It seems you can't go a day without hearing about the Internet of Things (IoT). While there's no questioning the scale and impact it's going to have on life as we know it, there is one major outstanding question (okay, more than one, but we'll stick to this one for now) - how are we going to secure this explosion of connected devices and services?
I'd like to propose that IoT key players, including platform providers and device manufacturers, take a look at PKI (and I'm not the first to do so). It's a tried and true standard that's been securing the connections between servers, machines, and devices for years, and it seems like a natural fit.
So what role can PKI play in securing the IoT? Let's start by taking a look at how it meets the traditional information security principles.
“When you’re looking at authenticating devices, the only real standards at the moment that offer any real interoperability tend to be Public Key Infrastructure (PKI).” (source)
I'm talking here about authentication in the sense of authenticating devices to cloud services, users to devices, and device to device (or "thing" to "thing"). As many have pointed out, PKI has been used to authenticate machines and servers for decades, and is an open standard for interoperability.
“[In the Internet of Things] Privacy needs to be thought of as a functional requirement and not just a quality attribute…built-in and not bolted on.” (source)
Given the types of devices coming online - smart grids, elements of other critical national infrastructure, health monitors, etc. - privacy is a major concern. Encrypting communications to and from devices is essential. PKI-based solutions supply the keys and the trust needed to establish encrypted channels (for example, TLS), ensuring the privacy of communications.
"Strangely all the security focus seems to be on privacy, as if the public disclosure of the contents of your fridge is something to be feared." (source)
While there's no denying the privacy concerns in an IoT ecosystem, the above quote raises an interesting point. I think it's extremely important to consider the integrity of that data at the time of consumption. Much of the transformative value of IoT depends on devices being able to make decisions and act on their own, without human intervention. In these scenarios, both the value and the risk are directly tied to the integrity of the data.
Consider the impact of scenarios with heart monitors or insulin pumps relying on spoofed data sources. Or what about energy-regulating components that need to trust the operational commands sent to them? These types of scenarios highlight the value of the data integrity that PKI can provide.
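As an added example (not code from the original post), here is a small Go program, using only the standard library, that puts the authentication point above and the integrity point here side by side: a root CA issues a certificate to a device, the device signs each reading with its private key, and the consumer first checks that the presented certificate chains to the trusted root and only then checks that the signature matches the payload. The CA and device names, the serial numbers, the JSON readings and the "rogue CA" are all constructed for the example; encrypting the channel itself (the privacy point) is left to TLS and is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Reading is one telemetry message as received: payload, device signature, device certificate.
type Reading struct {
	Payload []byte
	Sig     []byte
	Cert    *x509.Certificate
}

// check panics on setup errors (key generation, certificate encoding).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and returns a certificate for it signed by parent;
// with a nil parent the certificate is self-signed (a root CA). Names are constructed.
func issue(name string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a CA may sign other certificates; a device certificate may not
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// signReading is the device side: sign the SHA-256 digest of the payload
// and attach the certificate that vouches for the signing key.
func signReading(key *ecdsa.PrivateKey, cert *x509.Certificate, payload []byte) Reading {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return Reading{Payload: payload, Sig: sig, Cert: cert}
}

// verifyReading is the consumer side: authenticate the sender by chaining its certificate
// to a trusted root, then check payload integrity against the signature. Act on data only if both pass.
func verifyReading(roots *x509.CertPool, r Reading) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := r.Cert.Verify(opts); err != nil {
		return fmt.Errorf("device not trusted: %w", err)
	}
	if err := r.Cert.CheckSignature(x509.ECDSAWithSHA256, r.Payload, r.Sig); err != nil {
		return fmt.Errorf("payload integrity check failed: %w", err)
	}
	return nil
}

// Demo runs three scenarios and reports whether each was handled correctly.
func Demo() (genuineAccepted, tamperedRejected, spoofedRejected bool) {
	ca, caKey := issue("Example IoT Root CA", 1, true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// 1. A legitimately enrolled pump reports a (constructed) reading.
	devCert, devKey := issue("pump-0001", 2, false, ca, caKey)
	payload := []byte(`{"device":"pump-0001","glucose_mg_dl":110}`)
	genuine := signReading(devKey, devCert, payload)
	genuineAccepted = verifyReading(roots, genuine) == nil
	// 2. The same message altered in transit: the signature no longer matches.
	tampered := genuine
	tampered.Payload = []byte(`{"device":"pump-0001","glucose_mg_dl":400}`)
	tamperedRejected = verifyReading(roots, tampered) != nil
	// 3. A certificate naming pump-0001 but issued by a CA outside the trust store:
	// the chain check fails before the payload is even considered.
	rogueCA, rogueKey := issue("Rogue CA", 1, true, nil, nil)
	rogueCert, rogueDevKey := issue("pump-0001", 3, false, rogueCA, rogueKey)
	spoofedRejected = verifyReading(roots, signReading(rogueDevKey, rogueCert, payload)) != nil
	return
}

func main() {
	g, t, s := Demo()
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, spoofed rejected: %v\n", g, t, s)
}
```

The order of the two checks in verifyReading is deliberate: the chain check answers "who is talking to me?" before any bytes of the payload are trusted, and the signature check answers "is this what they sent?". A real consumer would add two things this example omits: revocation checking for the device certificate, and a check that the identity in the certificate (the CN here) matches the device the payload claims to come from, so that one enrolled device cannot report on behalf of another.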
So is PKI the answer for securing IoT?
It's clear that PKI helps tick the three major information security boxes covered above - authentication, privacy, and integrity - but it goes beyond that as well. Overall, PKI's largest role is to support and maintain trust in the IoT ecosystem.
Of course, that's somewhat easier said than done, given the unprecedented scale and diversity IoT brings to the scene. PKI as we know it will need to adapt and evolve to accommodate these new considerations, but that's one of the best things about it! While it's based on decades-old standards, it offers enough flexibility to adapt to changing requirements. I'll be covering these new requirements in a future post, so stay tuned!
What do you think? Is PKI the answer? Let us know in the comments!