October 20, 2021

Building secure products with security automation doesn’t have to be difficult

Last week Device Authority delivered a 3-day Virtual IoT Security Summit, and had a wide range of cloud providers, security vendors, analysts, etc. speak about the security challenges and solutions for delivering IoT. Looking back at the event and taking stock of the number of partners attending and the solutions and services on offer, it’s clear to me that not one vendor can provide a complete end-to-end IoT solution. However, it does make me think how important the ecosystem is to be able to pull together a robust Edge to Enterprise IoT solution.

A lot of IoT projects struggle because of the sheer number of ecosystem vendors that have a play in IoT, and because there are so many different pieces that must be thought about to bring a product and service to market safely and securely. From a security standpoint, a lot of the folks speaking at the Virtual Summit said “IoT demands a robust identity and security model to deliver device trust and data trust at IoT scale”.

If you think about it, every vendor of an IoT application has their own APIs, every IoT device supplier has their own software stack and hardware, and every Enterprise service provider has their own service APIs, feature sets, nuances, etc. Although having such a great ecosystem of vendors is a big positive, it does pose some challenges for interoperability, for building an Edge to Enterprise solution, and for including security management.


OEMs and IoT Device Makers

Making security easier to implement and deploy securely must be a top priority for security vendors. It’s not just about device trust and device security; it’s the holistic view of what makes an IoT project secure from the Edge to the Enterprise. It helps to make it easier for OEMs and IoT device makers to build in security and automation from the outset, aka secure by design/privacy by design. It also helps make it easier to connect to IoT applications, platforms, Enterprise software vendors, CAs, HSMs, detect and respond visibility platform providers, etc.

One area which can help ease the burden on IoT solution vendors is to make it easier for device makers and OEMs to include trust, data privacy and automation in their devices. This essentially takes all the heavy lifting out of the way for OEMs and customers, meaning a customer should be able to buy a device/product pre-validated and tested with these security features onboard, enabling Edge to Enterprise protection. Our recent KeyScaler Ready program is a good example of this, and I would encourage more security vendors to do the same – help seed the market with security-enabled products which customers can connect to the Enterprise.


IoT Platforms and Enterprises

Another area which must be addressed is making it easy for Enterprises to automate the security of these pre-validated devices into their chosen cloud applications/IoT platforms. This requires an IoT Identity Access Management (IAM) service which has pre-built service connectors to a wide range of security services, such as Azure (DPS, IoT Hub, IoT Central, Key Vault, ADCS, Sentinel, etc.), AWS IoT Core, PTC ThingWorx, Ericsson, CA vendors (DigiCert, HID, Sectigo…), HSMs (Entrust and Thales), Detect / Respond visibility platforms… actually far too many to mention. The point I’m trying to make is that you need a wide range of service connectors coupled to your IoT IAM vendor to leverage your existing Enterprise infrastructure and services for IoT – and enable the Edge to Enterprise security automation that’s required for your use case.


Plug and Play with an IoT IAM platform

In the end, having pre-built service connectors and devices pre-validated for security automation, coupled to an IoT IAM platform like KeyScaler, means that customers can focus on the core IoT value proposition that their IoT project is going to bring to businesses, not on how to implement security and automation. This takes plug and play to a whole new level and essentially can help projects become more secure, get to market quicker, cost less to implement/manage and reduce the burden on development teams to pull the various security components together from the Edge to the Enterprise.

Robert Dobson