The World of PKI and IoT in 2017
In 2017, Public Key Infrastructure (PKI) will continue to solidify its place as a fundamental digital identification, authentication and encryption standard—especially as the Internet of Things (IoT) evolves and security concerns heighten. The need for trusted digital identities will become paramount to the overall security of the Internet. As businesses attempt to secure the IoT, PKI is re-emerging as a cost-effective and proven technology that delivers a secure and high-performance solution.
Prediction 1: PKI will continue to grow exponentially and become a de facto standard for digital identification, authentication and encryption.
As predicted last year, SSL/TLS certificates are still commonly used for secure web browsing, and CSS continues to observe the widespread use of in-house PKI for authenticating data, devices, applications and users within commercial applications.
Given the pervasiveness of cloud-based products, services and tools, SSL/TLS is certainly needed. The Thales Ponemon 2016 PKI Global Trends Study revealed that the most influential trends driving the use of PKI continue to be:
- Cloud-based services—61% of respondents
- Consumer mobile—52% of respondents
- Internet of Things—28% of respondents (increased from 21% in 2015)
Many SSL certificate and endpoint vulnerabilities have been identified in the last two years, more recently DROWN, “Severe,” Sparkle, BadLock, and older attacks like Heartbleed, FREAK, POODLE and Apple man-in-the-middle. Despite such attacks, PKI continues to be the trusted backbone for secure authentication. Certificate transparency is emerging as a PKI-based practice which ensures the security of internet facing SSL certificates. With ever evolving threats, PKI-based practices have proven to be “the best security option” at this time.
Every organization throughout all verticals must be proactive in ensuring the security and proper usage of PKI environments as well as the issuance, monitoring and reporting of SSL/TLS certificates. CSS Research determined that only 15% of businesses are purchasing 1,000 or more third-party certificates. CSS Research also identified that nearly 12% of all certificates published to the Internet belong to devices, and not websites—the rise of IoT continues. Looking at the bigger picture, the total number of certificates on the internet continues to climb and CSS Research suggests that the driving factors are both digital certificates issued from an enterprise-dedicated PKI as well as IoT devices.
A properly implemented, well-managed PKI represents a highly secure, cost-effective framework to issue trusted certificates for a variety of use cases. As a result, organizations are routinely establishing their own enterprise-dedicated internal PKIs and many are managing millions of, or more, certificates to offer digital identity authentication, encryption, and signing for cloud services, mobile devices and mobile applications.
Prediction 2: PKI will solidify as the best practice for identification, authentication and secure communications for IoT devices.
Businesses are continuing to develop and launch IoT innovations that customize products and services with the intention of making life faster, better and more accessible. Advancements of the IoT help companies increase revenue, improve operational efficiency, meet regulatory requirements, improve safety and protect assets. According to Gartner, the global IoT market will grow from $591.7 billion (in 2014) to $1.3 trillion in 2019, and the number of connected IoT endpoints will grow to more than 25.6 billion in 2019, hitting 30 billion in 2020.
It’s a fast-growing, promising market. However, if not properly identified, authenticated and secured, IoT devices can open and magnify multiple threats to businesses. Cyber threats, outages and data breaches are on pace to have a significant impact on the revenue and reputations of growing businesses worldwide if IoT security doesn’t catch up.
Secure authentication for IoT devices must be scalable and cost-effective. Traditional methods of digital authentication may not be as secure, cost-effective, or efficient for the type and volume of devices, data, people and applications that need to be authenticated, encrypted, or signed. Not to mention, purchasing third-party certificates contributes immensely to product and service expenses.
“Passwords and shared keys don’t work well for user authentication and are even worse for device authentication,” commented Wayne Harris, Principal Consultant at CSS. “We’re already seeing IoT devices being used for DDoS attacks, and anticipate more will be targeted in 2017."
Prediction 3: PKI will follow the “Cloudification of IT” trend into cloud-based deployments.
Despite cloud breaches and SaaS vulnerabilities, the hesitation to put critical systems and applications in the cloud is waning throughout all verticals. Five years ago, the fear of having servers in the cloud kept many organizations from reaping a myriad of operational benefits, but today, most have realized the economic benefits of freedom from managing infrastructure in order to focus on that which is business critical.
Increased adoption of certificates combined with decreased cloud hesitance means that PKI is moving to the cloud alongside its cyber security counterparts, and businesses looking to optimize cost and operational efficiencies would benefit from considering cloud-based PKI.
“Our fastest growing service is cloud-based enterprise PKI. Safer and more cost effective, the solution enables cloud-based PKI for IoT,” commented Ted Shorter, CTO at CSS.
Prediction 4: SHA-1 will eventually be exploited to make a “fully-valid” fake certificate.
