
3 Reasons You Need a Root of Trust When Orchestrating Machine Identities

September 5, 2018 | Juan C. Asenjo, nCipher Security

The expansion of the Internet of Things (IoT) has created a need for trusted tools to identify and validate a growing number of Internet-connected machines (defined here as applications or physical devices that collect data). Analyst firm Gartner projects that by 2020 the number of deployed IoT machines will reach 20.4 billion. In a recent blog post, I discussed the need to manage and protect the identities of these machines, given the volume of digital credentials involved. In this post, I dig a little deeper into the subject and describe the main reasons why you need a root of trust to secure enterprise IoT deployments.

The Growing IoT and Need for Trust

The rate at which IoT machines are being deployed across enterprise networks is accelerating rapidly. The IoT focuses on collecting data and maintaining situational awareness of the operational and business environment. The insights obtained enable decisions to be made quickly, often automatically and without human intervention, to optimize processes.

However, with more machines online than people on the planet, the IoT is driving demand for trusted digital identities. Trust is essential to the success of the IoT: if you cannot trust the machines and the data they collect, any insight derived from that data is questionable and could lead to misguided actions.

To manage machine identities and ensure that machines are who they claim to be, enterprises need to deploy digital credentialing systems with a strong root of trust. To do this, organizations need to understand how to issue machine credentials and how to manage them securely so that the technology can be trusted. Fortunately, public key infrastructures (PKIs) offer the foundation for establishing and managing digital identities at the scale the IoT demands.

The Role of the PKI Framework

PKIs have been used for decades to identify and authenticate individuals and machines. A PKI comprises the hardware, software, policies, processes, and procedures needed to manage digital identities, and it enables the use of digital signatures and encryption across large populations of users and devices. As the IoT has grown, PKIs have become more important. The Ponemon Institute's PKI Global Trends Study, commissioned by Thales, found that the IoT is the fastest-growing trend driving the deployment of PKI-enabled applications; respondents expected that within the next two years an average of 43 percent of their IoT devices would use digital certificates for identification and authentication. The security of a PKI, however, rests on an auditable chain of trust anchored in a root of trust that you can depend on.
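
To make the chain of trust concrete, here is an added example in Go (not code from this post, nor from Thales or Venafi) that uses only the standard library: a root CA key signs a device certificate, a relying party verifies the device against the root, and a look-alike CA that copies the root's name but does not hold its private key fails verification. The CA name and the device identifier are hypothetical, and the CA key is a software key so that the example runs stand-alone; the point of the post is that in production that key lives in an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair. For a real CA the signing key would be
// generated and kept inside an HSM; a software key is used here only for the demo.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustParse turns the DER returned by x509.CreateCertificate into a Certificate.
func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// IssueRoot self-signs a CA certificate: the root of trust for the ecosystem.
func IssueRoot(name string, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey))
}

// IssueDevice signs a leaf certificate binding deviceID to the device's public
// key. Only the holder of the issuer's private key can produce a certificate
// that chains to that issuer.
func IssueDevice(deviceID string, devPub *ecdsa.PublicKey, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, issuer, devPub, issuerKey))
}

// VerifyDevice is the relying party's check when a device connects: the
// certificate is accepted only if it chains to the trusted root.
func VerifyDevice(dev, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := dev.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Demo builds a genuine chain and a look-alike chain minted by an attacker who
// copied the CA's name but does not hold its private key, and reports whether
// each device certificate verifies against the genuine root.
func Demo() (genuineOK, rogueOK bool) {
	caKey := newKey()
	root := IssueRoot("Example IoT Root CA", caKey) // hypothetical CA name
	devKey := newKey()
	genuine := IssueDevice("sensor-0001", &devKey.PublicKey, root, caKey) // hypothetical device ID

	// Same subject names, different signing key: the attacker's own root.
	rogueKey := newKey()
	rogueRoot := IssueRoot("Example IoT Root CA", rogueKey)
	rogue := IssueDevice("sensor-0001", &devKey.PublicKey, rogueRoot, rogueKey)

	return VerifyDevice(genuine, root) == nil, VerifyDevice(rogue, root) == nil
}

func main() {
	genuineOK, rogueOK := Demo()
	fmt.Printf("genuine device certificate verifies: %v\n", genuineOK)
	fmt.Printf("look-alike CA's certificate verifies: %v\n", rogueOK)
}
```

Names, serial numbers and validity periods carry no trust on their own; the verifier accepts the device only because the signature on its certificate checks out under the public key of the root it already trusts. Whoever controls that root's private key controls which machines the ecosystem believes in, which is why the post puts that key in an HSM.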

Why You Need a Root of Trust

PKIs employ asymmetric cryptography using a key pair: a private component and a public component. The certificate authority (CA) keeps its private key secret and uses it to sign the certificates it issues to individuals or machines; anyone holding the CA's public key can verify those signatures, so the CA's signing key anchors the trust in every identity it issues. Securely provisioning a certificate, together with the private key that corresponds to it, into a machine establishes that machine's identity and provides the mechanism to authenticate it later, once it becomes part of a closed ecosystem. Here are three reasons why you need this root of trust when orchestrating machine identities:

  1. Protecting Signing Keys
    The identity of machines depends on the PKI and its signing keys. Maintaining the secrecy of the signing key is essential to the security of the entire system: anyone who obtains it can issue credentials for arbitrary machines that the ecosystem will accept. The root of trust of a PKI is therefore built on the ability to protect and manage the signing keys in a robust and isolated environment. PKIs with a hardware security module (HSM) at their root of trust enable the secure issuance of machine credentials, which in turn validate the identity of machines and the integrity of the data they collect. HSMs are purpose-built, certified devices that safeguard cryptographic keys and enforce their lifecycle policies. Their use is considered a best practice in data security and is often required by regulators for high-assurance systems.
  2. Enforcing Dual Control
    The root of trust of a PKI must be protected not only from external attacks but also from internal threats. For this reason, it is imperative that no single individual or entity be able to access the signing keys or change their lifecycle policy. By enforcing dual controls, which require two or more authorized individuals (typically a k-of-n quorum of key custodians) to enable sensitive operations, HSMs further protect PKI signing keys and strengthen the root of trust.
  3. Facilitating Data Security and Compliance
    As more IoT applications collect and process private and sensitive data, whether patient information, customer preferences, or data from critical processes, certifying that the machines collecting this data are legitimate is a concern for both data security and regulatory compliance. In addition to strong cryptographic key protection and key management, HSMs maintain logs of key use that facilitate auditing and compliance with government and industry data security regulations.
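
The dual-control idea in the list above, as an added illustration in Go that is not code from this post or from any HSM vendor: a 256-bit key-wrapping key (a constructed sample standing in for the key that protects the CA signing key) is split into three shares with Shamir's secret sharing, so that any two custodians can reconstruct it while a single custodian learns nothing about it. HSM products implement administrator quorums in their own ways; this block shows only the underlying k-of-n mechanism.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Arithmetic is done in GF(p) with p = 2^521 - 1 (a Mersenne prime), large
// enough to hold a 256-bit key-wrapping key as a single field element.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one custodian's piece: the polynomial evaluated at x = Index.
type Share struct {
	Index int
	Value *big.Int
}

// Split produces n shares of secret such that any k of them reconstruct it
// while any k-1 reveal nothing about it (Shamir's threshold scheme).
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k {
		return nil, fmt.Errorf("invalid quorum %d-of-%d", k, n)
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, errors.New("secret too large for the field")
	}
	// f(x) = s + a1*x + ... + a(k-1)*x^(k-1), so f(0) is the secret.
	coeffs := []*big.Int{s}
	for i := 1; i < k; i++ {
		a, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, a)
	}
	shares := make([]Share, 0, n)
	for x := 1; x <= n; x++ {
		bx, y := big.NewInt(int64(x)), new(big.Int)
		for j := len(coeffs) - 1; j >= 0; j-- { // Horner's rule mod p
			y.Mul(y, bx).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares = append(shares, Share{Index: x, Value: y})
	}
	return shares, nil
}

// Combine interpolates f(0) from the given shares (Lagrange interpolation at
// x = 0). With fewer than k shares the result is a value unrelated to the secret.
func Combine(shares []Share) (*big.Int, error) {
	acc := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		xi := big.NewInt(int64(si.Index))
		for j, sj := range shares {
			if i == j {
				continue
			}
			xj := big.NewInt(int64(sj.Index))
			num.Mul(num, new(big.Int).Neg(xj)).Mod(num, prime)     // (0 - xj)
			den.Mul(den, new(big.Int).Sub(xi, xj)).Mod(den, prime) // (xi - xj)
		}
		if den.Sign() == 0 {
			return nil, errors.New("duplicate share index")
		}
		term := new(big.Int).Mul(si.Value, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime)).Mod(term, prime)
		acc.Add(acc, term).Mod(acc, prime)
	}
	return acc, nil
}

func main() {
	kek := make([]byte, 32) // constructed sample: the key that wraps the CA signing key
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	shares, err := Split(kek, 2, 3) // three custodians, any two form a quorum
	if err != nil {
		panic(err)
	}
	want := new(big.Int).SetBytes(kek)
	fromTwo, _ := Combine([]Share{shares[0], shares[2]})
	fromOne, _ := Combine(shares[1:2])
	fmt.Println("two custodians recover the key:", fromTwo.Cmp(want) == 0)
	fmt.Println("one custodian recovers the key:", fromOne.Cmp(want) == 0)
}
```

A single share is one point on a random line (or, for higher k, a random polynomial) through the secret, so it is consistent with every possible secret; only a full quorum pins the polynomial down. In an HSM the same principle is enforced inside the hardware, where the reconstructed key never leaves the device.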

The Way Forward

Security solutions from Thales and its technology partner Venafi can help you establish a root of trust, so you can deploy and use the IoT with confidence. Thales and Venafi can help you design and implement a PKI root of trust that protects your IoT deployments and accelerates your organization's digital transformation. Venafi Advanced Key Protect provides automated orchestration for key generation, installation, and protection. Thales nShield Connect HSMs leverage strong hardware-based security to protect critical signing keys, enforce dual controls, and facilitate compliance, establishing a FIPS and Common Criteria certified root of trust.

To learn more and earn CPE credits, join Thales and Venafi on our joint webcast Orchestrating Machine Identities in the IoT: Securing the Chain and Root of Trust. You can also follow me on Twitter @asenjojuan.

About the author

Juan C. Asenjo, nCipher Security

Juan is Senior Manager, Global Partner Marketing at nCipher Security. He is an accomplished writer and presenter with doctoral academic research experience in data mining and knowledge discovery.
