Build or buy your PKI for IoT?

Public key infrastructure (PKI) is an essential element of global digital infrastructure. At its most basic level, a PKI platform works by combining the public and private keys held by two parties so that only they can read the encrypted data that they exchange. For example, when a website is visited on a browser, the two parties perform a “handshake” that authenticates both of them to each other and swaps public keys so they can seamlessly send and receive data. One party knows they can trust the other because a secure digital certificate, issued by a trusted certificate authority (CA), underwrites their authentication.

As the need for secure digital interactions has grown, so has the range of security uses of PKI. Initially, PKI was primarily used to issue and manage website SSL certificates. Today PKI underpins most of the digital world, from secure code signing to encrypting communications to authenticating and securing IoT devices.

Companies can create their own PKI systems, but many organizations will be hard-pressed to create a PKI that can match today’s security threats. For manufacturers and distributors of IoT devices, this is critical, as the security, reliability, and efficiency of an entire IoT ecosystem are compromised if devices and the data they gather and transmit can’t be trusted. Setting up and managing a PKI has also become more complex, requiring specialized skills and resources to ensure successful deployment and management of the PKI solution. As such, many organizations have turned to managed PKI services to handle the implementation and ongoing operation of their PKI infrastructure.

What is needed for a secure PKI?

PKI requires multiple elements to deliver the security organizations need while being flexible enough to not inhibit growth. Here’s an overview of what goes into making a successful, ongoing PKI implementation:

Well-defined certificate policies and procedures: To ensure both security and confidence, a PKI must have clear certificate policies and procedures that outline the PKI, its participating systems, and the duties of each participating system. The certificate policy governs factors such as the PKI architecture, certificate enrollment, key generation, revocation, and how each entity involved in the PKI handles its responsibilities throughout the certificate lifecycle.

Logical and physical security: PKIs should use some form of hardware security modules (HSMs) to securely perform cryptographic operations and protect private keys. However, that’s only the first step. HSMs and servers need to be located in a secured facility, with access limited to authorized personnel, clear security clearance procedures, and control processes and protocols to ensure root keys are kept safe from compromise or theft. 

Back-up and disaster recovery: There is no way to 100% guarantee any security system, even if they are extremely difficult to break. A PKI manager needs to have operations in place to recover these systems or mitigate these risks. Plans should include key and certificate backup and the security of those backup sites, key and certificate revocation procedures, and how to quickly restore service in case of downtime. 

Buying or building a PKI? The questions to ask

Companies considering a PKI deployment have two options: create an in-house solution or choose a third-party managed PKI service. To decide which is the better fit, identify your current capabilities and what your precise needs are. Here are some questions that can help clarify the direction you should take:

• Do you have dedicated expertise and resources?

Deploying and maintaining a PKI requires personnel with knowledge of digital certificate management, key generation, server maintenance, backup and recovery, PKI audits, and more. Most companies with a fully in-house PKI lack the knowledge and resources to manage it securely. Only 38% of IT and security professionals say they have sufficient IT security staff dedicated to their PKI deployment. Understanding your own team’s capacity for PKI implementation is a major factor in deciding whether to buy or build.

• Will you be able to scale securely as needs grow?

A major difference between an in-house solution and a managed PKI service is the capacity to scale the implementation. This is particularly true when talking about manufacturing and provisioning IoT devices where the PKI infrastructure might need to support thousands, or even millions, of certificates on a daily or weekly basis. A PKI service vendor that specializes in IoT devices will have the systems and processes in place to meet this kind of demand. However, for internal platforms, an increase in system pressures can severely test their team’s capacity, requiring even greater investment.

• How will you handle legacy devices?

The issuing and management of certificates for devices that are being deployed currently are not the only challenges that a built PKI will have to handle. Previous versions and older,  “brownfield” devices are a latent risk wherever they are in their lifecycle, especially if they lack the proper credentials or identification. Any organization with these devices will have to find a way to provision these devices and bring them up to security standards or replace them, a difficult if not impossible prospect for most in-house teams.

• What’s it going to cost?

All of this adds together to the central problem of cost. Run the numbers. The high initial outlay and ongoing resource costs of an internal PKI deployment often can be significantly higher than a managed PKI service. Organizations with extremely small deployments and that have few security concerns, however, may find it more cost-effective to manage their own PKI.

What to look for in a PKI vendor?

If you decide to go with an external managed PKI service, there are still several factors that should be considered.

Strength of security

Make sure the processes, systems, and facilities a vendor employs are held to the strictest security standards with multiple layers of protection. For example, biometric authentication mechanisms to control access and authorization, security guards, and surveillance of internal and external areas. They should also maintain comprehensive audit logs and have a strong, secure, and reliable disaster recovery process in place.

Scalability and configurability

PKI infrastructure needs to remain relevant and secure as your business grows. Look for a managed PKI service that can easily or automatically increase its provisioning without presenting major hurdles in terms of price or performance. Also make sure that it includes mechanisms to embed rich identities that can enable complex authorization statements and which can be updated and reconfigured as market needs and regulations demand. This is particularly critical for IoT device provisioning.

Speed to market and flexibility

The length of time it takes a managed PKI service provider to get devices provisioned and to market should be a big factor in whether to go with them or not. They should also be able to provide considerable flexibility in terms of the means of provisioning and technology used. Vendors should be compliant with standards such as NIST, WebTrust, and ISO to not only provide assurance but make sure your devices are using secure identity protocols that comply with regulations for your industry.

Recognized expertise

A vendor should have not only the expertise to design and secure a PKI system, but also the knowledge to develop and deploy their product regardless of customer needs. Choose a vendor with a history of recognized experience and expertise in industries similar to yours. A reputation for responsive, high quality support is critical.

Seacert managed PKI service

Intertrust’s managed PKI service for IoT devices provides world-class security that can be flexibly provisioned and easily scales to grow with your business. It’s also the only PKI system that integrates with advanced white-box cryptography solutions, to securely provide credentials to brownfield devices already deployed in the field. To find out more about how Intertrust PKI can meet your PKI security needs, you can read more here or get in touch with our team.