PKI and internet of things use cases
PKI is an essential component to secure an organization’s IoT infrastructure. EST is a popular protocol to facilitate automation and management of different devices.
The Internet of Things (IoT) is a popular technical trend driving consumer behavior. Fitness trackers, smart thermostats, and sensors that can tell consumers a package will be arriving soon are all examples of IoT devices that touch our lives daily. McKinsey & Company estimates that IoT will drive up to $12.6 trillion in economic value by 2030, with $1.6 trillion captured in 2020. Given the expected scale and availability of IoT, it poses unique security challenges that need to be addressed. This blog will discuss IoT as well as steps organizations can take to secure their solutions.
» About IoT
IoT is a network of connected devices that exchange data with other devices, applications, and clouds. Generally, IoT devices have embedded applications and sensors that deliver data to artificial intelligence and machine learning systems to improve customer experience or enhance decision-making processes that increase the value of the business.
For instance, remote patient monitoring is a common application of IoT devices for healthcare. Connected devices collect health-related data on a patient's heart rate, blood pressure, temperature, glucose, and more from patients who are not physically located in a healthcare facility. This eliminates the need for patients to travel to their healthcare provider for sample collection. Remote monitoring through IoT devices also allows a broader dataset to be collected over time in a patient’s normal environment during natural activities, which improves overall results.
IoT devices collect data and forward it to an application where healthcare professionals or the patients can monitor or take action on it. Software can analyze the data in order to recommend treatments or generate alerts. For example, an IoT sensor that detects a patient’s unusually low heart rate may generate an alert so that healthcare professionals can intervene or deliver treatment automatically.
A major challenge with remote patient monitoring devices is ensuring that the highly personal data that these IoT devices collect is secure and private.
IoT enables many benefits, including but not limited to:
- Enabling access to information anywhere
- Collecting large amounts of data from connected devices
- Automating tasks to improve the quality of service and reduce the need for human intervention
But IoT also brings new security challenges that need to be addressed to secure users and their data:
- IoT creates and expands cyber attack surfaces because of the large number of connected devices. As the amount of information shared among connected devices grows, the potential for a breach of confidential information and subsequent misuse increases.
- Device management and security challenges grow as the number of IoT-connected devices grow.
- When an IoT platform supports diverse devices, securing them using a common standard can become difficult. This is where public key infrastructure (PKI) comes into play to help organizations secure their IoT interests and other use cases.
» How PKI helps IoT
One of PKI’s strengths is affirming strong authentication within diverse IoT ecosystems, including device-to-device, device-to-cloud, and user-to-device use cases. Traditional applications rely on server-side logic for decision making, but since much of IoT’s value is based on the connected device’s ability to make decisions independent of human intervention, that value and risk can be tied directly to the data. Using encryption, PKI ensures the privacy of communications and data between devices, applications, and IoT-related infrastructure.
Device diversity is undisputedly the IoT ecosystem’s most significant characteristic. This causes some divergence between traditional and IoT PKI. Traditional PKI focuses on conventional functionality like issuing SSL or TLS certificates for servers or digitally signing applications. IoT-centric PKI focuses on securing communications between vast numbers of connected devices and the rest of the IoT ecosystem (servers, gateways, etc.) by utilizing digital certificates and encryption. Connected devices are assigned unique digital certificates to verify the device’s identity and so that it can communicate with its broader ecosystem. The mutual authentication PKI preserves data and software integrity for IoT.
» Enrollment over secure protocol (EST)
PKI supports a variety of protocols that include additional capabilities to more closely tailor PKI workflows to a particular use case. When selecting the most appropriate technologies for IoT use cases, automating the provisioning and rotation of PKI certificates on diverse devices is very important due to the magnitude of security risks. Automated certificate management environment (ACME), simple certificate enrollment protocol (SCEP) and enrollment over secure transport (EST) are considered the best PKI protocols to automate large volumes of certificates.
EST is a PKI enrollment service that standardizes interoperability and secure information exchange between client and certificate authority (CA). In an IoT PKI architecture, EST services execute functions generally done by Registration Authorities (RA). For instance, EST validates whether clients are authorized to receive the requested certificates. When validated, EST communicates with the CA to return the certificate(s) to the client. EST is popular for IoT use cases because of its interoperability advantages and because it only requires requests via a standard URL or IP address.
EST also enables a level of automation that helps reduce risk and allows IT teams to manage their PKI at scale. Manual configuration can take several hours per certificate, making the operational cost prohibitive. The manual process is also prone to human error, making it high-risk. Additionally, manually managing certificates puts organizations at risk of being forgotten until after expiration, causing unexpected outages of critical systems and exposure to malicious attacks.
An Internet Engineering Task Force (IETF) workgroup has determined that EST is a preferable replacement for Simple Certificate Enrollment Protocol (SCEP). As a more modern protocol, EST offers an easy-of-use certificate management solution that delivers critical advantages for today's enterprise PKI environment, including:
- Secure transport: EST is natively secure because it offers better transport security; all requests and responses between client and CA are transmitted over TLS. EST does not require the authentication of messages with a shared secret identifier like SCEP or by a challenge password as ACME does.
- Certificate requestors: EST associates the certificate signing request (CSR) with an authenticated trusted requestor. In contrast, with SCEP, CSRs are authenticated using a shared secret between the client and the CA. That approach introduces greater security risks for exposure.
- Algorithm support: EST supports the Elliptical Curve Cryptography (ECC) and Elliptical Curve Digital Signature (ECDSA) algorithms, while SCEP does not.
- Automated certificate renewal: EST was designed to support automatic re-enrollment. SCEP does not support re-enrollment natively.
- Server-side key generation: PKI requires server-side key generation for environments or devices that cannot generate a random private key. SCEP only supports the client's private key generation.
- Transition periods for the incremental root of trust rollover: During instances of CA rollover or any need to change the root of trust, EST adopts the Certificate Management Protocol (CMP) model for CA certificate rollover, though it does not use the CMP message syntax or protocol. The EST model refreshes the root trust by using three certificates during the transition while maintaining communications between clients and servers. Alternatively, SCEP requires CA rollover across all certificates to coincide. This rollover method puts critical systems at risk of an outage should a problem occur.
» Learn more about PKI EST and IoT
HashiCorp Vault has a long history of supporting PKI and certificate automation to secure our customers diverse infrastructures. The EST protocol is now available as a beta feature with an expected GA date later this year. EST represents an exciting new addition to HashiCorp Vault’s PKI and secret lifecycle management capabilities that helps enterprises reduce risks and improve efficiency. The ability to centralize secrets management along with certificate lifecycle management further differentiates Vault’s Security Lifecycle Management portfolio.
To learn more, check out these resources:
Sign up for the latest HashiCorp news
More blog posts like this one
Cracking the code to overcome developer and security team differences
Implementing the right consolidated internal development platform (IDP) can nudge your Dev and Sec cultures in the right direction — toward collaboration and away from conflict through tooling and automation.
5 ways to improve DevEx and security for infrastructure provisioning
Still using manual scripting and provisioning processes? Learn how to accelerate provisioning using five best practices for Infrastructure Lifecycle Management.
Fix the developers vs. security conflict by shifting further left
Resolve the friction between dev and security teams with platform-led workflows that make cloud security seamless and scalable.