The creation of trusted ecosystems has never been more important. The massive growth in mobile applications and IoT devices means that many organizations now operate networks with potentially millions of points of communication, either for sending data such as updates or receiving data in the form of usage metrics or personal account information.
While the uptake in new technologies has seen tremendous innovation and enabled extraordinary growth for companies that have harnessed new technologies and data sources, there are also considerable risks. This huge and widely diversified network of data receptors and sensors creates a minefield for potential data theft and malicious interference by hackers.
One of the most powerful tools to counter the multitude of threats that face IoT device networks is the implementation of Public Key Infrastructure (PKI). PKI provides a well-defined, secure system for authenticating and encrypting critical information. When used properly, a PKI deployment can create a secure, trusted ecosystem that facilitates secure data exchange and extends the life of an IoT device. However, too many organizations often fall prey to common PKI deployment mistakes, making their PKI infrastructure more difficult to manage and less secure than they realize.
In a recent Ponemon study, 73% of the participating security professionals said mismanaged digital certificates caused unplanned downtime and outages. Here we’ll take a look at some of the common mistakes that hinder PKI deployments for IoT devices.
Top five PKI deployment mistakes
Lack of planning and tracking
The first port of call for ensuring PKI deployment best practices is to have a structured and well-considered plan of implementation from the start. Taking a mix-and-match approach to a PKI system will not only lead to vulnerable “creases” and security risks but also increase costs due to teams needing to engage in reactionary security firefighting rather than proactive scaling and implementation.
Once a system has been in place for a while, if it hasn’t been built in a structured and easily-traceable manner, an organization can lose track of what certificates it has issued. This is one of the most common PKI deployment mistakes. That same Ponemon study found that 74% or organizations do not know exactly how many keys and certificates they have, where to find them, or when they expire. The consequences of such mismanagement range from failed audits to certificate and key misuse that can ultimately compromise an organization’s systems. Such as happened when attackers pushed a malicious version of ASUS Live Update using ASUS security certificates to install backdoors on over a million PCs.
Root certificate authority security
In PKI deployments, all trust stems from the certificate authority (CA). It issues the root certificate that underpins the validity of the security keys used to verify and authenticate identities. Outlining and following specific security guidelines—such as who can obtain a certificate and when a certificate is revoked—is crucial for establishing and maintaining trust in CAs and avoiding PKI deployment mistakes.
Unfortunately, most organizations do not conduct sufficient or regular audits of relevant certificate authorities to ensure that they are actually implementing the Certification Practice Statement (CPS) they have committed to. If they are not doing so, the entire network could be at risk. This is what happened with the major hack of the DigiNotar certificate authority. The hack led to false certificates being issued for the websites of AOL, Microsoft, the CIA, and others, all of which had to be later tracked down and revoked.
Not allocating sufficient internal resources
Running an in-house PKI takes a lot of time, effort, and money. Probably the most prevalent mistake made when deploying PKI is underestimating the resources needed. It requires specialized skills and a dedicated team so that your PKI does not get sidelined by other pressing IT and security initiatives.
A lack of clear ownership and sufficient resources can lead to vulnerabilities through unpatched software, non-updated revocation lists, lack of policy enforcement, and the inability to respond effectively to an outage or security incident.
Not considering the entire lifecycle
The rollout of your PKI is just the beginning. A frequent PKI deployment mistake is lack of forward planning for the entire certificate lifecycle. Certificates expire, or may need to be revoked. Poor handling of the expiration of certificates can cause widespread outages and significant expense. You also need to include mechanisms for key archival and retrieval.
Not adequately protecting keys
For devices and software applications, the storage of the security keys that are used in the PKI is a major vulnerability. Assuming that the CA you use takes all the necessary precautions regarding theft and infiltration of the HSMs that store keys, you still must ensure your own systems are protected from insider threats, running regular employee security checks, and employing multi-custody protocols to complete sensitive operations.
Moreover, hackers can use a variety of techniques to analyze and detect keys while they are in use or transit. Once in control of these keys, they can decrypt private data or pose as authenticated users to access systems. The issue is especially pronounced when it comes to provisioning older devices that are already in the field and that lack a secure update mechanism. Additional software based cryptography should be used to make sure keys never appear in the clear.
How to tackle your PKI problems
Keeping an organization’s ecosystem secure is essential for consumer trust, regulatory compliance, and corporate risk reduction. Using a PKI can present excellent value for money in terms of outlay versus protection and can be one of the most strategic weapons in a company’s arsenal against malicious actors seeking to steal information or compromise IoT devices. However, PKI deployment mistakes mean that many organizations end up spending more on a system that fails to adequately secure.
That’s why many organizations turn to managed PKI services, such as Intertrust Seacert, whose specialized expertise allows them to create safe and flexible ecosystems for device provisioning to ensure that every step of the journey from factory floor to the end of life is protected by secure cryptographic protocols. Not only does a managed PKI service remove the need for keeping specialist skills in-house, but it’s also easily scalable to grow as your company does.
Download our white paper to find out more about Seacert managed PKI and how you can use it to create secure IoT device ecosystems.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s device identity solutions. His expertise in product marketing and product management stem from his experience as the founder of a cybersecurity company with products in the mobile application security space.