DigiCert, a global leader in scalable authentication and encryption solutions, unveiled DigiCert Auto-Provisioning, powered by Device Authority, this past weekend at the DigiCert Security Summit. With Auto-Provisioning, connected device manufacturers and owners can provision digital certificates at scale, whether their devices use open standards such as SCEP or EST, or only support proprietary device enrollment protocols.
Auto-Provisioning is meant to make it more feasible to secure devices connected to the Internet of Things that may not have the computing power needed to support robust security protocols such as advanced cryptography for communications over the Internet. With its experience in creating scalable solutions for SSL certificates, DigiCert believes that software such as Auto-Provisioning will help promote the need for better standardized security for the Internet of Things.
Why Are Security Certificates Important?
In the IT world, security certificates are generally used to secure anything from the login page when you log into your email account to the shopping cart function when you enter your credit card information. Any time you see an https:// prefix at the start of the address of the web page you’re looking at, there’s probably a security certificate present and active. With the rise of the Internet of Things, security certificates could reasonably be extended to any device that has a digital component — even if that device is your coffee maker.
“Device authentication and encryption are critical to securing connected devices and the information they share, but many software implementations lack standard protocols for provisioning devices,” said DigiCert CTO Dan Timpson. “DigiCert Auto-Provisioning, powered by Device Authority, helps companies get certificates on a much wider range of IoT devices in a scalable, secure and automated way.”
This is especially critical for devices that people’s lives may depend on, like medical devices that are equipped to send data about patients’ health to a remote location. Recent malware attacks have targeted these medical devices in ways that make it possible for attackers to steal patient data or cause harm to patients who use them. The threat is exacerbated by the medical device manufacturing industry’s widespread use of closed-source software for its devices and lack of communication about possible security risks, which makes it more difficult for health care providers’ IT security staff to inspect the devices and make informed decisions regarding malicious attacks on them. The FDA has attempted to address this issue in a report titled “Postmarket Management of Cyber Security in Medical Devices,” which calls for the deployment of solutions that can more effectively address security risks early.
Threats to devices meant for home use include the possibility of a “man in the middle” attack on Samsung’s smart fridge in which an attacker can intercept data that may include the homeowner’s credentials. Last year, researchers found that Nissan Leaf smartphone app APIs were not authenticating users on the server. A study published by HP Fortify estimated that three-quarters of connected devices failed to encrypt communications to the Internet and local network, perhaps because their processors were not powerful enough to handle the advanced cryptography necessary for proper security. While it is not expected that these devices would be equipped with processors that are on par with standard Bitcoin mining devices, which are equipped to handle SHA-256 hashing at a rapid rate, security solutions that are scalable and make efficient use of available computing resources become a vital part of managing the 50 billion devices that could be connected to the “Internet of Things” by 2020.
Auto-Provisioning is meant to automate tasks such as certificate generation and delivery, renewing and revoking security certificates, and encrypting the certificate store. It’s designed to be scalable and capable of adapting to an environment in which authorization needs might change rapidly. This gives an advantage over having to change authorization information manually because it eliminates the risk of human error and reduces time spent on managing security for the Internet of Things. It can also make companies that rely on keeping their devices secure less dependent on the manufacturers’ ability to secure their own devices.