nCipher Security Blog

Guest Blog: Why it’s Critical to Orchestrate PKI Keys for IoT

According to Statista, the number of connected Internet of Things (IoT) devices will rise to 23 billion this year.

From industrial machinery and intelligent transportation to health monitoring and emergency notification systems, a broad range of IoT devices are already being deployed by enterprises. And each of these devices requires network connectivity so it can collect and transfer data.

Because IoT devices typically have limited CPU and storage, many of them transmit data in the clear, with weak or no authentication, to a central collection unit where it is stored, analyzed and forwarded securely for further use. Unless communications between IoT devices and the wider enterprise network are authenticated and protected with valid, unique machine identities, the data flowing from these devices can be stolen or tampered with. Doing that is challenging in practice: the same constrained processors that keep these devices cheap mean they often cannot run anything beyond the standard cryptography built into them at the factory.

Each IoT device and application requires its own machine identity to operate securely within its ecosystem. More manufacturers are provisioning factory-originated machine identities so that each device can be unambiguously identified; these are often thought of as the device's "birth certificate." Since most devices are deployed by organizations that did not manufacture them, each device also needs a second machine identity, issued by and trusted by the organization deploying it; this is often thought of as the device's "driver's license." Both identities can be compromised and must be actively tracked, monitored, and managed for maximum security.

Organizations need to understand how to support machine credentialing for IoT and how to securely manage the increased demand for certificates. Secure generation and storage of machine identities requires a root of trust, and security professionals consider hardware security modules (HSMs) the best practice for providing one. HSMs provide a certified environment for generating and safeguarding strong cryptographic keys, including the critical keys that public key infrastructures (PKIs) use to sign device certificates. As a tried and tested foundational technology, PKI provides the framework for managing digital certificates for people, machines, and devices. Thales eSecurity's 2018 Global PKI Trends Study revealed increased reliance on PKI as a core enterprise asset and root of trust. To make PKI work at the scale the IoT demands, PKI administrators need not only an HSM root of trust but also careful orchestration.

Given the number and variety of IoT devices now connecting to corporate IT environments, organizations can't manage this machine identity protection process manually. The only way to secure machine-to-machine communication at machine speed is to orchestrate the process of discovering, provisioning, and remediating machine identities. Automating the orchestration of machine identities for IoT will improve security, increase efficiency, and help meet compliance requirements.

Orchestrating keys for IoT helps you authorize and grant appropriate access to resources and applications without human intervention. By coordinating all verified machine identities, you can verify the security of machine-to-machine connections and communications for IoT, enabling the creation of secure encrypted tunnels at machine speed and scale.

The following are three security challenges that organizations will have to overcome to securely orchestrate machine identity credentialing for IoT:

  1. Gain visibility of IoT across all keystores. Organizations need to identify every IoT device connected to their IT environments, assign it a machine identity, and monitor that identity to help protect and authenticate its communication. Without key life cycle orchestration, it will be difficult for organizations to discover and create an accurate inventory of all IoT machine identities.
  2. Centrally manage all keystores, including IoT. Previously, when organizations attempted to automate the entire key life cycle, they had to create custom scripts or run manual processes—both of which required major investments. Orchestrating key management eliminates error-prone manual efforts that resulted in high-maintenance solutions that did not scale.
  3. Consistently apply enterprise policy controls to IoT. Without automated workflows, provisioning and change management controls, it is difficult to ensure that IoT machine identities comply with security and operational policies. Orchestrating key management will help organizations ensure that IoT machine identities are created within policy and are thus the only machines allowed to authenticate to each other.
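The two-tier identity described earlier (the factory-issued "birth certificate" and the enterprise-issued "driver's license") and the policy gate in item 3 can be seen end to end in the following added example. It is not code from the original post or from Venafi. It assumes the Python `cryptography` package, made-up organization names, a hypothetical fleet domain `iot.example.com`, and an invented enterprise policy (P-256 keys, at most 90 days of validity, a clientAuth EKU, a SAN under the fleet domain, never self-signed); in-memory CA keys stand in for the HSM-held keys a real deployment would use.

```python
# Factory "birth certificate", enterprise "driver's license" and a policy gate for IoT identities.
# Added example, not code from the post or from Venafi; needs the `cryptography` package. Every
# organization name, the fleet domain and every policy value below is made up for illustration.
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = dt.timezone.utc
DER = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
# Assumed enterprise policy: P-256 key, at most 90 days validity, clientAuth EKU, SAN under the fleet domain.
POLICY = {"curve": ec.SECP256R1, "max_days": 90, "domain": "iot.example.com"}


def _name(cn, org):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _sign(builder, issuer_key, days):
    now = dt.datetime.now(UTC)
    return (builder.serial_number(x509.random_serial_number()).not_valid_before(now - dt.timedelta(minutes=5))
            .not_valid_after(now + dt.timedelta(days=days)).sign(issuer_key, hashes.SHA256()))

def make_ca(org):
    """Self-signed root. An in-memory P-256 key stands in for the HSM-held key a real CA would use."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = _name(f"{org} Root CA", org)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
         .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True))
    return key, _sign(b, key, 3650)

def issue_birth_cert(mfr_key, mfr_root, serial):
    """Factory identity: long-lived, bound to a key generated per device, no deployment-specific names."""
    dev_key = ec.generate_private_key(ec.SECP256R1())
    b = (x509.CertificateBuilder().subject_name(_name(serial, "Example Device Maker"))
         .issuer_name(mfr_root.subject).public_key(dev_key.public_key())
         .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True))
    return dev_key, _sign(b, mfr_key, 365 * 20)

def make_csr(key, subject):
    # Enrollment request signed by the device key, i.e. proof of possession.
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())

def signed_by(cert, issuer):
    """Direct issuer check: signature over the TBS bytes plus name chaining (no dates or revocation)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return cert.issuer == issuer.subject

def _ext(cert, cls):
    try: return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound: return None

def enroll(ent_key, ent_root, trusted_mfr_roots, birth, csr, policy=POLICY):
    """Enterprise CA: issue a short-lived "driver's license" only if the birth certificate chains to a
    trusted manufacturer root and the CSR is signed with that same key. Returns None when refused."""
    if not any(signed_by(birth, root) for root in trusted_mfr_roots):
        return None  # unknown manufacturer or forged factory identity
    if not csr.is_signature_valid or csr.public_key().public_bytes(*DER) != birth.public_key().public_bytes(*DER):
        return None  # requester does not hold the birth-certificate private key
    serial = birth.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    b = (x509.CertificateBuilder().subject_name(_name(serial, "Example Corp Fleet"))
         .issuer_name(ent_root.subject).public_key(csr.public_key())
         .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
         .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
         .add_extension(x509.SubjectAlternativeName([x509.DNSName(f"{serial}.{policy['domain']}")]), critical=False))
    return _sign(b, ent_key, policy["max_days"])

def policy_violations(cert, policy=POLICY):
    """Empty list means the identity is within policy and may authenticate inside the fleet."""
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=UTC)  # tz-aware >= 42
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
    eku, sans = _ext(cert, x509.ExtendedKeyUsage), _ext(cert, x509.SubjectAlternativeName)
    names = sans.get_values_for_type(x509.DNSName) if sans is not None else []
    checks = [
        (not isinstance(getattr(cert.public_key(), "curve", None), policy["curve"]), "key not on required curve"),
        ((na - nb).days > policy["max_days"], f"validity {(na - nb).days}d exceeds {policy['max_days']}d"),
        (cert.issuer == cert.subject, "self-signed"),
        (eku is None or ExtendedKeyUsageOID.CLIENT_AUTH not in eku, "missing clientAuth EKU"),
        (not any(n.endswith("." + policy["domain"]) for n in names), "no SAN in fleet domain"),
    ]
    return [msg for bad, msg in checks if bad]

def demo():
    """A genuine device, a device from an untrusted maker, and a CSR backed only by a copied birth cert."""
    mfr_key, mfr_root = make_ca("Example Device Maker")
    ent_key, ent_root = make_ca("Example Corp")
    dev_key, birth = issue_birth_cert(mfr_key, mfr_root, "SN-000123")
    licence = enroll(ent_key, ent_root, [mfr_root], birth, make_csr(dev_key, birth.subject))
    rogue_dev_key, rogue_birth = issue_birth_cert(*make_ca("Unknown Maker"), "SN-EVIL")
    stolen_csr = make_csr(ec.generate_private_key(ec.SECP256R1()), birth.subject)  # attacker's own key
    return {"birth_chains_to_maker": signed_by(birth, mfr_root),
            "licence_issued": licence is not None,
            "licence_violations": policy_violations(licence),
            "birth_violations": policy_violations(birth),
            "rogue_refused": enroll(ent_key, ent_root, [mfr_root], rogue_birth, make_csr(rogue_dev_key, rogue_birth.subject)) is None,
            "stolen_cert_refused": enroll(ent_key, ent_root, [mfr_root], birth, stolen_csr) is None}
```

Running `demo()` shows the split the post describes: the 20-year factory certificate chains to its maker's root but fails the enterprise policy on three counts (lifetime, no clientAuth EKU, no fleet SAN), so it is never accepted as a fleet identity on its own; the 90-day "driver's license" the enterprise CA issues passes every check. A device whose birth certificate comes from a root not in `trusted_mfr_roots`, or a requester who copied a birth certificate without its private key, is refused enrollment. `signed_by` is deliberately a direct issuer check only; production enrollment would also validate dates, path constraints and revocation, and would keep both CA keys in an HSM.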

Organizations that deploy HSMs widely should consider adding the ability to centrally manage all their distributed keystores to consistently apply enterprise policy controls. Orchestration of key management will help them protect the machine identities used for IoT. By orchestrating and ensuring that critical keys never leave a trusted security boundary, organizations can deploy IoT technologies and confidently make their journey to digital transformation.

How safely are you managing machine identities for IoT devices?

For more information on this topic, please visit Venafi.

About Ben Rogers

For over 17 years, Ben Rogers has engaged with enterprises to determine the best security implementations to meet their business and technical needs. His experience spans the software development life cycle including pre-sales engineering, architecture, design, development, test, and solution implementation. His technical expertise includes cryptography, including PKI, mainframe security, and cloud security. Ben is a published author on topics including best practices for securing cryptographic resources, identity management, and key distribution. He has also been an Adjunct Faculty member at Marist College where he taught an accredited on-line class “Introduction to the New Mainframe – Security.”