IoT identity management eyes PKI as de facto credential
Public key infrastructure is emerging as the essential technology for identity management in IoT, as customers seek out a trifecta of data integrity, authentication and encryption.
Establishing the identity of the things in an IoT system is critical to categorizing and managing their access to data and other systems. Be it a sensor monitoring the temperature of a freezer, a camera in a security network, a light bulb in a smart building or any other number of devices, if it has internet connectivity and communicates with other IoT devices and systems, it has the potential to be hacked and wreak havoc on an enterprise's network. These devices, which are only growing more ubiquitous as IoT adoption proliferates, must be registered and managed to prevent breaches and stay secure.
However, achieving this in an IoT environment -- which often includes remote and resource-constrained devices -- has proven challenging. Yet, companies are emerging that use both new and tried-and-true security technologies to get the job done.
"IoT identity management is still nascent, in no small part, because emerging technologies are all dramatically impacting what IoT looks like and how data and interactions are processed," said Jessica Groopman, industry analyst and founding partner of Kaleido Insights in San Francisco.
AI-enabled interfaces, she added, "have already gone mainstream. Millions of smartphones with facial and fingerprint recognition have shipped already, and an estimated 89% of phones will ship by 2020. We also see blockchain and related technologies playing an important role in the IoT device identity narrative."
Companies like Filament and Intel, for example, "are developing blockchain-enabled chips so that devices can come preconfigured for specific use cases, such as provenance tracking," Groopman said. "Not only will identity solutions need to take these interactions into account, but such chips could become important enablers for authenticating device identities. Identities that capture every human, device, data, security interaction -- truly a 'digital twin' -- are much more unique and difficult to counterfeit than the current solutions."
Identity management for IoT is related, in many ways, to enterprise identity and access management, said Dan Timpson, CTO at DigiCert, a provider of TLS and SSL, public key infrastructure (PKI) and IoT security systems in Lehi, Utah.
"But what makes it trickier is that the IoT space isn't mature yet," he said. "This is why lightweight solutions to uniquely identify devices -- such as embedding a certificate or putting a key in the box -- are being adopted. With IoT, you don't have a lot of space hardware-wise, with memory, chip or footprint, to do the really complex things that you can within an enterprise."
To solve this issue, IoT platforms are attempting to come up with their own security methods or adopting known PKI mechanisms to uniquely identify those devices.
"It's a realization that's happening in real time, as these makers try to figure out how to secure the device, bring it online and manage it," Timpson said. "Automation is one of the main differentiators with IoT that you've got to get right in the requirements. These devices need to be able to enroll themselves, get security artifacts and then go on their way. And if there's something anomalous happening, the management consoles will pick up on it."
Many people entering the IoT realm, however, may not have considered some of the security issues they open themselves up to when they connect a device, and they quickly discover that IoT identity management is a complex topic, said Nisarg Desai, head of IoT product management at GlobalSign, a certificate authority and provider of identity and security technologies for IoT in Portsmouth, N.H.
"Right now, we're at the stage where people are accepting that things need unique identities, and their management will become very important within the near future," Desai said.
Sure enough, as IoT grows, so too does the need for IoT identity management technologies. Market research firm ABI Research recently forecasted that IoT platform services, along with cryptography, digital certificate management and data exchange services, will propel IoT identity and management revenue to $21.5 billion by 2022 -- thanks primarily to industrial, manufacturing and automotive market verticals.
Why is IoT identity management so important?
Look no further than the 2016 Mirai botnet -- built largely out of hacked IoT devices -- for a painful example of how easily IoT devices that either have hardcoded passwords or that lack the most basic security requirements can be compromised and used to carry out hugely disruptive distributed denial-of-service attacks.
"If you look at the landscape of attacks that have occurred on the internet, one of the problems behind it is device attribution," Timpson said. "How do you identify devices uniquely and discretely? Our view is that digital certificates, in particular, and PKI work quite well. A certificate can be used as a strong authentication factor and has a pretty good shelf life for identifying a device. You can put in attributes about the device, and it's got some cryptographic tiebacks. In the event that the device identity needs to be refreshed or changed, the nice thing is that it's an artifact that can be replaced, renewed or updated, as needed."
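The certificate-as-device-identity model Timpson describes, as an added example that is not code from the article, DigiCert or GlobalSign: a manufacturer root issues each device a certificate whose subject carries device attributes (model, serial number) and a validity window, and the verifier rejects an expired credential or one signed by a different root; renewal is simply reissuing with a new window. The CA name, model and serial values are constructed for illustration, and the code uses only Go's standard-library x509 package.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue signs a certificate whose subject carries device attributes (model as OU, serial as CN).
// A nil parent yields the self-signed manufacturer root; otherwise a client-auth-only device leaf.
func issue(pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey,
	model, serial string, until time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{OrganizationalUnit: []string{model}, CommonName: serial},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     until, // the credential's shelf life; renewing it means reissuing
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root that may sign device certificates
		tmpl.BasicConstraintsValid, tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// verify chains dev to the trusted manufacturer root as of time at: a rogue device (signed
// by another root) or an expired credential is rejected before any data flows.
func verify(root, dev *x509.Certificate, at time.Time) (model, serial string, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err = dev.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", "", err
	}
	return dev.Subject.OrganizationalUnit[0], dev.Subject.CommonName, nil
}
func main() {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, _, _ := ed25519.GenerateKey(rand.Reader) // private half never leaves the device (constructed demo)
	root, _ := issue(caPub, nil, caKey, "ca", "Example Device CA", time.Now().AddDate(20, 0, 0))
	dev, _ := issue(devPub, root, caKey, "freezer-sensor", "SN-0001", time.Now().AddDate(1, 0, 0))
	fmt.Println(verify(root, dev, time.Now()))                  // freezer-sensor SN-0001 <nil>
	fmt.Println(verify(root, dev, time.Now().AddDate(2, 0, 0))) // expired: reissue to renew
}
```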
We rely on multiple documents -- in the forms of a birth certificate, a driver's license, a passport or a Social Security number -- to prove different things about ourselves. To drive a car, we need a license. To cross a border, it's a passport. But we generally require an essential document like a birth certificate to get other documents that help us further establish our identity.
In a similar manner, there has been a rise of multiple ID documents per device in an IoT environment, Desai said, adding that "customers are asking for multiple certificates for a device, because the need for different forms of identities for different purposes is growing."
What are customers primarily concerned about?
Security has long been a major business concern, and the addition of IoT has only exacerbated the worry. Ensuring devices authenticate securely and keeping data encrypted and secure are major enterprise initiatives.
"[Customers] need to know that the devices themselves are authentic and not rogue devices," Timpson said. "This trifecta of integrity, authentication and encryption is what people really want. But the challenge is doing it in an elegant way that's user-friendly. If it's too difficult to use, you're not going to use it, right?"
Cost can also be a factor, and it often comes as a bit of a surprise.
"A lot of people feel like security should be built into devices and isn't something they should need to add and pay for," Desai said. "But once they get beyond that, the basic premise is to use the best security you can afford. Make yourself a smaller target, and the bad guys will move on to the next one."
The general consensus is customers want security technologies that can scale up to meet the needs of IoT in an extremely cost-effective way. It's important to create a scalable security framework and architecture that can support your IoT deployments not just now, but well into the future.
Putting identity management in IoT to work
DigiCert's PKI technology is being used to protect the full spectrum of devices that connect to the internet, with a special emphasis on safeguarding medical care and critical infrastructure, including water, electricity, oil and gas, and transportation.
"Customers are bringing DigiCert some wild IoT identity management challenges, like embedded medical devices," said Dan Timpson, CTO at DigiCert.
"PKI can be used to protect data between the next generation of medical devices embedded on or within your body -- like a pacemaker or an artificial insulin pump -- and your phone. It's pretty crazy," Timpson said. "I can use certificates to monitor and adjust to critical benchmarks with my body."
Identity management is also being rolled into IoT security systems. One recent example is how Longview IoT, a Carnegie Technologies company, partnered with GlobalSign and Intrinsic ID, a provider of digital authentication technology for IoT devices, to create a layered security system for asset tracking, utility and environmental monitoring, and many other applications.
"GlobalSign is investing heavily in a partner network to showcase how bringing different topologies together can provide a full level of protection," Desai said.
As a result, Longview now offers a collection of custom-engineered sensors, gateways, cloud analytics and industry-specific applications that come preconfigured to work right out of the box.
"IoT security is the utmost priority throughout the entire solution -- from our sensors to the cloud and into the field," said Brad Bush, managing director of internet of things at Carnegie Technologies, based in Austin, Texas.
The devices Longview developed feature two security certificates that GlobalSign provides and automatically provisions for protection within the supply chain, as well as to protect the data transmitted on Longview's low-power wide area network. Data is then stored in a private, secure cloud infrastructure as the final layer of security.
"We're seeing PKI emerge as the de facto credential for IoT devices," Desai said. "And now, we're on the path toward more complex identity management and provisioning systems."
On the IoT horizon, Timpson said, conversations are already turning to topics like post-quantum cryptography: an algorithm that can sit on a device, continue to protect its security for 10 to 15 years and remain resilient to quantum computers.
"We're looking at complementary decentralized strategies with identity," he said.
Using blockchain technology, not surprisingly, is also a part of these next-gen service discussions.