It’s common knowledge among the cyber security community that the SHA-1 signing algorithm is weak, and will eventually be cracked by a hash collision, and projections of the costs and time needed to crack SHA-1 have lowered increasingly. While hashing different messages should result in unique hashes, actual collisions can lead to the same hash value being produced for different messages, which can be exploited to create fake certificates.
In 2012, Bruce Schneier predicted that a SHA-1 collision could occur by 2015 at a cost of $700,000. The same research estimated that it could occur by 2018 at a cost of only $173,000. Another estimate believes that a freestart collision could be accomplished in a few months using computer power similar to Amazon’s EC2 cloud at a cost between $75,000 and $120,000, though this particular attack places restrictions on formatting that would be difficult to meet within an X.509 certificate.
Large and small organizations are extremely vulnerable, and reacting post-breach can quickly reach exceed millions of dollars—so can remediation. Not to mention, in today’s environment, $173,000 and/or a few months of computing power is well within the reach of cybercriminals. Given the lower cost, plus advancements in computing power and cryptanalysis, it’s a matter of “when,” not “if,” a SHA-1 collision will occur.
Shorter noted, “We’ve continued to watch, and we still haven’t seen a SHA-1 certificate collision attack out there in the wild—which is a good thing. But that doesn’t mean that it’s not right around the corner, and the fact that the SHA-1 algorithm is highly vulnerable is indisputable. All businesses should already be migrated to SHA-2, and those that aren’t need to make it top priority. Vulnerabilities and practical crypto aside, browsers will soon stop accepting SHA-1 entirely."
CSS Research indicates the percentage of certificates still signed with SHA-1 at over 46% of the total certificates published to the Internet.
Prediction 5: Blockchain will continue to gain traction, but with its own unique use cases.
Blockchain has taken hold, continuing to grow and gain attention. In 2017, it will likely reach its peak on the Gartner Hype Cycle, as reported by CoinDesk, but the tech community will certainly be hearing more about it.
Currently, there is something of a dichotomy coming to pass among those observing the development of blockchain technology. On one hand, many people throughout the tech community don’t fully understand its applications beyond serving as a ledger system for financial applications. Gartner stated that blockchain is currently being used by less than 1% of its total audience. On the other hand, many users within the tech community seem to be over-celebrating its emergence with “inflated expectations” of its benefits; similar to the entry of IoT.
It’s not that blockchain won’t be transformational; the impact and influence will be significant. But blockchain is still finding its place, and proper adoption will depend largely on level of expertise among those executing implementation, and critical blockchain governance and compliance issues.
It’s important to note that PKI and blockchain are in no way mutually exclusive—they have entirely different functions. While blockchain is still settling into its role, PKI remains to be a proven, longstanding technology for securely issuing digital certificates, which applies to a wide range of use cases and will continue to be used and adopted among security organizations throughout all industries.
Prediction 6: IoT security will get worse before it gets better.
The Internet of Things has presented endless opportunities for virtually every conceivable vertical. A massive amount of connected devices exist today, and a seemingly unfathomable amount of connected devices will be active in the future. Today, there aren’t many appliances left that can’t be connected to the Internet, satisfying data-hungry, instant-results-demanding consumers, but leaving manufacturers with the persisting dilemma: how will the IoT be secured?
Businesses are more concerned about bringing a product to market quickly vs. properly implementing appropriate security controls, placing strain on the overall security of IoT devices. In addition, former software patching processes are not an option for possibly disparate IoT devices such as a light bulb which will never be in the hands of a developer again – further wrecking the ability to exercise suitable security controls over such devices. No industry could have foreseen the extent to which the IoT would take hold, or the evolving security implications that would come with it. Today, there are more breaches occurring than ever before, and more ways to execute a breach being born every day. IoT devices are increasingly being used in DDoS attacks because they’re connected to a network and pose further weakness due to flimsy password only requirements.
Yet, there is still no consistent framework spanning industries, or even applying to specific verticals, which governs IoT usage and security practices—automotive and healthcare devices are prime examples. Multiple factors are influencing the level of complexity which makes the IoT difficult to govern. First, design cycles are long. As a result, it takes a long time to implement security into objects; particularly when security is an afterthought. Second, many products are released without a way to upgrade. For many consumers, upgrading consists of buying a new product.
There is a positive, though. Although it is anticipated that the security problems the IoT is facing will worsen before a widely applicable solution is identified, there are controls manufacturers can implement in the meantime. Many companies are choosing to embed turnkey security solutions within objects; PKI managed services are becoming a standard practice within the IoT.
Being Prepared for the Fast Rate of Change in Cyber Security: Questions for 2017
Being prepared for the rate of change in cyber security is key to business success; so much is changing throughout the entirety of information technology. The best way for your business to take control is to keep the right expertise on deck as your IT and security strategies change.
As you weigh the options for implementing and managing PKI, consider talking with CSS. Our CSS Research, professional services, and development teams feature experts in the field of digital identity. For over a decade, we’ve been trusted security advisors to more than half of the Fortune 500.