Seven advantages of using managed PKI for IoT

By Ali Hodjat


Think of a world where billions of devices constantly communicate with servers and each other, receiving instructions and updates while transmitting user data and executing functions. A technophile’s dream—and cybersecurity nightmare—this Internet of Things (IoT) is now rapidly taking shape, becoming ever more integrated into our daily lives.

With 75 billion IoT devices set to be rolled out by 2025 and used in virtually every sector, including healthcare, automotive, and home appliances, the potential for IoT to improve lives is clear. But the downsides from a security perspective are also apparent. Unsecured devices can become vectors of attack for hackers, giving them plentiful opportunities to steal sensitive data, transmit false information, take control of a device’s functionality, and compromise entire development and manufacturing systems.

Manufacturers use Public Key Infrastructure (PKI) to create trusted ecosystems for devices. It allows devices to be provisioned with identities that govern their access to services, giving vendors greater control over security, even after the devices have left the safety of the manufacturer’s environs.

A PKI solution can either be created in-house or delivered by a third party as a managed PKI service. As creating an in-house PKI is a significant undertaking in infrastructure, engineering resources, security processes, and cost, many manufacturers opt for managed PKI services. What are the primary benefits of using a managed PKI solution? Let’s break it down.

1. Speed to market and scalability

One of the major advantages of a managed PKI solution over an in-house model is how much more quickly and cost-effectively you can begin implementing device provisioning. There is no need to hire personnel and set up facilities, technology, and processes in order to be up and running. In addition, because an in-house PKI requires significant planning and infrastructure, it can be difficult to respond to changes in either the market or a company’s goals. A managed PKI service, on the other hand, provides scalable identity provisioning that can be increased or reduced on demand.

2. Hardware Security Modules

Managed PKIs use hardware security modules (HSMs), which come in the form of custom peripheral cards or appliances where secure cryptographic operations are performed. HSMs are expensive but necessary pieces of equipment to ensure keys and cryptographic operations are fully protected and never appear in the clear. Creating an in-house PKI solution requires absorbing the initial CAPEX investment associated with HSMs. However, when subscribing to a managed PKI service, IoT platform providers can take advantage of a flexible as-you-grow business model with no initial cost for HSMs for key storage.

3. Lifecycle certificate management

Managing device identities over the lifespan of an IoT device is a complicated task when building an in-house PKI platform. To maintain trust in the public key infrastructure, a managed PKI service can carefully monitor the issuing, renewal, use, and potential misuse of digital certificates throughout their lifecycle. Compromised certificates could allow hackers to infiltrate secure ecosystems. To prevent this, a managed PKI service maintains a Certificate Revocation List, which identifies compromised or misused certificates that should no longer be trusted. 

4. Secure facilities and protection from insider threats

The physical security of the infrastructure used in a managed PKI is an essential concern for full-service certificate authorities. It requires the implementation of a variety of security systems to protect against theft or infiltration risks. These layers of protection can include biometric authentication mechanisms to control access and authorization, security guards, and surveillance of internal and external areas. They should also have a strong, secure, and reliable disaster recovery process in place.

Managed PKI services also take strong measures to ensure their systems are protected from insider threats, including extensive and regular security checks of employees and the use of multi-custody protocols that require two or more people to complete sensitive operations. In addition, comprehensive audit logs must be maintained and managed. 

5. Providing complex device identities

Some PKI services can provision device identities with complex digital certificates that offer more flexibility, functionality, and protection than standard X.509 certificates. While X.509 certificates provide authentication and allow for secure communications, they cannot, for example, enable the device to verify the authenticity of code or firmware updates, provide authorization statements to define what the device is allowed to do, or securely store sensitive data. The ability to provision complex device identities is particularly critical for IoT devices.

6. Flexible provisioning options

A managed PKI service should be able to offer both factory provisioning and cloud-based field provisioning. In factory provisioning, the device identities are bound to the device in a factory during the manufacturing process, with cryptographic keys inserted into hardware through one-time programmable chips. Increased security can also be added by limiting access to the key injection process to authorized personnel.

As there can be several stages along a device’s supply chain which increase complexity or decrease security (such as the use of third-party manufacturers with suboptimal security standards), a managed PKI can also provision identities remotely through cloud-based field provisioning. To do this, a device is first given a minimal identity (a bootstrap key) at production time. Later on, once it is deployed in the field, it can be authenticated and receive its full secure identity through cloud-based delivery.
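The field-provisioning flow described above, sketched as an added example that is not Intertrust's or Seacert's code. It assumes an HMAC-SHA256 challenge-response over the bootstrap key; `ProvisioningService`, `device_proof`, the device ID and the sample public-key bytes are hypothetical, and the returned fingerprint stands in for the certificate a real CA would issue.

```python
import hashlib
import hmac
import secrets


def device_proof(bootstrap_key, device_id, nonce, identity_public):
    """Device side: bind the server nonce and new public key to the bootstrap key."""
    did = device_id.encode()
    msg = len(did).to_bytes(2, "big") + did + nonce + identity_public
    return hmac.new(bootstrap_key, msg, hashlib.sha256).digest()


class ProvisioningService:
    """Cloud side (hypothetical): holds the bootstrap keys recorded at production."""

    def __init__(self, bootstrap_keys):
        self._bootstrap = dict(bootstrap_keys)  # device_id -> bootstrap key
        self._pending = {}                      # device_id -> outstanding nonce
        self.provisioned = {}                   # device_id -> identity fingerprint

    def challenge(self, device_id):
        if device_id not in self._bootstrap:
            raise PermissionError("unknown or already provisioned device")
        nonce = secrets.token_bytes(16)         # fresh per attempt, blocks replay
        self._pending[device_id] = nonce
        return nonce

    def enroll(self, device_id, proof, identity_public):
        nonce = self._pending.pop(device_id, None)  # a nonce is valid only once
        key = self._bootstrap.get(device_id)
        if nonce is None or key is None:
            raise PermissionError("no outstanding challenge for this device")
        expected = device_proof(key, device_id, nonce, identity_public)
        if not hmac.compare_digest(expected, proof):  # constant-time comparison
            raise PermissionError("bootstrap proof mismatch")
        del self._bootstrap[device_id]          # retire the bootstrap key after use
        fingerprint = hashlib.sha256(identity_public).hexdigest()
        self.provisioned[device_id] = fingerprint
        return fingerprint


def demo():
    key = secrets.token_bytes(32)               # constructed sample bootstrap key
    service = ProvisioningService({"dev-001": key})
    public = b"constructed-sample-public-key"   # placeholder for a real public key
    nonce = service.challenge("dev-001")
    return service.enroll("dev-001", device_proof(key, "dev-001", nonce, public), public)


if __name__ == "__main__":
    print(demo())
```

Because the bootstrap key is retired on success, a captured proof or a cloned bootstrap key cannot be used to enroll a second device under the same ID.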

7. Certificate Authority oversight

To ensure that managed PKIs are following best practices with regard to certificate provisioning, management, and revocation, the WebTrust Program for Certification Authorities was established by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Possessing this level of validation reassures you that the certificate authority is performing all necessary steps to protect the infrastructure and processes.

Trust a service designed for IoT

The Internet of Things has the potential to change the world but also presents massive security challenges for device manufacturers. A managed PKI service can help you deliver a trusted ecosystem for the development, manufacture, and monitoring of an IoT device network. Secure authentication enables the participation of millions of devices in a network without the risk of one break compromising the system. 

At Intertrust, our Seacert full-service managed PKI has been designed specifically for the needs of the IoT industry, providing the security and flexibility needed to protect millions of devices. As a leading provider of managed PKI services, Seacert has provisioned nearly two billion devices with unique identities. To find out more about what’s needed to embed secure IoT device identities, download our whitepaper, “Creating Secure IoT Device Identities,” or get in touch with our team directly.

About Ali Hodjat

Ali Hodjat is a Director of Product Marketing at Intertrust Technologies. He has extensive experience in leading product management and product marketing activities in the fields of content protection and pay-TV security, anti-piracy, and IoT security solutions.