The state of IoT security
IoT devices are everywhere. Some of them even control electrical grid switches and public water systems, monitor road traffic in real time, track patient health in hospitals, and monitor and control servers for all our favorite media sites and much more. The prevalence of these devices makes them a prime target for digital attacks. This risk is augmented by many devices’ insufficient built-in security. The Mirai and NotPetya malware incidents are prime examples of how damages resulting from IoT attacks might not be just financial. These attacks can target electrical grids and other critical infrastructure, putting millions of lives at risk.
As more devices are connected online, companies are being exposed to crime in novel ways. Many leaders in the tech industry recognize the importance of security as IoT expands. Security and authentication need to be priorities for corporations because IoT is a breeding ground for malicious surveillance and attacks. How can companies establish trust across connected devices on such a massive scale?
PKI Certificates and Security
The expansion of IoT and the developments in data privacy regulation such as GDPR emphasize the direct relationship between keeping devices secure and safeguarding the corporate reputation. This is where PKI (Public Key Infrastructure) certificates bring real added value.
According to William Stallings’ “Cryptography and Network Security”, the public key is a coded value that has both a public and private part; it allows information to be encrypted and decoded by one person/object only, and it operates as a digital certificate. “Public key infrastructure” refers to the entire ecosystem devoted to digital certificates and encryption. This ecosystem encompasses not just the software and hardware but all of the people involved with the digital certificates. PKI certificates are issued by a CA (certificate authority), which creates and manages them. Each PKI certificate is a unique cross-platform, cross-organizational identifier and greatly aids in creating trusting relationships between customers and businesses. The creation and management of PKI can be handled in-house or via a management company.
Regarding security, IoT has two requirements: trust and control. While this is hard to achieve on the scale of IoT, PKI technologies have been relatively successful in securing large-scale systems like the global payments network. However, securing IoT brings new challenges that force us to rethink traditional assumptions about key management and the impending security threats.
High-integrity messaging, secure communications and mutual authentication at an internet scale will be absolutely necessary for IoT to succeed. Having secured network-connected devices for decades, digital certificates with PKI are well-situated to serve as the online identity for IoT.
Automated PKI Management
In-house PKI seems like the best solution in cybercrime prevention since PKI certificates can be issued and managed in a very efficient and effective manner. This is true for companies with a small footprint, but it can become problematic for those who either experience rapid growth or have many locations, resources, and employees. Assurance, scale and technology are some factors that need to be taken into account.
Once you have set up a PKI environment, you will have to manage day-to-day operations like issuing certificates for users, helping users unblock their device PIN, etc., duties which are time-consuming even for small installations. The larger your deployment size, the greater your need for automating some of these tasks. Manual PKI management is size-sensitive: the larger or more heterogeneous an infrastructure is, the more complex and error-prone manual PKI management becomes. If you have a large population with different groups of users who need certificates based on different templates and certificate types, management could quickly get out of control without a tool that allows you to automate most of the lifecycle management. In a vastly expanding IoT landscape, the task of manually on-boarding and provisioning each individual device quickly becomes unmanageable.
Automated provisioning of those PKI certificates, securely, without human intervention is the best solution to the challenges discussed above. Certificates are like blood cells in a real biological organism - they are created, and they live and die. Their life should follow specific rules, be consistent and shouldn’t take up too many resources. Otherwise the whole organism gets sick or dies.
Automated PKI management, like the one offered by the Venafi Control Plane for Machine Identities, orchestrates the entire certificate lifecycle - from provisioning and rotation to replacement - and comes with many advantages, such as faster and more economical operation, a more flexible response to changing requirements, greater observability and auditability, and the possibility of being managed centrally across locations and domains. What is more, you can automatically validate that PKI certificates are properly installed and configured. In the event of a compromise, automation dramatically accelerates remediation, allowing you to replace certificates in seconds.
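To make the idea of certificates following "specific rules" concrete, here is a minimal lifecycle check over a device certificate inventory. It is an added example, not code from this article or from any vendor product; the template names, validity limits, renewal thresholds and device records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy per certificate template: (maximum validity in days,
# fraction of the lifetime after which automation rotates the certificate).
POLICY = {"iot-sensor": (90, 2 / 3), "gateway": (397, 0.8)}

@dataclass
class CertRecord:
    device_id: str
    template: str
    not_before: datetime
    not_after: datetime

def classify(cert, now):
    """Return the lifecycle action for one inventory record."""
    if cert.template not in POLICY:
        return "unmanaged"         # no template, so no rule can be enforced
    max_days, renew_at = POLICY[cert.template]
    if now >= cert.not_after:
        return "expired"           # outage risk: replace immediately
    lifetime = cert.not_after - cert.not_before
    if lifetime > timedelta(days=max_days):
        return "policy-violation"  # issued with a longer validity than allowed
    used = (now - cert.not_before) / lifetime
    return "renew" if used >= renew_at else "ok"

def plan(inventory, now):
    """Group device IDs by the action the automation should take."""
    actions = {}
    for cert in inventory:
        actions.setdefault(classify(cert, now), []).append(cert.device_id)
    return actions

# Constructed sample inventory (hypothetical devices, fixed clock).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _rec(device_id, template, age_days, valid_days):
    start = NOW - timedelta(days=age_days)
    return CertRecord(device_id, template, start, start + timedelta(days=valid_days))
INVENTORY = [
    _rec("sensor-001", "iot-sensor", 10, 90),   # early in its lifetime
    _rec("sensor-002", "iot-sensor", 70, 90),   # past 2/3 of its lifetime
    _rec("sensor-003", "iot-sensor", 100, 90),  # expired 10 days ago
    _rec("sensor-004", "iot-sensor", 5, 365),   # validity exceeds template
    _rec("gw-01", "gateway", 200, 397),         # about half used
    _rec("cam-17", "legacy", 30, 3650),         # template not under policy
]
if __name__ == "__main__":
    print(plan(INVENTORY, NOW))
```

Renewing at a fraction of the lifetime rather than a fixed number of days before expiry lets the same rule work for 90-day and 397-day templates alike.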
Digital certificates are a common basis for establishing trust between communicating entities, both on the Internet and within private networks, and they are increasingly important for securing IoT. As IoT expands, no company can discount the tremendous security risks associated with having a multitude of possible infrastructure weaknesses. Digital PKI certificates with automated management will not resolve all security problems, but they are an important part of the equation that you need to assess and tailor to your organizational needs.