Historically speaking, it’s very difficult to secure code signing operations for IoT devices. When developers haphazardly sign code, IoT updates can be ripe for attack. As we’ve seen with Stuxnet, stolen code signing keys and certificates are powerful cyber weapons. Venafi is committed to enabling our customers to protect their business-critical applications, and to support this effort, we created the Machine Identity Protection Development Fund. With $12.5 Million, the Fund sponsors the development of integrations with the Venafi Platform over the coming years, accelerating the expansion of the Venafi ecosystem.
In eleven months since the Development Fund’s inception, nearly 20 companies have focused on building integrations with the Venafi platform. Recently I had the pleasure of getting to know an important new developer and learning about the exciting plans they have for the Venafi Platform. In this continuing interview series with developers, today I am speaking with James Penney who is CTO at Device Authority in the United Kingdom.
Bridget: What does Device Authority do?
James: Device Authority is a global leader in Identity and Access Management (IAM) for the Internet of Things (IoT). In particular, we focus on medical/healthcare, industrial, automotive and smart connected devices. Our KeyScaler platform extends trust to IoT devices and the IoT ecosystem, to address the challenges of securing the Internet of Things. KeyScaler uses breakthrough technology including Dynamic Device Key Generation (DDKG) and PKI Signature+ that delivers unrivalled simplicity and trust to IoT devices. The solution offers organizations a rich set of features for automated security, including device provisioning, authentication, credential management, policy based end-to-end data security/encryption and code signing/update capabilities.
Bridget: As part of the Development Fund, which machine identity protection challenge you are aiming to solve?
James: For decades, code signing has been used to verify the integrity of software. Nearly every organization relies on code signing to confirm their code has not been corrupted with malware. Code signing keys and certificates are used in a wide range of products, including firmware, operating systems, mobile applications and application container images. Unfortunately, organizations often struggle to secure and protect code signing operations, because they don’t have a solution that allows them to consistently enforce policies across locations, tools and processes.
Bridget: How is Device Authority going to solve this challenge?
James: As enterprises embrace and adopt IoT devices, code signing usage will continue to grow at an exceptional rate. Many organizations use home-grown solutions to fulfill code signing requirements for IoT use cases, but these tools often lack the visibility, automation and intelligence needed for proper protection. Using our sponsorship from the Machine Identity Protection Development Fund, Device Authority will provide a new turn-key code signing and update delivery extension to KeyScaler powered by Venafi Next-Gen Code Signing to connect security team policy and controls to secure the code signing process. Additionally, Device Authority will create a new Certificate Authority service connector for the Venafi Platform. This will allow KeyScaler customers to use the Venafi platform as a source for certificate issuance.
Bridget: Describe the new world for customers that the KeyScaler and Venafi integration will make possible.
James: In the case of IoT, organizations need to maintain a trust association with the edge/device and the process must be managed without human intervention. If this trust is compromised, it provides adversaries with essentially a cyberweapon with huge breadth, high success, and immensely damaging impact. This Development Fund project seeks to close these gaps by integrating and using Venafi Next-Gen Code Signing throughout the secure update lifecycle. Being accepted into the Development Fund is a huge success for the Device Authority team, and we are excited to bring this critical technology integration to market.
Device Authority’s integration is targeted to be complete in early 2020. Visit Device Authority on the Venafi Marketplace for more information. And stay tuned for future interviews with Machine Identity Protection Development Fund recipients.
Learn why code signing is not just for software companies anymore. Venafi code signing expert Eddie Glenn explains.