As enterprises continue to rely on more and more strategic IoT and edge devices, establishing trust with this growing landscape of mission-critical devices has become paramount. It’s no longer enough to simply accept a default machine identity and largely ignore it for the lifecycle of the device. The success of modern enterprise applications of IoT and edge devices depends on actively managing machine identities throughout delivery, configuration, deployment and continuous development.
Today’s enterprise IoT devices now include sophisticated manufacturing equipment, smart point of sale (PoS) terminals, transportation components and state-of-the art medical devices. All these devices maintain continuous communication with an edge device or a cloud environment. That means they are constantly transmitting timely and sensitive data. And that data is extremely valuable to cybercriminals, which makes these devices, and the software that runs them, a very attractive target. This is particularly true for edge devices or software, which control communications and updates for larger groups of IoT devices.
Any organization using sophisticated IoT devices needs to have a plan in place to protect the identities of these devices. Organizations need to be sure that when IoT devices connect to the cloud or the edge, those communications are secure and can be trusted to be authentic. Machine identities are the way that these high-value, high-risk IoT devices authenticate themselves as trusted machines and authorize particular uses or functions.
But with the explosion of devices being used in industries like manufacturing, transportation and retail, it has become increasingly difficult to effectively manage the increased scope of machine identities throughout their lifecycle. And this rapid scaling of machine identities has specific impacts on authentication and authorization throughout the lifecycle of the IoT device. And this may result in more than one machine identity for each IoT device – but they must all co-exist seamlessly.
When the device is first delivered, authentication validates the manufacturer, specification and configuration. Then a distributor, systems integrator or internal IoT team may have to configure the device for a specific use case. These configurations also require a machine identity to ensure that they are valid and have not been tampered with for nefarious purposes. During regular usage, machine identities will help perform authorization to verify that the IoT device (and the edge or other software that it connects with) should be trusted within mission critical environments.
Over time, these devices will require periodic updates. Those software updates will also need to be validated by a code signing machine identity to verify their authenticity. But the reality is that today there is a severe lack of integration of IoT machine identities with existing enterprise systems. As a result, machine identities for IoT devices and their software updates may be easily available within enterprise IoT workflows. And existing IoT code-delivery processes may not be readily integrated with code-signing workflows.
Automation is key. But that automation also needs to be sophisticated enough to protect IoT and edge machine identities in the way that’s best suited for every phase of their lifecycle. That’s where Machine Identity Management Development Fund partner Device Authority comes into play.
Device Authority’s KeyScaler platform provides an automated solution to manage the lifecycle of updates that are delivered to an IoT or edge device. Provisioning unique certificates, establishing trust between a device and server, signing code using a pre-configured Certificate Authority with policy-based authorization, and delivering encrypted assets to IoT devices—without requiring any human intervention.
Device Authority has been working closely with Venafi since 2019 when Venafi funded Device Authority to create an innovative solution to protect against supply chain attacks on software updates. This first joint solution allows IoT teams to easily sign software updates with KeyScaler and then instantly deliver them from the cloud with Venafi CodeSign Protect. And most recently Venafi, along with its group company, Jetstack, have begun collaborating with Device Authority to bring machine identity management powered by Kubernetes to the IoT edge.
Together, Device Authority and Venafi can close the gaps open to exploitation by integrating with Venafi to secure machine identities throughout the lifecycle of machine identities for IoT and edge devices or software.