To securely build and grow an IoT ecosystem, one must have the tools and architectures in place to identify, control and manage the IoT devices in it. This process begins with establishing a strong identity within each IoT device. Here are some of the ways in which we can verify the authenticity of IoT devices before onboarding them.
As the IoT movement pervades every facet of our lives, the pace of innovation in this field continues to grow. We are seeing novel uses of this technology that are very cool – we are also seeing a lot of implementations that are downright silly! However, most, if not all, of these are very impactful. As we have seen in the past with agriculture or healthcare, IoT is moving fast and is here to stay. However, this being a classic case of trying to run before we’ve learned how to walk, IoT device developers often leave out the core component of any connected service in today’s world – security.
There are very few standards in place for IoT security – cyber or physical. Hence, many existing IT standards are being adapted or drawn upon to produce reference architectures and security best practices for IoT. Common among these frameworks is the need for a strong, unique and immutable identity for each IoT device. While there are various ways to establish this, industry analysts, major cloud platform providers, thought leaders and early adopters all agree that Public Key Infrastructure (PKI) is going to be the chosen mechanism for this, now and into the future. PKI itself has had to adapt and is now moving into the 21st century with increased adoption and widespread application to a wide variety of use cases.
Core to a PKI-based infrastructure is a trusted third party, a Certificate Authority (CA). CAs have existed for decades and today issue publicly (or privately) trusted credentials to entities that need to prove their identity. As such, a digital certificate issued by a CA is a universally accepted identity credential on most digital platforms.
An important component or function of a CA is the act of ‘registration’, commonly performed by the Registration Authority (RA). The RA sits between the entity that is requesting an identity and the CA, and essentially implements a layer of control and management over the verification of identity prior to issuance. It is responsible for checking that a particular public key belongs to the entity requesting a certificate for it.