The Internet of Things (IoT) enables devices, sensors, and objects to interact with other devices in real time without human involvement, adding data-driven intelligence to cars, homes, medical devices, and more. The interaction and communication between different devices is usually engineered with the intention of elevating our standard of living. For example, IoT for homes lets us perform certain actions remotely, like switching electrical appliances on and off, managing heating or air-conditioning systems, and alerting us of security breaches.
IoT has become a focal point for technological advancement and research. Embracing IoT requires new ways of thinking, especially in regards to safeguarding your applications and devices. New threats are created and invented by the day. Building security into the roots of connected products and their applications will ensure devices are shielded from attacks through their entire lifecycle.
Secure identities for IoT devices — Why they are needed?
One of the major components of IoT involves large scale manufacturing and distribution of devices. In the midst of pressure, competition, and the massive potential IoT holds for revenue generation, security is often overlooked or it takes a back seat on the priority list. Instead, manufacturers tend to focus more on time to market. However, when so many devices are communicating back and forth with different elements in this ecosystem, ‘trust’ becomes a critical component in security. Every device should be able to securely authenticate itself to hosts, and that validate any instructions are from the appropriate trusted authorized service.
Secure device identity
So how do we know if the IoT devices and services we use are legitimate and not another trap door that leaves us vulnerable and exposed? As simple as it may seem, device identity is one of the most critical components in IoT security—and it is often overlooked.
To ensure that your IoT devices operate securely in an untrusted ecosystem, it is important to ensure that they are underpinned with a secure and trusted device identity. The device identity can comprise certificates, keys, policy documents and a variety of other custom data. For the identity to be trusted it needs to be securely generated and delivered, and one of the best ways to do this is through public key infrastructure (PKI) technology. The role of PKI is to generate and manage keys and certificates that are used to validate communication between two or more parties and ensure that data is transmitted securely. This helps create a trusted ecosystem that enables trusted communication between servers, devices, and users.
How do you implement a PKI?
There are many PKI services that you can choose from, both traditional and modern options. You could even acquire the capability and build one on your own. However, secure PKIs are complex to build and require vast experience and knowledge. Even if your business has the resources, time and money to build one, it may be more cost effective to make use of a proven, certified and reliable third‑party service.
It is important to keep in mind the scalability of your business. PKI may be comparatively easy to manage with a few hundreds of devices, but gets very complex when it scales to tens of thousands of them. Many PKI service providers haven’t had the opportunity to work on this scale as yet. Your team, your infrastructure, and resources would need to grow along with it. Let’s not forget the physical security of your infrastructure, data centers, the vetting of people going in and out and more. In addition, traditional PKIs are designed for corporate identity and access control, and SSL certificates are limited in function and may not be best suited to deliver complex device identities.
Most businesses’ core competencies lie in delivering value and benefits to different users. Since there are many components that make up a market-ready device, it is best to leave something like security, and especially the managing of PKI, to service providers that are experts. This ensures that your attention is primarily on delivering great services without compromising security.
Intertrust PKI solutions
It is important that you choose a security vendor that understands the role of secure provisioning in the context of the supply chain, manufacturing environment, cryptography, and cryptographic hardware.
Intertrust’s expertise in device identity provisioning and managed PKI services are demonstrated through Seacert. With a complete, full-service managed PKI that specializes in device identities at scale for trusted ecosystems, Seacert is purpose-built for businesses that want complete control over all the stakeholders in their ecosystem. Seacert has already provisioned well over 1.5 billion device identities and is recognized as a global leader in secure device provisioning. Built to scale effortlessly, Seacert currently provisions over 10 million devices daily.
Even though IoT is a relatively new industry, the technologies behind are evolving at a rapid pace. Many businesses are quick to adopt IoT services in order to stay relevant and expand their competitive advantage. However, in this whole ecosystem of interconnected communication, trust will constantly remain the underlying component for true uncompromised security. Ensuring secure identities amongst the billions of devices across the globe will help facilitate this trust. PKI will be at the forefront to enable this. Intertrust’s Seacert helps facilitate a playground where devices can securely communicate and mutually authenticate one another to ensure that only legitimate data and commands are passed through without fear of being compromised.
About Paul Butterworth
Paul Butterworth is an experienced payment and security professional, having spent almost 30 years in the card, payments and IT security industries. Paul is responsible for global product marketing for the Intertrust Secure Systems’ and device identity solutions.