In 1973, Bob Dylan released his hit song Knocking on Heaven’s Door. In 2016, increasing number of devices connected to the Internet are now knocking on your closed network domain door. Ensuring you only let in those devices that are legitimate is critically important. To that end enterprises must be vigilant of the security risks and challenges that the new Internet of Things (IoT) presents. While the provisioning of identification credentials for controlled device authentication has received much attention among security professionals, an equally important but less often discussed aspect is the enrollment of devices within closed network domains.
Why is network enrollment important?
IoT devices use digital certificates for identification and authentication, but without an enrollment process, these cannot be properly registered to control access to closed network domains. Unauthorized devices access can create vectors that can introduce malware and pose serious risks to the enterprise. Public key infrastructures (PKIs) issue and manage credentials for identification and authentication of devices using a certificate authorities (CAs), but a certificate enrollment processes must also be in place to maintain registration records for controlled access. Enabling growing number of connected devices to securely enroll their certificates is a critical component of enterprise security that needs to be at the center of the IoT security discussion.
How does enrollment work?
Identification and authentication of the digital identities of devices ensures their authenticity and the integrity of their firmware. Enrollment in a closed network domain ensures that only authorized devices are allowed access. Enrollment is done by binding device certificates to a corresponding private key using the CA as the root of trust. Safeguarding and managing the cryptographic keys that underpin the registration process is vital for providing the foundation of trust for the entire ecosystem. As more connected devices are deployed to support the IoT, PKIs are expected to not only protect the Root CA private key that underpins the security of certificates issued across the domain, but also their registration.
Critical factors to consider
When the certificate issuance and registration process is executed on servers using keys stored locally in files, the keys can be subject to attacks that can make them vulnerable to duplication, modification, and substitution. Hardware security modules (HSMs) increase the assurance level of the certificate issuance and enrollment process by protecting the private issuance and enrollment keys. Organizational PKIs not using HSMs to protect their private keys, and not employing mechanisms to issue, enroll, and validate certificates, leave themselves vulnerable to compromise with potential severe consequences. HSMs like Thales our nShield, provide a hardened environment that protects security-critical keys from theft and misuse, and enable their full life cycle management. Binding certificate issuance to identity checks using an HSM, and controlling the enrollment and validation of certificates, have been important lessons learned from security compromises in the industry. One way Thales is we are helping enable secure certificate enrollment for IoT devices is through its support of Microsoft Network Device Enrollment Service (NDES). Another way is by delivering a robust root of trust for IoT platforms such as Samsung ARTIK™.
When analyzing the security implications of IoT, don’t forget to consider device enrollment. With a growing number of connected devices, Thales can help you to securely answer that knocking on your network’s door.