There is no hotter tech sector right now than the Internet of Things (IoT). Everybody and anybody who is offering an internet connected device has an IoT story. As with many hot technology markets, there comes a lot of noise and confusion. Just in the consumer IoT market alone, there are multiple competing platforms and not all of them enable devices to interconnect with each other. In the industrial IoT (IIoT) market, not only are there competing platform vendors, but there are many industry organizations trying to define IIoT interoperability. Confused yet? Just wait…
Now, when we start to talk about security, there is even more confusion on where to get started and how to implement a security strategy. There are no fully defined or adopted standards, or security architectures for either consumer IoT or IIoT today. Many consumer IoT device manufacturers are sacrificing strong security measures to get devices to market. This could create serious issues down the road if vulnerabilities are exploited and devices cannot be secured. In the IIoT market, industry groups such as the Industrial Internet Consortium (IIC) and Trusted Computing Group (TCG) are actively working with security vendors on frameworks for IIoT security. But, these frameworks are still in the early stages and interoperability will need to be tested and addressed before they can be fully rolled out and implemented.
Before I discuss how you can get started with an IoT security strategy today, I just want to reiterate why we want to connect things. The benefits are simple – greater access, control, efficiency and optimization. When everything is connected and communicating, things work together, we can access these things from everywhere and anywhere and collect, share and analyze data to better manage our homes, our health, our cars, the environments where we work and operations of industry. All of this connectivity leads to higher performing systems, cost savings and new revenue streams.
How Can You Start Securing IoT Today?
Good question! As mentioned earlier, there is a lot of confusion here with no set standards or widely adopted frameworks that provide guidelines for securing IoT ecosystems. There is also such a diverse and disparate set of things that are being connected that all need varying degrees of security. Just think about the different vertical markets and specific use cases that need to be addressed. Then add on top of that all of the IT security vendors jumping on the IoT hype cycle, whether their solutions can effectively address IoT security needs today or in the foreseeable future. Just like securing the enterprise, IoT will need a layered security approach that will constantly change as new challenges arise.
One security technology that is standards-based and proven in devices today is public key infrastructure (PKI). PKI has been securing network connected devices by delivering trust and high assurance for decades already – making it ready for managing device identities for the IoT.
Importance of Identity in the IoT Ecosystem
By offering every “thing” a unique identity, PKI should be the foundation of any IoT security strategy. With a unique strong device identity, things can authenticate when they come online and ensure secure and encrypted communication with other devices, services and users. Because PKI is an established technology, it can be implemented in your IoT ecosystem today and integrates easily with other components of your IoT security solutions as you bring them on.
Strong device identity addresses core IoT security requirements:
- Trust – When a device connects to the network, it must authenticate and establish trust with other devices, services and users. Once trust is established, devices, users and services can securely communicate and transact encrypted data and information.
- Privacy – As more things connect, more data is generated, collected and shared. This data can include personal, sensitive and financial information that must be kept private and secure – often under regulatory compliance. A strong device identity can ensure communications are encrypted and secure and that the data being transacted will remain private.
- Safety – The safety of the user or users is extremely important. This can be in an industrial environment where a malicious attack on a single sensor could cause harm to employees. Or, what if during the manufacturing process, a hacker compromises a piece of manufacturing equipment that affects the final product? When the defect goes unnoticed before going to market, consumer/user safety can also be at risk.
- Integrity – This applies to both the devices themselves and the data being transmitted within the IoT ecosystem. The integrity of a device starts with proving it is what it says it is. With a unique strong device identity, we can ensure that the device software code and firmware are legitimate – reducing counterfeit products and protecting a company’s brand. Data integrity is an often overlooked requirement, but think about it. What good is connecting all of these devices and systems if the information being transmitted is unreliable?
Public Key Infrastructure (PKI) has been around for decades. It is standards-based and proven to work in a multitude of use cases – providing secure encrypted communications and mutual authentication between devices, services and users. As mentioned above, every “thing” can be provided with a unique identifier. PKI certificates are ideal in providing these things with the identities they need. Additionally, the latest developments in PKI are around scalability and enabling certificate issuance at unprecedented volume and velocity. GlobalSign’s hosted PKI service can deliver over 2,000 certificates per second.
Other ways PKI has evolved to make it a prime candidate for IoT include:
- Open and Closed Trust Models – Support for managed private CA and publicly trusted certificates.
- Unique Cryptographic and Certificate Features – A number of certificate options available depending on the capabilities or constraints of the devices in your environment, including alternative algorithms (ECC), non-standard validity periods and EKUs.
- Support for Strong Authentication Use Cases – Choose from a variety of authentication methods depending on the authentication capabilities of your ecosystem, including various assurance levels and credential types.
- Massive Volume and Velocity – High volume certificate services are capable of issuing thousands of certificates per second, and the certificates can be delivered automatically via APIs.
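The certificate options listed above, as an added example that is not GlobalSign's code or part of the original post: a private CA issues a device certificate with an ECC P-256 key, a clientAuth-only EKU and a 90-day validity period, and the certificate is then checked for client and server use. The CA name, device ID, profile and validity are constructed for illustration, and the OpenSSL command-line tool (1.1.1 or later) is assumed.

```bash
#!/usr/bin/env bash
# Added example: private-CA device identity. All names and values are constructed.
set -eu

issue_device_cert() {   # $1 = work dir, $2 = device id, $3 = validity in days
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example IoT
CN = Example IoT Private Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[device]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  # Closed trust model: a private root that only this ecosystem trusts.
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
  openssl req -x509 -new -config "$1/pki.cnf" -key "$1/ca.key" \
    -sha256 -days 3650 -out "$1/ca.pem"
  # Per-device ECC key and CSR; on real hardware the key would be generated
  # on the device itself and never leave it.
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"
  openssl req -new -config "$1/pki.cnf" -key "$1/$2.key" \
    -subj "/O=Example IoT/CN=$2" -out "$1/$2.csr"
  # Device profile: clientAuth-only EKU and a caller-chosen validity period.
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days "$3" -extfile "$1/pki.cnf" \
    -extensions device -out "$1/$2.pem" 2>/dev/null
}

check_device_cert() {   # $1 = work dir, $2 = device id, $3 = sslclient|sslserver
  openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2.pem" >/dev/null 2>&1
}

workdir=$(mktemp -d)
issue_device_cert "$workdir" sensor-0001 90
check_device_cert "$workdir" sensor-0001 sslclient && echo "client auth: accepted"
check_device_cert "$workdir" sensor-0001 sslserver || echo "server auth: rejected"
```

Restricting the EKU to clientAuth means a stolen device credential cannot be presented as a server certificate to other devices that trust the same root.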
What’s more, cloud-based PKI services from Certificate Authorities (CAs) such as GlobalSign are cost effective, with flexible business and pricing models to minimize your CAPEX, align costs with revenue and enable rapid deployments.
Build Identity in Today
In order to go to market today, IoT device manufacturers need to begin implementing security in the early design phases of their products. Security can no longer be an afterthought, as it has been in the past with so many legacy connected devices and products. Trying to retrofit security into devices already in use can be difficult, costly and a burden on the users.
Key benefits of building identity in from the start:
- Gain a Competitive Advantage – Build identity into your IoT devices and services to leverage secure functionality as a competitive advantage.
- Offer a Superior User Experience – Making security and identity easy to offer to your customers provides a positive user experience.
- Brand Reputation and Integrity – Assure products and software code are legitimate. Don’t let counterfeit products and malware impact your brand.
- Privacy and Safety Ensured – Ensure sensitive data remains private and the safety of your customers and users is not jeopardized by a malicious attack.
To learn more about how IoT security starts with identity, we welcome you to join the Trusted Computing Group’s (TCG) webinar, “Securing IoT Endpoints, Networks and the Cloud,” on September 20, 2016 at 12:00 PM ET. During the webinar, Lancen LaChance, GlobalSign’s Vice President of Product Management, IoT solutions, will discuss the need for strong device identities and how to get started today.