Securing IoT Devices in a World of Complexity

The IoT has come of age, and its momentum shows no signs of slowing. IDC predicts by 2025 there will be 41.6 billion IoT devices connected to businesses, and these “things” will generate 79.4 zettabytes of data. As IoT use cases extend deeper into every aspect of our lives, cybersecurity has become increasingly important—and complicated.

Digital trust is a must to assure these connected devices are secure. Public key infrastructure (PKI) has enjoyed wide adoption by IoT solution manufacturers as a primary method of achieving scalable trust. Proven, standards-based, and transparent for users, it lies at the heart of nearly every aspect of technology and digital security. PKI also supports strong security measures like authenticating connections, signing software, and encrypting sensitive data. However, despite the wide adoption of PKI, in many ways, the PKI world is still an untamed wild, wild west.

IoT Security is a World of Unmanaged Chaos

What’s making PKI security for IoT so difficult? The diversity, volume and limited visibility of many IoT deployments combine to present unique challenges. IoT solutions are being deployed across a dizzying array of environments, in every imaginable use case, running on user devices, appliances and sensors in many form factors.

The sheer volume of devices is also introducing new challenges for organizations utilizing PKI. According to the 2021 State of PKI Automation Report, the typical enterprise managed over 50,000 certificates. But today, enterprises are facing massive surges in the number of certificates they manage.

The same report found that 37% of enterprises use more than three departments to manage certificates, leading to confusion, administrative overhead and time-consuming, error-prone manual processes. These multiple departments may be siloed organizations, which contributes to limited visibility into the state of their certificates. Nearly half, or 47%, say they frequently discover so-called “rogue” certificates—certificates that were implemented without IT’s knowledge or management. It’s impossible for organizations to secure what they can’t see.

Without Digital Trust, IoT Can’t Work

IoT devices themselves have inherent vulnerabilities. The same quality that makes the IoT so advantageous—the ability to connect a wide variety of devices of all form factors—is what makes protecting it so difficult. Every process and transaction is based on trusted connections and information exchange, so authentication is critical.

Data is constantly flowing in real time between devices at the edge and back to the data center network, so assured confidentiality is also essential to protect that data. Maintaining digital trust and data integrity is essential not only for device interactions themselves but also for supporting secure firmware updates, device boot processes and other core requirements.

Complexity permeates almost every aspect of IoT use cases, from the devices themselves to the environments they are operating in.

Whether the endpoint is a sensor on the factory floor, a medication pump in a hospital or a home security camera, every device has its own computation and power requirements, as well as specific communications protocols. Characteristics of the hardware also vary widely. Some microcontrollers may be highly secure, featuring tamper-resistant designs and separate storage areas for keys, among other protections, while others may be more open and vulnerable.

Securing IoT Requires a Layered Approach

Organizations need a layered approach. PKI certificates can play an important role in each of these layers, to support key processes like authentication and data integrity. To overcome the inherent complexity of IoT deployments, PKI management at scale is essential for every layer. According to the State of PKI Automation report, 91% of enterprises are at least discussing automating the management of PKI certificates.

Safeguarding the Device Layer

The device layer of IoT deployments is made up of all the endpoints, sensors and other devices that are connected to the system. An IoT deployment might acquire data from just one device, such as a home appliance or from hundreds or thousands of devices on a farm or smart utility network.

Protecting the IoT Gateway Layer

The IoT gateway layer plays an intermediary role. It’s made up of software or a device that gathers data from IoT devices, then transmits it to the cloud. At this layer, PKI encryption can be used to maintain the integrity of data that is flowing to the cloud.
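As an added illustration of the device- and gateway-layer checks described above (example code written for this page, not from the original article or from DigiCert): the gateway trusts only devices whose certificates chain to the managed enterprise IoT CA, so a device certificate issued by an unregistered "shadow" CA, one of the rogue certificates the report describes, is rejected even though it is otherwise well formed. CA names and device identifiers are constructed; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a self-signed CA when parent is nil, otherwise a device (client-auth) cert signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer := key
	if parent == nil { // CA: allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tmpl
	} else { // leaf: usable only to authenticate the device as a TLS client
		tmpl.ExtKeyUsage, signer = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// gatewayTrusts is the gateway-layer check: the device cert must chain to a trusted CA and permit client auth.
func gatewayTrusts(roots *x509.CertPool, dev *x509.Certificate) bool {
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// demo builds a constructed enterprise IoT CA and a "shadow" CA IT never registered, then tests one device cert from each.
func demo() (managedOK, rogueOK bool) {
	roots := x509.NewCertPool()
	entCA, entKey := issue("Enterprise IoT CA", nil, nil)
	roots.AddCert(entCA) // only the managed CA is in the gateway's trust store
	shadowCA, shadowKey := issue("Shadow CA", nil, nil)
	managed, _ := issue("pump-0042", entCA, entKey)
	rogue, _ := issue("pump-0043", shadowCA, shadowKey)
	return gatewayTrusts(roots, managed), gatewayTrusts(roots, rogue)
}
```

In a deployment the same verification is what a TLS server performs with client-certificate authentication enabled; the point here is that visibility into which CAs are trusted is what makes a rogue certificate detectable at all.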

Securing the IoT Cloud and Platform

The IoT platform layer is made up of cloud or on-premises data centers that enterprises use to manage and archive data. After IoT data is loaded to the cloud, it can be processed and utilized by tools and applications in the platform layer.

Automation and Management are Essential for IoT Security

As IoT adoption continues to mature, it’s more important than ever that organizations take responsibility for their own systems and understand how and where their keys and certificates are deployed. With a scalable, automated approach to certificate lifecycle management, together with security best practices, organizations can establish a strong level of digital trust. Ultimately, they can better ensure that their IoT deployments deliver their intended outcomes, without compromising enterprise security and compliance.

Mike Nelson

Mike Nelson is the VP of IoT Security at DigiCert, a global leader in digital security. In this role, Nelson oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Nelson frequently consults with organizations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them. Nelson has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Nelson’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.