In this and the accompanying blog written by our colleague Bridget Hildebrand from Venafi, we discuss the reasons why we must expand machine identity protection and the critical factors to consider when integrating it with Hardware Security Modules (HSMs).
Make autonomous decisions based on the situation they find themselves in.
Device visibility, intelligence, and automation are characteristic of this developing ecosystem and we must choose machine identity protection accordingly.
Visibility is the capability devices have to develop situational awareness of the environment in which they are deployed. For an IoT device to function with other devices in a network, it must not only be able to see those other devices, but also be sure of their authenticity. To this end, machine identities in the form of digital (birth) certificates enable other devices to identify them, validate their legitimacy, and confirm that they are authorized to operate within a particular ecosystem. This provides the foundation of trust necessary to have confidence in the system and the services it delivers. And we must be able to see all of these machine identities in order to protect them.
Intelligence refers to machines’ ability to gather and share information, and to extract insight not initially discernible from the environment. As machines collect and assemble vast amounts of data, specialized algorithms help them see trends and allow them to make predictions. As machines “talk” to each other and share data, they must constantly authenticate each other’s identities and validate what they are authorized to do and share. Machine identities are again the basis for trust in establishing those close groups, and we need ready access to machine identity intelligence to be able to act quickly when necessary.
Automation enables machines to make independent decisions based on what they see in their current environment and what they expect future states to be. With automation, it is even more important to protect machine identities and ensure autonomous decisions are trustworthy. Automating the entire machine identity lifecycle will also eliminate mistakes caused by human error, keeping machine identities available and secure.
Trust through PKIs and Certificate Authorities
Machine identities are issued and validated through digital certificates. Digital certificates are signed by a trusted certificate authority as part of a public key infrastructure (PKI). Securely orchestrating certificates across a large population of machines requires specialized software and hardware and the protection of the underpinning cryptographic keys that sign the certificates.
Because underpinning keys are critical to the security of today’s highly connected systems, it is also imperative to protect them from insider threats and other attacks. Keys stored in software sit in process memory, where they can be copied, and so they become vulnerable. Segregating your critical cryptographic keys within a FIPS 140-2 and Common Criteria certified hardware security module (HSM) is not only considered a best practice among cybersecurity professionals, but it also facilitates regulatory compliance.
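To make the issuing-and-validating chain concrete, here is an added example (not code from Venafi or nCipher, and not part of the original post) in Go: it stands up an ecosystem CA, issues a device “birth certificate” signed by that CA, and runs the acceptance check a peer device performs, so that a certificate from an unrelated CA is rejected. The function names, the CA names and the device ID are made up for the demo, and the CA key is deliberately generated in process memory here, which is exactly what the HSM guidance above says not to do in production.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey makes an Ed25519 key in process memory; a CA's signing key should instead live in an HSM.
func newKey() ed25519.PrivateKey {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // acceptable in a constructed demo; real code returns the error
	}
	return key
}
// sign issues tmpl for key's public half, signed by signer (parent == tmpl means self-signed).
func sign(tmpl, parent *x509.Certificate, key, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
// NewCA creates a self-signed ecosystem CA (hypothetical name) and returns its certificate and signing key.
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, key, key), key
}
// IssueBirthCert issues a device's "birth certificate", signed by the CA key; the device key never leaves the device.
func IssueBirthCert(ca *x509.Certificate, caKey ed25519.PrivateKey, deviceID string) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: deviceID}, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return sign(tmpl, ca, newKey(), caKey)
}
// PeerAccepts is the check a peer runs: the presented certificate must chain to the one CA it trusts.
func PeerAccepts(trustedCA, presented *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

A peer that trusts only the fleet CA accepts a birth certificate it issued and rejects one from a rogue CA with the same device name, which is the whole point of anchoring trust in the CA key rather than in the device's claimed identity.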
Venafi, together with nCipher, expands machine identity protection at scale with the highest level of trust, integrity and control. Venafi Advanced Key Protect integrates nCipher nShield HSMs to ensure that organizations deploying machines across their systems are not only using strong cryptography, but also that the critical signing and transactional SSL/TLS keys are protected from compromise through their entire lifecycle.
The next time you ask your home digital assistant for the latest traffic report, hop into your car and follow the directions from your phone, and let your wearable device monitor your stress level as you navigate down the busy highway to your destination, rest assured you won’t need to card these devices to prove their identity. It’s all happening in the background with trust, integrity, and control thanks to the technology that Venafi and nCipher have developed.