When looking at technology adoption, I am frequently reminded of Pandora’s Box from Greek mythology. This metaphor rings true when considering the Internet of Things (IoT). Whereas Pandora released a host of evils into the world, with IoT we have released new concerns associated with multiple technologies, multiple standards, scale, and security (or as I like to say, resiliency). When considering the information that flows from the edge, through the cloud, and ultimately to the data center, the lowest common denominator for protecting information is trust created by cryptography (as noted by Entrust's Juan Asenjo in the other half of this blog series). In this blog, we are going to start by acknowledging the pitfalls of our particular Pandora and then discuss how we find hope in the solution provided by Entrust and Fornetix.
The Problems
The first step in solving any problem is acknowledging that it exists. In regard to pitfalls for IoT, let’s take a look at the perils of multiple technologies, multiple standards, scale, and resiliency:
- Multiple Technologies – There are a lot of IoT technologies, each of which lends itself to its own management application stack. They include smoke detectors, digestive trackers, heart monitors, and other wearables. While these devices may be perceived as single solutions, they incorporate multiple technologies. When considering resiliency across platforms, it is important to note that encryption becomes the lowest common denominator, servicing both identity and authorization concerns.
- Multiple Standards – Consider the number of standards that cover the gamut of what is considered IoT: Zigbee; NB-IoT, based on 3GPP and 5G; LoRaWAN; Bluetooth; even WCDMA. When Bain & Company compared industry survey results between 2016 and 2018, it noted that interoperability is a rising concern. Vendor-specific protocols and APIs were nominally created in order to optimize functionality with minimal resources. It just happens that those vendor-specific protocols also prevent competing solutions from being integrated into the IoT system as a whole. This lack of interoperability, compounded with scale and resiliency, leads to systemic faults that can be exploited by an enterprising attacker.
- Scale – When one thinks of IoT pitfalls, scale is probably the first one that comes to mind. According to Gartner, there will be 25 billion connected things in use by 2021. One thing to consider in any utilization of IoT capabilities is how information moves from where it is collected to where it is utilized. For consumer devices this is not as large a concern, but it is for the Industrial IoT and connected vehicle space. These technologies traffic in exabytes of data, all of which need governance, consistency, and resiliency.
- Resiliency – It’s easy to think scale is the 800-pound gorilla in the room, and those who do are right; it’s just that there are multiple 800-pound gorillas. Resiliency in the face of attacks is a continuing concern in IoT, especially in the industrial IoT, healthcare, and government sectors (incidents such as the Mirai attack, the Medtronic vulnerabilities, and even the DDoS attack on Krebs on Security are good examples). Concepts such as supply chain security, machine authentication, privacy, and data governance need to be addressed before organizations take the plunge into IoT. Unsurprisingly, Bain Capital noted that security continues to be the top concern of organizations adopting IoT solutions.
The Solutions
But let not your heart be troubled; there are paths that avoid the pitfalls. In this case, let’s examine the combined solution provided by Entrust and Fornetix. Working together, Entrust and Fornetix provide the capabilities to help customers avoid these pitfalls and adopt IoT solutions with confidence. In the spirit of offering solutions and not just problems, let’s address those pitfalls:
- Multiple Technologies – The Fornetix/Entrust solution provides a standards-based platform that allows for integration of multiple IoT components, giving users a consistent way to address trust and identity across IoT solutions. The Fornetix/Entrust cross-functional approach works for IoT because it addresses the lowest common denominator, focusing on the utilization of the root of trust from the factory through IoT deployment and operation. Features such as local and network code signing, protected key distribution, and utilization reporting allow for a federation of trust throughout the “system of systems” that makes up IoT solutions.
- Multiple Standards – Addressing the plethora of communication standards is an exercise in intelligent integration. At Fornetix, we like to say "In Standards We Trust." With standards such as the Key Management Interoperability Protocol (KMIP), PKCS#11, OpenC2, and TCG DICE, we recognize that interoperability is critical to avoiding brittle IoT systems. From an implementation perspective, it is also obvious that there are other standards out there (especially in communications) and that intelligent integration in this case means knowing how to extend capabilities to the right parts of the solution based on the IoT technology. Our ever-growing suite of “Orchestrator” plugins provides a consistent approach to translating between multiple standards while utilizing secure protocols like KMIP.
- Scale – The Fornetix/Entrust solution was built with scale in mind, recognizing that it is important to protect keys, certificates, and other trust data consistently, whether there are 100 devices or 1,000,000 devices. This is an exercise in systems engineering and speaks to the intelligent engineering approach that makes handling multiple protocols possible. In short, the solution can scale because it was engineered to scale from its inception. Given that scale is not an afterthought, companies adopting IoT solutions can do so with confidence, knowing that managing trust for the IoT solution will be consistent no matter the number of devices deployed.
- Resiliency – In IoT systems, resiliency is an exercise in trust... and trust is an exercise in management. By providing security controls and operations, IoT devices can assert identity, be authorized to transmit information, and even assert device integrity. Key Orchestration has the operational capabilities, policy, mandatory access controls, automation, and event tracking to integrate the root of trust that starts with Entrust's HSMs. The trust that starts with Entrust is given a voice by Key Orchestration. Additionally, the combined Fornetix/Entrust solution has the internal security controls in place to provide assurance that the keys to the IoT kingdom are safe and protected.
IoT solutions provide fantastic benefits to individuals and organizations. Whether it is the industrial IoT systems that keep trains running or the health monitoring devices ensuring the welfare of our loved ones, we cannot deny the benefits. On the other hand, IoT solutions that are rushed to market end up creating brittle, insecure systems. Together, Entrust and Fornetix bring secure, interoperable trust to IoT so that people and organizations can embrace the benefits of IoT while being confident that those IoT systems are safe and secure.