Choosing a PKI service

What to Look For When Choosing a PKI Service

Posted On

By Prateek Panda


In the past decade, people have come to rely on smart devices such as phones and tablets, using them for work, communicating with friends and family, streaming shows, and more. What is rapidly becoming an even bigger presence in their lives, however, are automated devices such as smart thermostats, in-vehicle infotainment systems, smart home security systems, and smart medical devices that are controlled remotely or even run completely autonomously. 

The growth of IoT brings risk

Considering 75 billion IoT devices are expected to be connected by 2025, each household will have dozens of connected devices, all communicating autonomously with servers that collect and analyze data. Meanwhile manufacturers, utilities, and other businesses will increasingly employ industrial IoT to make their operations more efficient and safer.  But with this global glut of devices comes an ever-greater security risk of someone sending malicious commands to a device, or a rogue device wreaking havoc in a system or accessing services that it shouldn’t. Organizations need to protect the integrity of their business model by ensuring devices operate within their authorized context only.

Because devices can’t use usernames and passwords, they have to use a different mechanism when authenticating to services. The solution to keeping devices secure lies with using public key infrastructure (PKI). PKI creates trusted ecosystems and enables strong encryption of transmitted data while keeping devices safe from hacking attacks. With a variety of PKI services available, however, choosing the right one can be difficult. Here’s a look at some of the key questions you need to ask before selecting a PKI service. 

What to look for when choosing a PKI service

How secure is their process

Running a proper PKI service is a significant undertaking, it’s much more complex than hosting a server with a few HSMs. It’s a massive undertaking if done properly, and requires physical and logical security to be deployed, as well as strict policy and vetting of staff. The data centre holding the servers and HSMs needs to be a physically secured environment with access limited to authorized personnel only. Security measures might include guards, biometric authentication mechanisms for authorized individuals, and surveillance systems to monitor and record who enters and leaves the facility. Keys also need to be protected from insider threats, so they should employ multi-custody protocols that require two or more people to be involved in order to complete a sensitive operation. In addition, a strong, secure and reliable disaster recovery process needs to be in place.

Can they help you navigate PKI for IoT

Setting up a PKI is a daunting task, it’s not just the infrastructure, hardware security modules, secured facilities, policies, auditing etc., it’s also the expertise required. Is your PKI vendor willing to help you define your specific infrastructure, do they have a team of world-class PKI and security experts willing to assist you in defining a solution to meet your specific needs. Defining a device identity that works for you, not just  today but also in the future is a complex task, and many PKI vendors don’t have a great deal of experience doing this.

Does it provide flexible key provisioning options?

The process of providing a device with an identity is referred to as provisioning. Devices go through various stages designed to fulfill different security and key provisioning requirements. Once manufactured, the device identities need to get from the manufacturing source to the devices and services. There are two main approaches to provisioning device identities: factory provisioning and cloud-based field provisioning.

Increasingly, organizations are concerned about untrusted factory environments, especially by third parties in low cost geographies, where not all factory floor workers can be trusted to have access to sensitive keying material. With factory provisioning, the device identities are bound to the device in a factory during the manufacturing process. The primary reason to employ factory provisioning is to take advantage of secure hardware. Many modern chipsets have specialized hardware features such as one-time programmable memory (electrical fuses) and other on-chip storage which can be used to store cryptographic keys securely.

With cloud-based field provisioning, the device is given some minimal identity at manufacturing time, but it does not receive a complete identity until it is installed by the end user in the field. This is required if the identity of the device cannot be completely known until it is deployed. For example, the IoT service provider may choose an OEM or chipset provider well after those devices have been manufactured. In order to participate in the IoT service’s trusted ecosystem, the device needs a more complex identity than it was initially given.

How easy is it to scale?

The scale of IoT presents a variety of new challenges when it comes to taking devices to market. Manufacturers often aim to bring hundreds of thousands of devices at a time. And these numbers can go much higher when you factor in hardware revisions and device generations.
Each of one these devices has to be provisioned with unique secure device identities before they are ready for consumers to buy off the shelves. To maintain an effective and trusted ecosystem, each device identity must be different to help define capabilities and permissions for each device as well as enable compromised devices to be shut out. This can mean that as a company grows, they run the risk of outgrowing either their in-house PKI capacities or their third-party PKI provider. While many organizations implementing PKI start small, as they continue to grow they will need something that meets their expanding requirements.There are different ways to manage and handle this scale—multiple root CAs, single root CA with a hierarchy of subordinate CAs, etc. Irrespective of the strategy, the basic objective here is to set things up correctly from the beginning, so that increasing needs can be easily addressed. It’s sensible for you to question if a PKI service provider can keep up with your future demand without delays, cost increases, or a drop in service availability.

With Intertrust’s Seacert, we’ve created a system that is built to grow as our clients do, allowing us to provision up to 10 million device identities a day. We’ve already provisioned over 1.5 billion IoT device identities around the world.

What is the track record of the PKI Service?

In the field of trust and privacy management, longevity and experience indicate that a PKI service delivers what they promise and customers receive value from the service. With a well-established key provisioning service, you have the advantage of being able to research their performance and success with similar customers. If you serve an industry that requires compliance with strict regulations, such as medical devices, a solid reputation can be critical. While a newer service may be perfectly satisfactory, when it comes to trust, experience and a proven track record are a plus.

How much is it going to cost?

Having an in-house PKI service can give an organization greater control, but also means that they have to maintain a department with the skills and expertise to monitor and manage it, rather than focusing on their core objectives of device creation and innovation. A managed PKI service can replace an in-house operation, although the relationship, services, and scalability can differ depending on their capabilities. Calculating the costs of an in-house vs. managed PKI service is vital when pricing security into P&L projections and identifying potential synergies and savings.

Intertrust’s Seacert is one of the leading PKI services, used by manufacturers across the world to ensure the security of their trusted ecosystems. We offer a full range of key provisioning services, such as mutual authentication, access control, and secure over-the-air updates to create an incredibly safe infrastructure that allows you to focus on what you do best. 

Moreover, our service scales with ease and provides cost savings of 50% – 85% over an in-house PKI. To find out more about how Seacert can keep your devices secure at every stage of their lifecycle, get in touch with our team today.

seacert CTA Banner

About Prateek Panda

Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stem from his experience as the founder of a cybersecurity company with products in the mobile application security space.

Related blog posts

Blog

OWASP’s Top 10 IoT vulnerabilities and what you can do

Read more

Blog

Strategies to improve healthcare app and device security

Read more

Blog

Five tips for securing your connected devices

Read more