Connected devices, Internet of Things, Internet of Everything are all coming. One way or another our every day utilities and devices we use will be connected to the Internet for one reason or another. The information security community sees thunderclouds, tsunamis and hurricanes in the horizon when the number of connected devices explodes. This concern is justified as previous examples have shown. Manufacturers and vendors are in a rush to add this connectivity, and could overlook even the most obvious security measures.
The Internet already has a working trust framework - PKI. You see it daily when you conduct business online. Just look at the browser address field, and if you see a green box on the left, you can be 99.9999% sure that you are dealing with the correct site. Why not 100% - well, I'm an infosec professional, so I know that every system can be broken given enough time and resources. The point is that PKI and properly vetted certificates are the building blocks for a trustworthy infrastructure.
A certificate can be used to properly identify [something: device, app, server, person, etc.]. The trust is anchored to the Certificate Authority (CA) that issued and signed the certificate. There are multiple widely trusted CAs in the world, GlobalSign being one of them. On a daily basis millions of Internet users trust our certificates.
In IoT, certificates are very good alternatives to identify devices amongst other things. When a manufacturer produces a device, a device certificate should be issued to the device itself, preferably into a tamper resistant environment. The issuing CA certificate must also be installed. This enables the device to determine if a software update that it received is good to install through code signing certificates. When the device is communicating with the vendor systems certificates are used to identify the communicating parties, and even for encrypting the data.
Securing the device communication is the first step. Securing the user access to a device would be the next step. And, here is a part where many vendors still struggle. Devices are shipped with default passwords. Users are not forced to change these credentials. And, if they are, nothing is done to prevent them from using "password1." The password itself is already a poor choice. We have too many of them, and when the number of connected devices grow we will get frustrated when we have to create and maintain a bunch of passwords for each of our connected devices too.
Alternatively, the device could support new protocols such as OAuth to easily implement support for third party authentication sources from social identities to trusted identities. Installing and activating the device could utilize a vendor portal where the owner could link their existing identity to the device, in essence pairing the device certificate to the user identity. The ease of use and user experience is the key. When users can utilize their existing identities to access devices, or the data they've generated using something familiar and easy, it will increase satisfaction. Identity and Access Management (IAM) solutions will provide that ability for IoT.
In some cases, there are several users for a device, but typically only a single owner. So, the owner should be able to authorize others to accomplish various things. A smart lock is a good example. The owner of the lock, lets say Dad, needs to authorize other identities to get the lock open. Not just family members, but maybe an electrician, friend of the family etc. Maybe the family fridge is a smart one and is connected to Internet and your local eGorcery. Dad needs to authorize others in the family to order items for the next delivery, but maybe also restrict these orders to avoid the freezer being filled with ice cream. Connected devices and online services linked to these devices need flexible authorization functionalities.
The trinity? Authorization - Identity - Device security - AID.
GlobalSign combines high-volume PKI technologies with an award winning IAM solutions to offer a comprehensive package to any IoT stakeholder to secure their solution, improve customer experiences and satisfaction, and ensure scalability. Talk to us today to learn more.