01 Feb 2022
Why use a digital certificate management system when you could manage your certificate lifecycle manually? Beware, it gets increasingly complex – and risky – as you grow your business.
Digital security certificates are a cornerstone of IoT security. By offering a means for servers to verify the authenticity of the source of every incoming communication and instructing them how to decrypt their message, they build trust in an otherwise hostile environment. Remember, whether it’s a smart sensor, a webcam, or a smart TV, any single connected device that has been co-opted by hackers can be exploited for nefarious activities.
But what, exactly, are digital security certificates? In the same way that the passport issued by your national government confirms your identity when you cross international borders, digital security certificates, issued by trusted certificate authorities, confer an identity on each endpoint on the IoT. Take the X.509 certificate, the most common type of digital identity, defined in the IETF RFC 5280 standard. Its main ingredients are a device name and, associated with that name, an asymmetric key pair – a private key and a public key – used for encryption.
Like passports, digital security certificates have an expiration date. Once it has passed, servers will block any incoming communication from the associated device until the certificate is renewed. Your passport is probably valid for around a decade. IoT devices don’t have that luxury: the risk of keeping the same certificate for years is simply too high. Maintaining high IoT device security requires promptly removing outdated encryption algorithms and compromised certificates from circulation.
While short certificate validities are a clear benefit to end-users, they create a challenge for device developers and companies managing fleets of connected devices. Rather than building a device, provisioning it with the required certificates, and releasing it into the wild for its entire IoT lifetime, they need to continually check in on it, ensure that the encryption it uses is still up to speed, and renew certificates when they expire – or face the consequences.
And the stakes can be high. The impact of breached devices and expired certificates can cascade through industrial production processes, logistics chains, and social networks, putting devices, machines, individuals, and entire businesses at risk.
One way to de-risk device fleet management is to turn away from manual device provisioning and certificate renewal and adopt an automated certificate management tool such as that offered by our zero touch provisioning and IoT certificate management services. Designed to integrate seamlessly with leading IoT cloud platforms, including AWS IoT Core, Azure IoT Hub, and custom platforms, these services can be easily extended to all IoT platforms that use X.509 certificate-based device authentication.
With our zero touch provisioning service, the entire device provisioning process – including creating and signing the root certificate, uploading it to the cloud service provider, generating the associated public and private keys, and provisioning the signed certificates on the device and on the IoT platform – can be done securely for your entire fleet in just a matter of minutes. It only takes a few clicks to configure the system. The provisioning procedure then executes automatically on each individual device, simply by switching it on.
Our IoT certificate manager then lets you easily monitor and control the X.509 certificates on all your fielded devices, simplifying the process of replacing compromised device certificates and renewing in advance the ones that are going to expire, all with our user-friendly Thingstream IoT service delivery platform.
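The two checks a fleet monitor has to run on every fielded certificate, as described above (is it about to expire, and is it still using an acceptable algorithm), as an added Go example that is not u-blox code and has nothing to do with the Thingstream platform's own implementation. It uses only the standard library; the 30-day renewal window, the list of retired signature algorithms and the self-signed demo certificates are all constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// weakSigAlgs is an assumed fleet policy: signature algorithms that must be retired.
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD5WithRSA: true, x509.SHA1WithRSA: true, x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true,
}

// CheckCert classifies a parsed device certificate at time now: retired crypto first, then expiry, then the renewal window.
func CheckCert(c *x509.Certificate, now time.Time, window time.Duration) string {
	switch {
	case weakSigAlgs[c.SignatureAlgorithm]:
		return "weak-signature-algorithm"
	case now.After(c.NotAfter):
		return "expired"
	case now.Add(window).After(c.NotAfter):
		return "renew-soon"
	}
	return "ok"
}

// newDeviceCert builds a constructed self-signed ECDSA cert for the demo; a real monitor would parse DER fetched from the device or platform registry.
func newDeviceCert(cn string, notBefore time.Time, validity time.Duration) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notBefore.Add(validity)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	now := time.Date(2022, 2, 1, 0, 0, 0, 0, time.UTC)
	window := 30 * 24 * time.Hour // renew anything with fewer than 30 days left
	for _, c := range []*x509.Certificate{ // constructed fleet: 90-day certs issued one and two months ago
		newDeviceCert("sensor-01", now.AddDate(0, -1, 0), 90*24*time.Hour),
		newDeviceCert("camera-02", now.AddDate(0, -2, 0), 90*24*time.Hour),
	} {
		fmt.Printf("%s: %s (expires %s)\n", c.Subject.CommonName, CheckCert(c, now, window), c.NotAfter.Format("2006-01-02"))
	}
}
```

With a 90-day validity and a 30-day window, the second device is already flagged for renewal after two months, which is the kind of early warning the text means by renewing in advance.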
Our zero touch provisioning and IoT certificate manager services are highly scalable, allowing you to seamlessly transition from prototyping to mass market scale, keeping your overhead costs low even as your fleet size grows.
There’s more to implementing robust IoT device security than immediately meets the eye, and that’s a good thing for end-users, who expect maximum performance with minimum hassle. For device developers, however, the efforts involved – IoT security experts, secure hardware development, secure production facilities, etc. – show up in the budget – and in their product’s sales price.
Combining the u-blox SARA-R5 LTE-M cellular module, which features a hardware-based root of trust for robust IoT security, with our zero touch provisioning and IoT certificate lifecycle management services minimizes your set-up costs and provides a clear total cost of ownership, keeping a lid on production and operational costs, while also speeding up time to market.
The internet security field has always been fast paced, with hackers and security teams hard at work to stay ahead. And the pace keeps picking up, which is one reason why IoT device certificates have shorter and shorter lifetimes. In fact, it’s likely that certificates that today are commonly required to have one-year lifespans will soon need to be renewed every three months. At the same time, increasing computing speed and new computational paradigms are threatening today’s encryption methods.
With the IoT certificate manager, you can ensure that your devices are always protected with increasing levels of security regardless of where they are and how long they’ve been in the field. With IoT device lifetimes pushing toward the ten-year time horizon, a future-proof certificate management tool offers a smart insurance policy against the security threats of tomorrow.