By SecureWorld News Team
Mon | Sep 24, 2018 | 12:50 PM PDT

When you put your ear to the ground in Information Security circles long enough, you hear common struggles emerging.

One of the struggles that surged at SecureWorld conferences in 2018? The difficulty of securing a growing number of IoT devices within the organization.

We recently came across an excellent post on the topic titled "Three Reasons You Need a Root of Trust When Orchestrating Machine Identities."

And we reached out to the article's author, Juan Asenjo, Senior Manager for Solutions Marketing at Thales eSecurity, with some questions about this struggle to secure Internet of Things devices. Here is an excerpt:

 [SecureWorld] You point out in your article that an increasing number of organizations are using PKIs to secure IoT devices. But how can an organization feel comfortable trusting the PKI?

[Juan Asenjo] A public key infrastructure, as the term implies, is a framework upon which one builds the mechanisms to create, distribute, and manage identities for a large user population. That population can be individuals or machines such as physical devices or software applications. The security of all certificates and the process of issuing, managing, and revoking them (when necessary) is predicated on the establishment of a root certificate authority, or CA, that you and everyone else in the ecosystem recognize as authentic and trustworthy. An analogy is birth certificates and passports issued by a recognized government entity that we collectively trust to only issue authentic credentials that have been properly vetted to represent the real individual to whom they correspond.

Much like a government hierarchical structure where you have national, state/provincial, and municipal entities, CAs are also layered, with a self-signed Root CA and Subordinate CAs that issue certificates to individuals and machines, thus establishing a chain of trust.

The validation of that chain starts from the point of issuance all the way to the root. The signing key (i.e., the private component of the public/private key pair used to sign the certificate) is thus critically important. Since this private key is the one used by the CA entities to sign and attest to the validity of the certificate(s) issued, it is critically important that it stays with the CA. Compromise of such a key would enable another entity to impersonate the CA and create forged certificates.

To protect these private keys, hardware security is recommended, as it offers the strongest level of assurance. Isolation from the rest of the system and dual controls that prevent any one individual from unilaterally changing the key use policy thus give the signing key the strongest level of protection.

 [SW] I recently attended a session on the intersection of cybersecurity and privacy. Does this method of securing IoT devices help with privacy or compliance?

[Asenjo] PKIs are used to issue certificates for identification and strong authentication, as well as data encryption. PKIs have been around for several decades; you could say they have been a foundational technology upon which ecommerce has been built.

They facilitate the identification and authentication of individuals, control access, secure transactions, and provide the mechanism to exchange cryptographic keys and establish secure connections for the exchange of information. It is no surprise that the application that most commonly uses digital certificates is SSL/TLS for securing public websites and services.

And this is where privacy and compliance come into play: securing the transmission of the personal data we commonly share across the Internet when we do online banking, purchase goods, or exchange medical details with healthcare providers, to name a few, all of which are regulated areas.

 [SW] You wrote this in your article. 'The insights obtained enable a decision to be made quickly (and many times without human intervention) to optimize processes.' What are some examples?

[Asenjo] Perhaps the best example that illustrates the need to trust information collected by IoT for automatic decision-making is autonomous vehicles or "driverless cars."

Autonomous vehicles depend on a myriad of IoT machines (i.e., sensors and applications) that collect all sorts of data for situational awareness. The system amasses details from GPS maps, road sensors, proximity to other vehicles and road obstructions, road signals, etc. to control speed, steering, and braking. Autonomous technologies, to various degrees, ultimately take the human out of the equation, so it is imperative that we trust the machine and the data collected, so that the decisions made are correct.

Another example is in the field of medical devices, sometimes embedded devices that monitor vital functions, collect data, and conduct predictive analytics to automatically dispense medications. It is not science fiction anymore; many of these applications already exist and are widely used, and others are not too far off in the future.

 When he put it that way, it reminded us of our interview with U.S. Bank CISO Jason Witty at SecureWorld Twin Cities last year. He says information security is now about securing human life.

 "It's not just about protecting your data anymore," says Witty. "It's also about making sure that whatever the physical manifestation is, something connected to you, the hospital you are in for care or the car you drive. It's about the pacemaker that's implanted in your chest and making sure these things are not going to actually kill you."

This is clearly a serious issue, and it will only grow: Gartner has forecast that 20.8 billion devices will be connected to the internet by 2020.
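Asenjo's description of a self-signed root, subordinate CAs, and validation of the chain back to the root is easy to try on the command line. The script below is an added example written for this page, not code from the article, SecureWorld, or Thales. It uses the openssl CLI (a 1.1.1 or later build), and every name in it (Example Root CA, Example Issuing CA, sensor-0001, the file names) is made up for the demonstration. It builds root, subordinate, and device certificates, verifies the device certificate while trusting only the root, and then builds a look-alike hierarchy with the same subject names but different keys, which is what an attacker without the real root's private key could produce. That chain is rejected: the names are public, and the private signing key is the only thing that makes the chain valid.

```shell
#!/bin/sh
# Added example (not from the article or from Thales): a two-tier PKI built
# with the openssl CLI, showing chain validation from a device certificate up
# to a self-signed root, and why the root's private key is what must be kept
# safe. All subject names and file names below are made up.
set -eu

# Minimal req config so the script does not depend on the system openssl.cnf.
write_openssl_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# new_key_and_csr DIR NAME SUBJECT: fresh P-256 key plus a CSR for it.
new_key_and_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$1/openssl.cnf" -keyout "$1/$2.key" -out "$1/$2.csr" \
    -subj "$3" 2>/dev/null
}

# self_signed_root DIR NAME SUBJECT: the trust anchor. Only NAME.crt is ever
# distributed; NAME.key is the secret the interview says belongs in hardware.
self_signed_root() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$1/openssl.cnf" -keyout "$1/$2.key" -out "$1/$2.crt" \
    -subj "$3" -days 3650 2>/dev/null
}

# sign_cert DIR CSR_NAME ISSUER_NAME EXTFILE: the issuer's private key signs
# the CSR; the extensions file says whether the result may itself act as a CA.
sign_cert() {
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
    -CAcreateserial -out "$1/$2.crt" -days 365 -extfile "$4" 2>/dev/null
}

# build_hierarchy DIR PREFIX: root -> subordinate CA (pathlen:0) -> device leaf.
build_hierarchy() {
  dir="$1"; p="$2"
  printf 'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/sub.ext"
  printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = clientAuth\n' > "$dir/leaf.ext"
  self_signed_root "$dir" "${p}root" "/CN=Example Root CA"
  new_key_and_csr "$dir" "${p}sub" "/CN=Example Issuing CA"
  sign_cert "$dir" "${p}sub" "${p}root" "$dir/sub.ext"
  new_key_and_csr "$dir" "${p}device" "/CN=sensor-0001"
  sign_cert "$dir" "${p}device" "${p}sub" "$dir/leaf.ext"
}

# build_demo_pki DIR: the legitimate hierarchy, plus an attacker's look-alike
# built from the same subject names but fresh keys (no access to root.key).
build_demo_pki() {
  mkdir -p "$1"
  write_openssl_config "$1/openssl.cnf"
  build_hierarchy "$1" ""
  build_hierarchy "$1" "evil-"
}

# verify_device_cert ROOT SUB LEAF: walk the chain leaf -> sub -> root while
# trusting only ROOT. Exit status 0 means every signature checked out and
# each issuer is marked as a CA; anything else is a rejected chain.
verify_device_cert() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# Stand-alone demo: the real chain validates, the look-alike chain does not.
if [ "${1:-}" = "demo" ]; then
  d="$(mktemp -d)"
  build_demo_pki "$d"
  verify_device_cert "$d/root.crt" "$d/sub.crt" "$d/device.crt"
  verify_device_cert "$d/root.crt" "$d/evil-sub.crt" "$d/evil-device.crt" \
    || echo "look-alike chain rejected: subordinate not signed by the trusted root's key"
fi
```

Run it as `sh chain.sh demo`: the legitimate chain prints `OK`, and the look-alike chain fails with a signature error, because `openssl verify` found a trusted certificate with the right subject name but the signature on `evil-sub.crt` does not verify under that root's public key. The hardware and dual-control point from the interview maps onto where `root.key` lives: here it sits in a temporary directory for the demonstration, whereas a production root key would be generated and used only inside an HSM.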

More resources around IoT security

We can suggest two additional resources around securing IoT devices within your organization.

The web conference covers the evolving role of PKIs in the new IoT ecosystem, the scale of the IoT and its increased demand on PKIs, why key orchestration and lifecycle management are critical, where the root of trust must be established to ensure security, and much more.

Please let us know if you have ideas for others you'd like us to interview. Send your tips to media@secureworldexpo.com
