Attackers increasingly use IoT devices as network entry points, but IT admins can employ IoT device certificates as gatekeepers to the enterprise.
With the multitude of IoT devices on any given network, IT professionals must take device security seriously. With the wealth of data that devices collect and transmit, it makes prudent business sense to use certificates to secure devices against malicious use.
IoT devices are under attack within five minutes of being powered up and connected to the internet, according to a NetScout report, which makes strong protection measures essential. The report also found that complex attacks on networks increase every year, with a 2,851% growth since 2017.
Device certificates can increase security with authorization protocols and communication encryption from start to finish.
How device certificates work in IoT
Device certificates are the mechanisms that verify and grant devices access to the network. IT admins first register devices on the network as valid and authorized and then associate the devices with a certificate to act as a network passport. Without the digital certificate, a device can’t connect to the network to perform its function, even if it’s registered as a valid device.
Certificates are part of the broader public key infrastructure (PKI) for device authentication, alongside the certificate authority (CA), registration authority and certificate database or store.
IoT devices store device certificates, which work in concert with other security mechanisms to give network access, such as device management software applications, mobile device managers or third-party certificate managers.
When IoT devices connect to the network for authentication, they typically do so through a secure communication protocol like a secure socket layer (SSL) or Transport Layer Security (TLS) protocol. Many networks use SSL, an older protocol that many web applications and network devices still use. Newer devices use TLS, which has a more secure and efficient authentication process and supports more advanced and secure algorithms. IoT devices with TLS protocols can be backward compatible with devices that use SSL, but IT admins should verify this with their network administrator or device manufacturer.
How to provision IoT device certificates
IT admins have several ways to provision IoT device certificates through third-party or private services.
Third-party certificate vendors
Many organizations buy PKI-eligible certificates from third-party certificate vendors, such as GlobalSign or Comodo, or use a managed PKI solution, such as Entrust or Thales. The right option will depend on the network and IoT device deployment, the security budget, and tolerance for third-party vendors in the network security stack.
Managed digital certificate services offer a centralized way to provision, protect and manage IoT digital certificates. These services can scale up or down quickly, issue certificates instantly, manage certificate lifecycles across a fleet of devices, and automate certificate activities.
High-volume private digital certificate management
Organizations can also create private certificate servers to manually provision digital certificates for IoT devices. Simple certificate enrollment protocol servers can provision and distribute certificates to IoT devices on the network by working with an enterprise PKI service. The service generates certificates and distributes them to devices through an integrated mobile device management (MDM) system. Organizations can use MDM as a cost-effective way to optimize device certificate management with IoT devices that are completely behind a firewall and never use a public internet to transmit data.
Low-volume manual digital certificate management
IT admins can manually provision device certificates for IoT devices. Manual certificate services create a root or intermediate ad hoc certificate to install on devices. For example, IT admins can create custom scripts for Linux-based Raspberry Pi devices that enroll the device with manual certificates and install the correct network settings for secure connections to the network. Other services, such as the Azure IoT Hub Device Provisioning Service, create a provisioning service on your cloud network that makes it easy to generate certificates and keys for individual or multiple devices.
Why use IoT device certificates
Devices need secure end-to-end communication because bad actors frequently use IoT devices as a network entry point for various activities, including phishing. Certificates verify authorized devices and add a security layer to the network. The public and private key combination used in PKI ensures all data sent to and from IoT devices remains secure from unauthorized view or use.
Similar to how blockchain technology keeps an immutable record of information and activity, organizations use certificate technology to track access and authorization through the PKI. The authentication mechanism records every authentication and action by date, time and key information, providing irrefutable proof of who did what and when. Consequently, digital certificates provide tamper-resistant features to communications between IoT devices and the network. It is more difficult for attackers to inject content or malicious code into an encrypted data stream.
IoT device certificates are also a low-cost security measure for any enterprise compared to other security technologies. Even with a third-party CA and certificate management service, the cost is still significantly lower than purchasing a new hardware device for each IoT device. Many CAs also offer volume discounts to keep costs under control. For example, AWS IoT device management offers bulk device certificate registration at 10 cents per 1,000 devices registered, and Sectigo offers domain validated certificates with unlimited server licenses starting at $125 per year.
Be aware of IoT device certificate disadvantages
Managing certificates for a large fleet of devices can be difficult without a device management or certificate management service. Because each certificate has a definite expiry date, that can take a lot of time and effort to keep track of them all.
Provisioning the certificates can be a challenge if IT admins must integrate large fleets of IoT devices at once, remove multiple devices when sunsetting them or scale many device certificates up or down. If an IT admin must manually provision and manage IoT device certificates, that time can double or triple. Unless an organization has a dedicated resource in charge of just device certificates, provisioning costs a lot of time.