
Deploy IoT device certificates to enhance network security

Attackers are increasingly using IoT devices as network entry points, but IT administrators can use IoT device certificates as enterprise gatekeepers.

With the multitude of IoT devices on a typical network, and the wealth of data those devices collect and transmit, IT professionals need to take device security seriously. Certificates are a prudent way to secure devices against malicious use.

IoT devices are attacked within five minutes of being powered on and connected to the internet, according to a NetScout report, which makes strong protective measures essential. The same report found that complex network attacks are increasing every year, growing by 2,851% since 2017.

Device certificates raise the bar in two ways: they authenticate each device before it is admitted, which is the basis for any authorization decision, and they enable end-to-end encryption of the device's communications.

How device certificates work in the IoT

Device certificates are the credentials by which a device proves its identity before it is granted network access. IT administrators first register a device as valid and authorized, then issue it a certificate that acts as its network passport. Without a valid certificate the device cannot connect to perform its function, even though it is registered as a valid device. The certificate itself is public; what makes it a credential is the private key that stays on the device, ideally in a TPM or secure element so that it cannot be copied to another machine.

Certificates are one component of a larger public key infrastructure (PKI) for device authentication, alongside the certificate authority (CA) that signs them, the registration authority that vets enrollment requests, and the certificate database or store that tracks issued, renewed and revoked certificates.

IoT devices store their certificates locally. The certificates then work in concert with the other mechanisms that govern network access, such as device management applications, mobile device managers and third-party certificate managers.

When IoT devices connect to the network to authenticate, they do so over Transport Layer Security (TLS), the successor to the older Secure Sockets Layer (SSL). Device authentication specifically relies on mutual TLS: during the handshake the server presents its certificate to the device and the device presents its own certificate to the server, and each side checks that the other's certificate chains to a CA it trusts, is within its validity period and is permitted for that role. SSL and the early TLS 1.0 and 1.1 versions are deprecated and have known weaknesses, so they should be disabled rather than retained for backward compatibility; TLS 1.2 and 1.3 have a more secure and efficient handshake and support stronger algorithms. Some older devices only speak the deprecated versions, so IT administrators should verify supported protocol versions with the device manufacturer before deployment and isolate any device that cannot be upgraded.

How to provision IoT device certificates

IT administrators have several ways to provision IoT device certificates, through third-party or private services.

Third-party certificate providers

Many organizations purchase certificates from public CAs, such as GlobalSign or Comodo (now Sectigo), or use a managed PKI service, such as Entrust or Thales. The right option depends on the network and IoT device deployment, the security budget, and the organization's tolerance for third-party vendors in its network security stack.

Managed certificate services provide a centralized way to provision, protect and manage IoT device certificates. These services can scale up or down quickly, issue certificates on demand, manage certificate lifecycles across a fleet of devices, and automate renewal and revocation.

High-volume private certificate management

Organizations can also run a private CA and provision certificates in volume. A Simple Certificate Enrollment Protocol (SCEP) server, backed by the enterprise PKI, lets devices request and receive certificates over the network: the PKI generates the certificates and an integrated mobile device management (MDM) system distributes them to devices. Because SCEP enrollment is only as strong as the secret that gates it, each device should enroll with a per-device, one-time challenge or a pre-installed manufacturer certificate rather than a shared password, or any machine on the network could obtain a device certificate. Organizations can use MDM as a cost-effective way to manage device certificates for IoT devices that sit entirely behind a firewall and never transmit data over the public internet.

Manual management of low-volume digital certificates

For small deployments, IT administrators can provision device certificates by hand: create an ad hoc root or intermediate CA, issue a certificate for each device and install it, along with the CA certificate, on the device. For example, IT administrators can write custom scripts for Linux-based Raspberry Pi devices that generate a key pair on the device, enroll the device with the CA and install the network settings needed for secure connections. Cloud services, such as the Azure IoT Hub Device Provisioning Service, automate the same steps for individual devices or groups of devices based on the certificates they present.


Why use IoT device certificates

Devices need end-to-end secure communication, because malicious actors frequently use IoT devices as a network entry point for various activities, including as a launch point for phishing. Certificates verify that a device is authorized and add a layer of security to the network. The public and private key pairs underpinning PKI let devices and servers authenticate each other and negotiate encrypted sessions, so data in transit to and from IoT devices is protected from unauthorized viewing or tampering.

Because each certificate binds a unique identity to a key pair, the servers that authenticate devices can log every connection attempt with the device identity, the time and the certificate details, giving a reliable audit trail of which device connected and when. The certificate does not keep this record itself; the authentication servers do, so their logs need the same protection as any other security log. TLS also protects the integrity of the encrypted data stream, so an attacker cannot inject malicious content or code into a session between a device and the network without the tampering being detected.

IoT device certificates are also an inexpensive security measure compared with other security technologies. Even with a third-party CA and certificate management service, the cost is still significantly lower than buying a separate hardware security token for every IoT device. Many CAs also offer volume discounts to control costs. For example, AWS IoT Device Management offers bulk device certificate registration at 10 cents per 1,000 registered devices, and Sectigo offers domain-validated certificates with unlimited server licenses starting at $125 per year. Note that public domain-validated certificates are meant for the servers that devices talk to; device identities are normally issued from a private CA, where the per-certificate cost is close to zero.

Be aware of the disadvantages of IoT device certificates

Managing certificates for a large fleet of devices can be difficult without a device management or certificate management service. Every certificate has a fixed expiration date, and the certificate of any lost or compromised device must be revoked, so keeping track of them all takes considerable time and effort, and a device whose certificate lapses unnoticed simply drops off the network.

Certificate provisioning can be a challenge when IT administrators need to onboard large fleets of IoT devices at once, re-enroll many devices as their certificates expire, or scale the number of device certificates up or down. If an IT administrator has to provision and manage IoT device certificates manually, that time can double or triple. Unless an organization has a dedicated resource responsible only for device certificates, provisioning takes a long time.
