 years of experience at Ericsson, starting in telecommunication management systems. Over the years, he has worked in such diverse areas as software design, systems management, mobile packet backbone design and software architectures. He is currently working on IoT security issues. He holds a degree in electrical engineering from the Cologne University of Applied Sciences (now called the Technical University of Cologne), Germany.

Claudia Bausch joined Ericsson in 1998. She holds a degree in computer science from RWTH Aachen University, Germany. Her expertise covers several areas of software design, configuration management and project management. She is currently working as senior systems designer at Portfolio & Systems on IoT studies and end-to-end solutions within the Customer Group Industry & Society.

References
1. International Organization for Standardization, ISO/IEC 24760-1:2011, Information technology – Security techniques – A framework for identity management – Part 1: Terminology and concepts, available at: http://standards.iso.org/ittf/PubliclyAvailableStandards/c057914_ISO_IEC_24760-1_2011.zip
2. International Organization for Standardization, ISO/IEC 7498-1:1994, Information technology – Open Systems Interconnection – Basic Reference Model: The Basic Model, available at: http://standards.iso.org/ittf/PubliclyAvailableStandards/s020269_ISO_IEC_7498-1_1994(E).zip
3. Open Mobile Alliance, Lightweight Machine to Machine Technical Specification, OMA-TS-LightweightM2M-V1_0-20160407-D, Draft Version 1.0, 07 April 2016, available at: http://member.openmobilealliance.org/ftp/Public_documents/DM/LightweightM2M/Permanent_documents/OMA-TS-LightweightM2M-V1_0-20160407-D.zip
4. 3GPP, Generic Bootstrapping Architecture (GBA), 3GPP TS 33.220, available at: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2280
5. Ericsson, Connected Vineyards, available at: http://www.ericsson.com/res/docs/2015/iot-connected-vineyards.pdf
6. Gartner, Gartner Identifies the Top 10 Internet of Things Technologies for 2017 and 2018, available at: http://www.gartner.com/newsroom/id/3221818

The authors would like to acknowledge the support and inspiration they received from their colleagues Per Ståhl, Patrik Teppo, Dhruvin Patel and Gustavo Tanoni.
ISSN 0014-0171 | 284 23-3293 Uen | © Ericsson AB 2016 | Ericsson, SE-164 83 Stockholm, Sweden | Phone: +46 10 719 0000
