The IoT is adding tremendous value, transforming manufacturing, transportation, power generation and a host of other industries with greater automation, new services, and more efficient allocation of resources. However, it has also been the victim of some of the largest cyberattacks and botnets seen to date, including the infamous Mirai botnet, which recruited devices simply by logging in with factory-default credentials. These persistent attacks are enabled by a lack of consistent, reliable security in IoT devices.
Enterprises are facing new types of security challenges. The rapid shift to work-from-home during the COVID pandemic requires secure remote access for a much larger number of employees and IT systems, increasing the need for reliable, low-touch, remote security solutions.
Amid this new normal, IT teams have increased their use of Public Key Infrastructure (PKI)-based authentication using digital certificates, a critical technology that can enable security in both IoT and remote-work environments. In fact, our recent 2020 Work-from-Home IT Impact Study found that 38% of IT professionals plan to increase use of digital certificate-based authentication in the next 12 months as a result of widespread remote work.
Certificate-based authentication using PKI
PKI underpins secure electronic communication across most digital systems. The basic mechanism that enables this security is the digital certificate. PKI is, essentially, the set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates, and to manage the public keys they bind to identities.
Think of a certificate as a virtual ID card issued by a certificate authority (CA). CAs provide the tools and systems required to build a PKI and to issue and manage large numbers of certificates. Certificates verify the identity of one or both parties to a communication, and the authenticated key exchange that follows protects the session with encryption. They serve people (users, administrators, etc.) as well as computers, applications, websites and any internet-connected endpoint needing proof of identity. Because a certificate holder can sign data with its private key, certificates also protect the integrity of transactions between people, machines and even different software programs.
Much like a driver’s license, a certificate is issued by a trusted entity, providing an identity and a set of permissions. My driver’s license identifies me, with a photo and personal information, and defines my driving permissions. I am authorized to drive any standard passenger motor vehicle, but not certain commercial vehicles. And the license was issued by a trusted entity (the State of Iowa, in my case).
Likewise, a certificate is issued by a trusted entity (a CA), identifies its holder, and carries constraints on what it may be used for (the key usage and extended key usage extensions, for example "client authentication" only). It contains a public key, which is only useful in conjunction with the associated private key. The private key is held by the certificate holder and must never leave its control; the certificate itself is public and can be handed to anyone.
An IoT device or computer verifies two things. First, that the certificate was signed by a CA it trusts, by checking the CA's signature over the certificate and its validity period and constraints. Second, that the peer presenting the certificate actually holds the matching private key, by having it sign a fresh challenge that only the private key can produce. Both steps rely on public/private key cryptography. The upshot is that a device can be confident, with the strength of the underlying cryptography, that the holder of the certificate is who the certificate says it is and not an imposter, provided the CA's issuance process was sound and the private key has not been stolen.
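The issuance and verification steps described above, as an added example that is not part of the original article and not Sectigo's code: it uses only Go's standard crypto/x509 library to stand up a hypothetical root CA, issue a certificate to a device, and then authenticate three peers: the genuine device, an impostor that has copied the device's (public) certificate but lacks its private key, and a forged certificate for the same device identity signed by a CA the verifier does not trust. The CA names, the device identity "sensor-0042", the organization string and the challenge nonce are all constructed for the demo. The sign-a-nonce exchange is a simplified stand-in for the proof of possession a TLS handshake performs when a client presents its certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on any setup failure (a demo convenience, not production error handling).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA creates a hypothetical root CA: an ECDSA key and a self-signed certificate whose
// key usage is restricted to signing certificates and CRLs.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueDeviceCert binds a device identity to its public key. The certificate's "permissions"
// are its extensions: the key may sign, and the certificate is valid only for client authentication.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, id string, pub *ecdsa.PublicKey, lifetime time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:      pkix.Name{CommonName: id, Organization: []string{"Example IoT Fleet"}}, // constructed identity
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey))
	return must(x509.ParseCertificate(der))
}

// signNonce is the holder's side of the challenge: sign the verifier's fresh nonce with the private key.
func signNonce(key *ecdsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// authenticate is the verifier's side. The certificate alone proves nothing: it must chain to a
// trusted root, be within its validity period and be permitted for client auth, and the peer must
// then prove possession of the matching private key with a valid signature over the nonce.
func authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	// CheckSignature hashes the nonce with SHA-256 and verifies the ASN.1 ECDSA signature
	// against the public key carried in the certificate.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	return nil
}

// Outcome holds the result of each authentication attempt so main (or a test) can inspect it.
type Outcome struct{ Genuine, Impostor, RogueCA error }

func runScenario() Outcome {
	caCert, caKey := newCA("Example IoT Root CA")
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	devCert := issueDeviceCert(caCert, caKey, "sensor-0042", &devKey.PublicKey, 90*24*time.Hour)
	roots := x509.NewCertPool() // the verifier's trust store holds only our CA
	roots.AddCert(caCert)
	nonce := make([]byte, 32) // constructed challenge; fresh per attempt so a captured signature cannot be replayed
	must(rand.Read(nonce))
	var out Outcome
	// Genuine holder: signs with the key the certificate was issued for.
	out.Genuine = authenticate(roots, devCert, nonce, signNonce(devKey, nonce))
	// Impostor: has a copy of the public certificate but a different private key.
	impostorKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	out.Impostor = authenticate(roots, devCert, nonce, signNonce(impostorKey, nonce))
	// Rogue CA: same device identity in the subject, but signed by a CA the verifier does not trust.
	rogueCA, rogueKey := newCA("Rogue CA")
	forged := issueDeviceCert(rogueCA, rogueKey, "sensor-0042", &impostorKey.PublicKey, 90*24*time.Hour)
	out.RogueCA = authenticate(roots, forged, nonce, signNonce(impostorKey, nonce))
	return out
}

func main() { fmt.Printf("%+v\n", runScenario()) }
```

Running it shows the genuine device authenticating (nil error) while the impostor fails at the proof-of-possession step and the forged certificate fails earlier, at chain validation, before its signature is even examined. The point for practitioners: the certificate travels in the clear and possessing a copy of it confers nothing; the secret that must be protected is the private key, and the trust store that decides which CAs are believed is as security-critical as the key.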
Three steps for using certificates to enable security
Replace passwords with user identity certificates
Offering secure remote access to assets starts with ensuring the identity of the user. Passwords offer some measure of security, but attackers have become adept at phishing employees and stealing passwords. In addition, botnets have exploited weak and default passwords in attacks against IoT devices. PKI-based identity certificates are among the strongest forms of authentication available, they make life easier for employees by reducing the burden of remembering, updating, and managing passwords, and they enable higher levels of security for IoT devices.
Replace multi-factor authentication with no-touch authentication
Phone- or token-based multi-factor authentication provides an extra layer of security beyond the use of simple passwords. This two-step approach reduces the chance that a stolen password alone is enough to take over an employee's account. However, the additional effort an employee must make to use an application, beyond remembering a password, makes life more complex for both the employee and IT administrators. Phone- or token-based multi-factor authentication is also not an option for IoT devices, which must authenticate without a human present.
For remote employees, PKI-based certificates not only offer a very strong form of identity authentication, but also simplify the connection process. An employee's identity-certificate private key is stored directly in their computer, laptop or mobile phone, ideally in hardware-backed storage such as a TPM or secure enclave so that it cannot be copied off the device, and authentication happens automatically without requiring any action on their part. The employee can simply access applications and start working.
Automate issuance of all identity certificates
While it is increasingly feasible to enable employees for remote work without having to use passwords or enter additional authentication codes, managing and maintaining the many digital certificates across an entire enterprise must be made easy if it is to be effective. Using manual processes to manage certificates can be labor-intensive, technically demanding, and error-prone. Automating issuance and lifecycle management empowers an enterprise security team to issue, revoke, and replace certificates quickly, reliably and at scale, while alleviating management burden.
Certificate-management platforms that use automation enable IT pros to manage all of a company's certificates in one system, and a no-touch approach makes deployment very simple for the user. Automated certificate issuance is equally critical, perhaps even more so, for IoT devices. The vast number of devices alone makes manual certificate renewal impractical. In addition, many IoT devices have no user interface or are deployed in remote locations, making automated management imperative.
Conclusion
Certificates issued and managed using PKI enable devices and systems to perform strong mutual authentication. Manufacturers building IoT devices and enterprises managing remote workers must be proactive by ensuring the proper security capabilities—PKI-based authentication is a method for ensuring strong security for both devices and users.
Alan Grau is vice president of IoT/embedded solutions at Sectigo