There’s a lot of connected devices out there. That may seem like an obvious statement given that everyone seems to be walking around with a mobile phone, tablet, computer, and wireless headset. But what about all the devices that aren’t entertainment based? I’m thinking about all the connected vehicles, medical devices, routers, smart locks, thermostats, wearables -- this list never seems to end.
In fact, Gartner predicts there will be 25 billion connected “things” by 2021.* With that kind of ubiquity, one key question arises: How are they secured?
As the IoT landscape and security requirements evolve, device manufacturers need a cost-effective and scalable solution to secure IoT devices from increasing threats and regulations. We've compiled a list from a recent whitepaper that shows how public key infrastructure (PKI) can help your teams build with security in mind from the beginning.
Where PKI fits into IoT Security
Before we get to our top ways to secure IoT devices, let’s breakdown some advantages of using PKI for your IoT security needs. With all the connected devices coming online, we need a way to identify them. In the next two years, 42% of IoT devices will rely primarily on digital certificates for identification and authentication. In fact, the rapid growth of digital certificates can be largely attributed to the critical use cases that IoT manufacturers require through device identity, authentication, and encryption. However, without a proper way to issue and manage the millions of certificates across IoT deployments, scalability will be challenging.
This is where PKI comes into the picture.
Public key infrastructure is a framework composed of hardware, software, policies and procedures to help create, management, manage, distribute, and update these digital certificates overtime. For decades, PKI has served as the backbone of Internet security, and now it’s emerging as a flexible and scalable solution uniquely capable of addressing the data and device security needs of the IoT.
Let's see how.
Ways to Secure IoT Devices with PKI
- Use Unique Identities: By embedding a cryptographically verifiable identity into each device, you can enable secure network access and code execution throughout the device lifecycle. These certificates can also be customized based on manufacturer policy and updated or revoked on a per-device basis.
- Define and Set Security Standards: PKI’s open standard allows you to define a system cryptographically, with flexible options for trusted roots, revocation, and standard protocols for certificate enrollment and deployment — such as REST API, SCEP and EST.
- Scale Security as Your ‘Things’ Grow: By using asymmetric encryption means that all certificates can be issued from a single trusted Certificate Authority that is tightly controlled. This disconnected verification model allows devices and applications to authenticate to one another without the need for a centralized server or agent-based software
- Maintain Robust Security: When digital certificates are issued from a well-managed PKI, they offer much stronger protection than other authentication methods. IoT devices can also utilize secure hardware elements for cryptographic key storage and employ validity periods that far exceed the usable lifetime of passwords or tokens.
- Secure with a Minimal Footprint: A major advantage of using PKI is that it allows manufacturers to implement safeguards with minimal footprint on the device. Even devices with low computational power and memory can still use asymmetric keys. Elliptic Curve Cryptography (ECC) is quickly becoming the algorithm of choice for IoT, using smaller key sizes ideal for networked devices and sensors.