Our Technology Foundation
IoT security calls for a new paradigm in which IoT service providers and manufacturers must inspire trust in order to attract customers and build successful businesses.
A question of trust
For IoT to be successful, humans must trust the security, safety and privacy of this massive transformation in both our business and personal lives. The IoT security model calls for a new paradigm in which IoT service providers and manufacturers must inspire trust in order to attract customers and build successful businesses.
For truly secure IoT products, we need to implement a Secure by Design approach, with a chain of trust propagated from the beginning. In this chain of trust, every step depends on the security of the previous step. The very first step must therefore be a security foundation established at the time of manufacturing, along with the trust anchor and the processes that support device onboarding, a step that is missing or disconnected today.
The challenge of trust and device identity
In many cases within the IoT, the old approach of verifying device identity alone is not enough. The device may, for example, only be trusted if it is both verified and in a certain location, at a certain time. A specialist IoT trust layer, therefore, needs to account for multiple key attributes as per the security policy of each specific device and its association to the application.
Compounding the problem is the operational complexity of provisioning and managing the trust layers at IoT scale, even if the right security protocol is available. Any IoT security framework needs to enable easy automation.
The biggest change and challenge in the IoT is device identity. While advances are being made in some aspects of traditional identity management using username/passwords, X.509 and SAML certificates, these methods are still inadequate and rarely address IoT use cases for identity.
A common problem is how to provision and bind the identity to the device, and how to securely manage it as per policy.
Let's take a real-life example...
A user identity trust model uses two-step authentication, for instance when logging into Google mail, Dropbox or an online banking portal from a new device. To log in, you need the account password and the One-Time Pin (OTP), a unique one-off code sent to your registered mobile phone at the time of the login attempt. Once this is confirmed, login is complete. In this example, there are 3 levels of security: the password, the OTP and the time window of authentication. Anyone attempting to hack the account would need to know all 3 elements, as well as the account user name.
How can we construct an identity trust model for headless IoT devices using this same methodology, without human intervention?
Our Trust Model
Imagine bringing an IoT device into an environment: what aspects can be relied on for security, safety and privacy? What are the intrinsic properties and capabilities that make it trustworthy? Unless we can establish trust for the device and trust for data, universal IoT adoption will be impeded.
Our vision is to deliver a new paradigm for IoT security and introduce four fundamental security elements to deliver device trust. These are:
The Device is the Key – Patented and trademarked trust anchor
Public Key Infrastructure (PKI) based technologies, products and services have long been proven as a trust fabric in the IT world. Our patented technology, The Device is the Key, plays a major role in the trust foundation: it authenticates and verifies the device's physical and environmental attributes and integrity for each authentication session, enabling sub-second device identification and authentication that meets each IoT trust policy's requirements.
The methodology involves Dynamic Device Key Generation (DDKG), which provides a unique authentication challenge based on the device's physical and environmental attributes, enabling reliable device authentication. By leveraging this extensively patented M2M authentication technology, The Device is the Key provides a complementary trust anchor for devices with or without a HW root of trust, thereby simplifying IoT deployments, reducing the attack surface and extending support to legacy devices that don't have a hardware trust anchor.
What is unique about Device Authority’s The Device is the Key based authentication?
It delivers multiple levels of authentication without the need for any human intervention in the process, so headless connected IoT devices can operate autonomously with the same proven multi-factor approach.
Combining proven PKI with the patented The Device is the Key technology, Device Authority is able to deliver the trust foundation for any type of IoT use case.
Our technology is trademarked and patented: a unique patented trust anchor provides the security foundation for our platform. It is flexible enough to support standards-based PKI as the use case requires, and a multiple-agent architecture underpins the platform, supporting all industry platforms.