The expansion of the Internet of Things (IoT) has created a need for trusted tools to support the identification and validation of increasing numbers of Internet-enabled connected machines (defined as applications or physical devices that collect data). Analyst firm Gartner projects that by 2020 the number of deployed IoT machines will reach 20.4 billion. In a recent blog, I discussed the need to protect the identity of these machines, in light of the volumes of digital credentials that have to be managed. In this blog, I will dig a little deeper into the subject and describe the main reasons why you need a root of trust to ensure security in enterprise IoT deployments.
The rate at which IoT machines are being deployed across enterprise networks is rapidly accelerating. The IoT focuses on collecting data and maintaining situational awareness of the operational and business environment. The insights obtained enable decisions to be made quickly (and many times automatically without human intervention), to optimize processes.
However, with more machines online than people on the planet, the IoT is driving demand for trusted digital identities. Trust is essential for the success of IoT, because, if you cannot trust the machines and data they collect, any insight discovered is questionable and could produce misguided actions.
To manage machine identities and ensure the machines are who they say they are, enterprises need to deploy digital credentialing systems with a strong root of trust. To do this, organizations need to understand how to support machine credentialing and how to securely manage it to ensure trust in the technology. Fortunately, public key infrastructures (PKIs) offer the foundation for establishing and managing digital identities at the scale the IoT demands.
The Role of the PKI Framework
PKIs have been used for decades to identify and authenticate individuals and machines. The technology includes the hardware, software, policies, processes, and procedures needed to manage digital identities. PKIs enable the use of digital signatures and encryption across large user populations. As the IoT has grown, PKIs have become more important. The Ponemon Institute’s PKI Global Trends Study, commissioned by Thales, found that IoT is the fastest growing trend driving the deployment of applications using PKIs. In the next two years, an average of 43 percent of IoT machines including devices will use digital certificates for identification and authentication. However, ensuring the security of a PKI requires an auditable chain and root of trust that you can depend on.
Why You Need a Root of Trust?
PKIs employ asymmetric cryptography using a key pair – a private and a public component. The private key is held in secret, and is used to sign the public certificate that is issued to the individual or machine receiving the credential. Secure insertion of digital certificates into machines establishes their identity, and provides the mechanism to later authenticate who they are once they become part of a closed ecosystem. Here are three reasons why you need this root of trust when orchestrating machine identities:
Protecting Signing Keys
The identity of machines depends on the PKI and its signing keys. Maintaining the secrecy of the signing key is essential for ensuring the security of the entire system. The root of trust of a PKI is built on the ability to protect and manage the signing keys in a robust and isolated environment. PKIs with a hardware security module (HSM) at their root of trust enable the secure issuance of machine credentials, so these can validate the identity of machines and the integrity of the data they collect. HSMs are purpose-built, certified devices that safeguard and manage cryptographic keys and their lifecycle policies. Their use is considered a best practice in data security and is often required by regulatory bodies for high assurance security.
Enforcing Dual Control
The root of trust of a PKI must not only be protected from external attacks, but also from internal threats. For this reason, it is imperative that no single individual or entity have access to, or have the capability to change, the lifecycle policy of signing keys. By enforcing dual controls that require two or more individuals to enable sensitive operations, HSMs further enhance the security of PKI signing keys and establish a root of trust.
Facilitating Data Security and Compliance
As more IoT applications involve the collection and processing of private and sensitive data, whether patient information, customer preferences, or critical processes to name a few, certifying that machines collecting this data are legitimate is a concern for both data security and regulatory compliance. Providing not only strong cryptographic key protection and key management, HSMs maintain key use logs that facilitate auditing and compliance with government and industry data security regulations.
The Way Forward
Security solutions from Thales and its technology partner Venafi can help you establish a root of trust, so you can deploy and use the IoT with confidence. Thales and Venafi can help you design and implement a PKI root of trust that protects your IoT deployments and accelerates your organizations’ digital transformations. Venafi Advanced Key Protect provides automated orchestration for key generation, installation, and protection. Thales nShield Connect HSM sleverage strong hardware-based security to protect critical signing keys, enforce dual controls, and facilitate compliance to establish a FIPS and Common Criteria certified root of trust.