June 19, 2017

How PKI has evolved to solve the IoT security issue

We all know that the ever-expanding Internet of Things (IoT) brings with it some significant security challenges. How can a vastly proliferating ecosystem of connected devices, many of them too small to include sophisticated embedded security systems, deliver adequate protection of the data they generate, transmit and store? How can organizations harness the benefits of the IoT without compromising the security of their corporate network?

One solution that clearly fits into the evolving IoT security picture is Public Key Infrastructure, or PKI.

What is PKI?

As an infrastructure, PKI is not one single ‘thing’. Rather, it is a set of rules, policies and procedures – all based around the principal of digital certificates. These policies verify the ownership of public keys – that is, the disseminated keys that form one half of public key cryptography pairs. Those pairs of keys achieve two crucial security functions: they authenticate the sender of information, and they encrypt that information – only the holder of the paired private key can decrypt the message on the public key. The key pairs are authenticated and bound to respective identities by digital certificates, which are issued by certificate authorities (CAs) like ComodoSymantec and DigiCert.

In short, PKI provides a framework to both verify the identity of devices, and to protect the data transmitted between those devices. It has long been used to secure devices ranging from network routers and servers to individual printers and fax machines. And because it is open standard, free to adopt and customise, it is a clear choice for businesses.

How does this fit into the IoT?

The IoT ecosystem is entirely new by comparison with traditional corporate IT infrastructures. The IoT will have 20X the volume of devices, a far greater diversity of devices, with new devices being provisioned faster than ever before – all without human intervention.

Fundamentally, though, those devices need to follow the same security principals as any other devices on corporate IT infrastructures. In particular, the identity of each device must be verified. This is what PKI can offer.

The first step in securing the IoT with PKI is to securely on-board each individual connected device into an IoT application. From there, PKI certificates must be provisioned. Each PKI certificate proves the identity of the associated device to the IoT Platform/Application. Specific devices or gateways may also require additional verification, such as username/password credentials.

The obvious problem is that in a vastly expanding IoT landscape, the task of manually on-boarding and provisioning each individual device quickly becomes unmanageable. It’s enormously time-consuming – and the risk of human error, which could open severe security flaws, increases along with the volume of devices. Yet each individual device still needs its own unique PKI certificate.

Another key requirement of PKI for IoT is the ability to manage these certificates at IoT Scale, e.g. revoke or rotate certificates as per the policy.

Automated provisioning of those PKI certificates securely without human intervention is the obvious solution – and this, fundamentally, is how PKI has evolved to solve the unique challenges of the IoT. This is where Device Authority comes in.

Our KeyScaler platform is all in-in-one solution for IoT device identity and validation – and the latest iteration of the platform enables the automatic provisioning of PKI certificates and policy based certificate management securely at IoT scale.

Device Authority’s extensively patented technology binds the PKI certificate to the respective device, only that device can use it, can’t be copied.

It automatically proves the identity of each connected device, and encrypts all data between the device edges and central servers, thereby delivering a truly granular and automated software security solution for the dynamic IoT landscape.

Click here to learn more about how KeyScaler could help your business.

Sign up for our webinar on July 13th which looks at Automated and Trusted PKI for IoT with speakers Damon Kachur from Comodo and David Aiken from AWS Marketplace.

Robert Dobson