Keys to securing the Internet of Things

By Dan Timpson, DigiCert CTO

A recent observation that Chevron Corp. CIO Bill Braun made about his company’s use of Internet of Things (IoT) devices encapsulates how it has become a primary source of invaluable business information. “The IoT area is probably one of the fastest growing data types we have in the company,” Braun told the Wall Street Journal. “You can’t buy a motor or a valve now that doesn’t come with four or eight sensors on them, even if you don’t want them.”

As the number of IoT devices enterprises deploy continues to grow, so too does the risk of a data breach. Mitigating that risk requires manufacturers to adopt a “secure by default” approach to the design process.

Too often, security is an afterthought, and the result is that manufacturers must retrofit their devices after a vulnerability or threat is identified – an expensive and time-consuming process. That is why security built into design is the superior approach. Correctly implemented, secure IoT deployments ensure that the basic security requirements for data confidentiality, data integrity, and data accessibility are properly configured.

This is where the incorporation of Public Key Infrastructure (PKI) using digital certificates plays such an important role in the development of a secure IoT device.

A PKI framework supports the distribution and identification of public encryption keys, enabling users and computers to both securely exchange data over networks such as the Internet and verify the identity of the other party.

In a similar way, PKI can provide assurances for IoT devices and the people who use them. Despite common misconceptions, PKI is a perfect match for the exploding IoT sector, providing trust and control at scale and in a user-friendly way that traditional authentication methods like tokens and passwords can’t do.

Digital certificates used for mutual authentication can be used to authenticate users to devices behind the scenes with nearly no user interaction. As more devices come online, scalable PKI also encrypts confidential data, and maintains data and system integrity.

Digital certificates enable safe authentication without the friction to the user experience that comes from user-initiated factors such as tokens and password policies. This protects all your devices and networks from malicious actors, even if a data stream or data source were captured or compromised.

Modern-day PKI using up-to-date cryptography should serve as the foundation for security providers’ efforts to scale the authentication of the ever-growing ecosystem of IoT devices.

PKI has many benefits, but deploying a trustworthy system that is reliable and safe is not for amateurs. Managing a web PKI requires adherence to industry standards, policies that establish trusted roles and ensure compliance, and maintenance of robust architecture to support fast issuance and quick, secure connections.

Setting up a PKI framework involves key ceremonies and data storage policies, providing reliable uptime and best-in-class revocation and renewal capabilities. As IoT communities and devices continue to grow and emerging markets realize the benefits of PKI, these industries can provide greater security for their users by applying the standards-based approach that has been developed over many years for the web PKI. Whether IoT device security relies on private PKI systems or requires public trust that only comes via a publicly trusted certificate authority with wide ubiquity in online root stores, the principals of web PKI standardization equally apply.

For scalability purposes, many companies will choose a cloud-hosted PKI that provides the flexibility to manage certificates as they come online and avoids the expenses of maintaining on-premise servers and other hardware. Some heavily regulated industries want more control and choose an on-premise solution Still, this requires expertise in managing PKI systems and adhering to industry standards and modern protocols. There are advantages and limitations of each approach, and it’s not a one-size-fits-all proposition.

One key difference is control over the PKI issuance process. An organization that hosts an on-premises implementation directs that process, and can make configuration and development changes on its own schedule. Working with a hosted provider gives that control to the provider. However, organizations that choose an on-premise solution need to also consider the resulting costs and other complications that decision will create.

Acquiring the necessary hardware, training, and resources needed to implement, run, and maintain an on-premise PKI solution may introduce substantial costs beyond the initial hardware and software acquisition to ensure device integrity throughout the lifecycle. Organizations need to decide if they are ready to stand up an internal CA and operate it according to industry best standards, or if they would be better served by a hosted solution from a company exclusively focused on providing hosted services to customers.

A hosted IoT PKI solution offers the flexibility to use both a private PKI and publicly trusted certificates. Beyond the advantages of security and scale, another key consideration is the fact that cryptography is constantly changing. Certificates require quick turnaround when standards shift or cryptographic properties change.

A solutions provider solely focused on PKI can anticipate these changes to curves, algorithms, and hashes years before they become mainstream. In some cases, organizations may look for a hybrid solution that gives companies the control of on-premise appliances but the scalability of the cloud via a trusted gateway that serves as a proxy between the cloud and the on-premise hardware.

A recent Forrester Research survey found that 90 percent of companies are expecting to see their volume of connected devices increase, and 77 percent are concerned over the resulting significant security challenges. One key concern is their struggle to authenticate all their network-connected devices. Securing these devices and their connections to corporate networks and other systems is an issue manufacturers – and the security industry as a whole – needs to address immediately.