Roll out IoT device certificates to boost network security

How device certificates work in IoT

Device certificates are the mechanisms that verify and grant devices access to the network. IT admins first register devices on the network as valid and authorized and then associate the devices with a certificate to act as a network passport. Without the digital certificate, a device can't connect to the network to perform its function, even if it's registered as a valid device.

Certificates are part of the broader public key infrastructure (PKI) for device authentication, alongside the certificate authority (CA), registration authority and certificate database or store.

IoT devices store device certificates, which work in concert with other security mechanisms to give network access, such as device management software applications, mobile device managers or third-party certificate managers.

When IoT devices connect to the network for authentication, they typically do so through a secure communication protocol like a secure socket layer (SSL) or Transport Layer Security (TLS) protocol. Many networks use SSL, an older protocol that many web applications and network devices still use. Newer devices use TLS, which has a more secure and efficient authentication process and supports more advanced and secure algorithms. IoT devices with TLS protocols can be backward compatible with devices that use SSL, but IT admins should verify this with their network administrator or device manufacturer.

How to provision IoT device certificates

IT admins have several ways to provision IoT device certificates through third-party or private services.

Third-party certificate vendors

Many organizations buy PKI-eligible certificates from third-party certificate vendors, such as GlobalSign or Comodo, or use a managed PKI solution, such as Entrust or Thales. The right option will depend on the network and IoT device deployment, the security budget, and tolerance for third-party vendors in the network security stack.

Managed digital certificate services offer a centralized way to provision, protect and manage IoT digital certificates. These services can scale up or down quickly, issue certificates instantly, manage certificate lifecycles across a fleet of devices, and automate certificate activities.

High-volume private digital certificate management

Organizations can also create private certificate servers to manually provision digital certificates for IoT devices. Simple certificate enrollment protocol servers can provision and distribute certificates to IoT devices on the network by working with an enterprise PKI service. The service generates certificates and distributes them to devices through an integrated mobile device management (MDM) system. Organizations can use MDM as a cost-effective way to optimize device certificate management with IoT devices that are completely behind a firewall and never use a public internet to transmit data.

Low-volume manual digital certificate management

IT admins can manually provision device certificates for IoT devices. Manual certificate services create a root or intermediate ad hoc certificate to install on devices. For example, IT admins can create custom scripts for Linux-based Raspberry Pi devices that enroll the device with manual certificates and install the correct network settings for secure connections to the network. Other services, such as the Azure IoT Hub Device Provisioning Service, create a provisioning service on your cloud network that makes it easy to generate certificates and keys for individual or multiple devices.

Similar to how blockchain technology keeps an immutable record of information and activity, organizations use certificate technology to track access and authorization through the PKI.

Why use IoT device certificates

Devices need secure end-to-end communication because bad actors frequently use IoT devices as a network entry point for various activities, including phishing. Certificates verify authorized devices and add a security layer to the network. The public and private key combination used in PKI ensures all data sent to and from IoT devices remains secure from unauthorized view or use.

Similar to how blockchain technology keeps an immutable record of information and activity, organizations use certificate technology to track access and authorization through the PKI. The authentication mechanism records every authentication and action by date, time and key information, providing irrefutable proof of who did what and when. Consequently, digital certificates provide tamper-resistant features to communications between IoT devices and the network. It is more difficult for attackers to inject content or malicious code into an encrypted data stream.

IoT device certificates are also a low-cost security measure for any enterprise compared to other security technologies. Even with a third-party CA and certificate management service, the cost is still significantly lower than purchasing a new hardware device for each IoT device. Many CAs also offer volume discounts to keep costs under control. For example, AWS IoT device management offers bulk device certificate registration at 10 cents per 1,000 devices registered, and Sectigo offers domain validated certificates with unlimited server licenses starting at $125 per year.

Be aware of IoT device certificate disadvantages

Managing certificates for a large fleet of devices can be difficult without a device management or certificate management service. Because each certificate has a definite expiry date, that can take a lot of time and effort to keep track of them all.

Provisioning the certificates can be a challenge if IT admins must integrate large fleets of IoT devices at once, remove multiple devices when sunsetting them or scale many device certificates up or down. If an IT admin must manually provision and manage IoT device certificates, that time can double or triple. Unless an organization has a dedicated resource in charge of just device certificates, provisioning costs a lot of time.