Comprehensive IoT security approaches, architectures, and frameworks are still undoubtedly in their infancy. GlobalSign is actively following, discussing, and learning from industry groups' perspectives on comprehensive IoT ecosystem approaches. Recently the Cloud Security Alliance (CSA) released its report, Security Guidance for Early Adopters of the Internet of Things, which is another step forward in laying down some specific control guidelines for building your IoT solutions.
While the CSA guide is aimed at overall security thinking for early adopters in the IoT, I feel the authors actually attempt to provide some concrete and specific guidance, rather than just general security mindsets, which is a great step forward. It also raises some good points and highlights areas in which GlobalSign makes a strong partner to beef up the security controls in your IoT ecosystem or application. The guide highlights seven security controls tailored to IoT environments, which aim to mitigate risks with the new technologies and environments. Here I wanted to comment on some of its salient points, extracting common themes as related to PKI, IAM, and cloud services.
PKI and Cryptography Considerations
First of all, this guide by no means glosses over PKI, and it's obvious the authors have strong backgrounds and understanding of PKI features and usage. The guide approaches concepts such as cryptographic algorithm choices, preshared keys vs. certificates, and key management.
Object and System Lifecycles
One of the key themes is to map out and design your object and system lifecycle, identifying areas at risk and lifecycle features to support mitigating those risks. This is definitely sound advice, as once this is done, it places the system owner in a much better position to take advantage of provisioning automation and certificate tracking offered by providers like GlobalSign who have specific expertise in this area. We recognize that while there are numerous options available for building out your own CA infrastructure, we also know firsthand the cost and complexity involved with doing it right.
The other PKI-related guidance in the report concerns how cryptographic credentials are used in the context of IoT-focused protocols, like CoAP, and how cryptographic authentication features are chosen for an IoT ecosystem. For example, CoAP provides several modes of operation (No security, preSharedKey, rawPublicKey, and Certificate). The first option is obviously not relevant to this conversation. The second, preSharedKey, provides basic authentication, but as the CSA team notes, it scales terribly in an IoT-sized system. The other two options, rawPublicKey and Certificate, are the approaches the group recommends. If possible, it's advantageous to choose the certificate mode over raw public keys. This way, you get the added capability certificates provide for more granular trust controls based upon the attributes in the certificate (Issuer, Names, Key Usages), along with the potential to leverage revocation services.
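To make the certificate-mode advantage concrete, here is an added example (not from the CSA guide or from GlobalSign) using only Go's standard library: a verifier that accepts a device only if its certificate chains to a trusted issuer, carries the expected name and key usage, and is not revoked. The test CA, the device name `sensor-0042.plant.example`, the clientAuth key-usage policy and the in-memory revocation map are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(name string, serial int64, eku []x509.ExtKeyUsage, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil { // self-signed root: may sign certificates, carries no device name
		t.IsCA, t.KeyUsage, t.DNSNames = true, t.KeyUsage|x509.KeyUsageCertSign, nil
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkDevice applies the certificate-mode controls: issuer chain, name, key usage, revocation.
func checkDevice(dev *x509.Certificate, name string, roots *x509.CertPool, revoked map[string]bool) error {
	opts := x509.VerifyOptions{Roots: roots, DNSName: name, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := dev.Verify(opts); err != nil {
		return fmt.Errorf("issuer, name or key usage: %w", err)
	}
	if revoked[dev.SerialNumber.String()] { // assumption: stand-in for a CRL or OCSP lookup
		return fmt.Errorf("serial %s is revoked", dev.SerialNumber)
	}
	return nil
}

func main() {
	ca, caKey := issue("Example IoT CA", 1, nil, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	dev, _ := issue("sensor-0042.plant.example", 2, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	fmt.Println(checkDevice(dev, dev.DNSNames[0], roots, nil), checkDevice(dev, dev.DNSNames[0], roots, map[string]bool{"2": true}))
}
```

With rawPublicKey the verifier has only the key itself to compare against an allow-list, so none of the issuer, name, key-usage or revocation checks above are available.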
Identity and access management (IAM) isn't addressed as deeply in this guidance as cryptography, but some good concerns and observations are still made which move the discussion forward. One of the observations we've made, which is echoed to a degree within the CSA guidance, concerns the integration of existing siloed enterprise systems like asset management systems. Right now there is a gap in how these types of systems fold into scenarios where enhanced-capability devices are integrated, which may be accessed or controlled by numerous services, users, or other devices.
The IoT's complexity due to scale affects IAM as well. In this area, GlobalSign has addressed a similar situation with our CustomerID product, which allows direct integration of existing identity repositories with new or auxiliary e-services to provide simpler but more robust identity relationship management, as well as authorization capabilities. We're actively working to fold this capability into IoT use cases to provide an equally useful and secure value proposition for IoT ecosystems.
Cloud services are the least directly addressed component of the CSA report, but they cast a shadow that threads through much of the dialogue. So with cloud services perhaps being the unmentioned "elephant in the room" of a guidance paper published by the Cloud Security Alliance, my take is that much of the guidance positions an organization to effectively bring on these services once the appropriate groundwork and security analysis are done.
There are a number of reasons why cloud services are a great option to consider in your infrastructure. The main one follows the traditional build vs. buy decision: if you're building an IoT ecosystem, product, or service, you want to be able to focus on the value proposition of that offering. Security often won't be at the forefront of the offering, but will be a requirement or expectation from the customer. Dedicating resources toward building the core of your platform, while choosing the right services to buy and integrate, is a proven strategy. This strategy, if done with sound security guidance and planning, not only offers a competitive cost model, but also allows the best security and identity management to be used.
Overall, I'm impressed by the guidance the CSA has put forward with explicit technical details around cryptography and PKI. Until recently, much of the conversation surrounding IoT security has been abstract or generic, so it's exciting to see this concrete advice being released by industry thought leaders. As we move forward as an industry, I'm also excited to see the next evolution of this guidance, which hopefully will contain some real-world examples and implementations.