Trinity of Security in IoE

Every day, more of the utilities and equipment we use are connected to the Internet for one reason or another. The information security community sees thunderstorms, tsunamis and hurricanes on the horizon as the number of connected devices explodes. Manufacturers and vendors are in a hurry to add this connectivity, and can ignore even the most obvious security measures.

You see it daily when you trade online.

Just look at the browser address field, and if you see a green box on the left, you can be 99.9999% sure that you are working with the right site. Why not 100%? Well, I am an infosec professional, so I know that every system can be broken given enough time and resources. The point is that PKI and properly certified certificates are the building blocks for a reliable infrastructure.

A certificate can be used to properly identify [something: device, app, server, person, etc.].

The trust anchor is the Certificate Authority (CA) that issued and signed the certificate. There are many widely trusted CAs in the world, with GlobalSign being one of them. Millions of Internet users rely on our certificates every day.

In IoT, certificates are a very good choice for identifying devices, among other things.

When a manufacturer produces a device, the device itself must be issued a device certificate, preferably in a tamper-resistant environment. The issuing CA certificate must also be installed. This enables the device to use code signing certificates to determine whether a software update it has received is good to install. When the device is communicating with the vendor's system, the certificate is used to identify the communicating parties, and even to encrypt the data.

Identifying the device is the first step in securing device communication.

Securing user access to the device is the next step, and this is where many vendors still struggle. Devices are shipped with a default password. Users are not forced to change these credentials and, if they are, nothing is done to prevent them from using “password1”. Passwords are already a bad choice. We have a lot of them, and as the number of connected devices grows we will be frustrated at having to create and maintain yet more passwords for each of our connected devices as well.

Installation and activation of the device can use a vendor portal where owners associate their existing identity with the device, in essence adding the device certificate to the user identity. Ease of use and user experience are key. Satisfaction increases when users can use their existing identities to access devices, or the data the devices have generated, using something familiar and easy. An Identity and Access Management (IAM) solution will provide this capability for IoT.

In some cases, a device has many users, but usually only one owner.

Therefore, the owner should be able to authorize others to accomplish various things. A smart lock is a good example. The owner of the lock, let's say Dad, needs to authorize other identities to open the lock: not only family members, but perhaps an electrician, family friends and so on. The family fridge may be a smart one, connected to the Internet and to your local eGrocery. Dad needs to authorize others in the family to order items for the next delivery, but perhaps also restrict these orders so the freezer is not filled with ice cream. Connected devices and the online services associated with them require flexible authorization functionality.
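The delegation model described above, as an added example that is not part of the original post: one owner per device, default deny for everyone else, and owner-issued grants that can carry restrictions. The `Device` and `Grant` names, the identities, and the optional expiry on a grant are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Grant:
    action: str                            # e.g. "unlock", "order"
    denied_items: frozenset = frozenset()  # owner-set restrictions on the action
    expires_at: Optional[float] = None     # assumption: optional time limit (epoch seconds)


class Device:
    """A connected device with exactly one owner and many delegated users."""

    def __init__(self, device_id: str, owner: str):
        self.device_id = device_id
        self.owner = owner
        self._grants = {}  # (identity, action) -> Grant

    def authorize(self, actor, grantee, action, denied_items=(), expires_at=None):
        # Only the owner may delegate; a grantee cannot pass access on.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.device_id}")
        self._grants[(grantee, action)] = Grant(action, frozenset(denied_items), expires_at)

    def revoke(self, actor, grantee, action):
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.device_id}")
        self._grants.pop((grantee, action), None)

    def is_allowed(self, identity, action, item=None, now=0.0):
        if identity == self.owner:
            return True
        grant = self._grants.get((identity, action))
        if grant is None:
            return False  # default deny: no grant, no access
        if grant.expires_at is not None and now >= grant.expires_at:
            return False  # time-limited grant has lapsed
        return item not in grant.denied_items


# Constructed sample data mirroring the lock and fridge scenarios above.
lock = Device("front-door-lock", owner="dad")
lock.authorize("dad", "electrician", "unlock", expires_at=1_000.0)
fridge = Device("family-fridge", owner="dad")
fridge.authorize("dad", "kid", "order", denied_items={"ice cream"})
```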

The Trinity? Authorization, Identification, Device Security: AID.

It can be done. Talk to us today to learn more.
