Machines are increasingly taking over tasks traditionally conducted by humans, often working independently to improve business productivity. But if we want our security measures to keep pace, as more and more machines come into existence, we need to be able to reliably determine which machines should be trusted and which shouldn’t.
In order to identify the trustworthy machines, first we must, well, give them identities. In the recent past, this wasn’t necessary. Tom’s hammer or Joe’s plow didn’t need to prove they were what they appeared to be. But then things turned digital and now we have all sorts of devices – from cars to wireless routers to medical devices to home and industrial IoT components – making autonomous connections and making machine identity suddenly very important.
One of the most secure ways to establish a machine ID is by assigning a unique certificate or key to it. This identity is then checked against a central authority each time it connects to a network, to establish a chain of trust. It’s sort of like when you cross the border and an agent scans your passport. You get permission to cross only when your passport details are checked against a central authority that validates your “key” or identity, confirming you are who you say you are.
The challenge with assigning keys to every single machine is that there are so many of them, and their numbers are exponentially growing. When organizations start to accumulate keys, they need to be able to keep track of where they are stored and who controls them. They also need to rotate the keys periodically and revoke keys when machines are decommissioned to maintain good security hygiene. In short, key management becomes a very serious undertaking.
Staying on top of this is tremendously important. Recent data breaches have demonstrated that hackers can compromise machine identities to conduct an attack, either by stealing a trusted identity to get onto a network, establishing a fake identity of their own, or, in the case of an unsecured network, getting in without one at all. The infamous Target breach was a great example, where the attackers compromised machine identities associated with an HVAC system at a facility in Texas and used those credentials to gain access to a part of Target’s network where customers’ credit card information was stored.
Despite all the challenges, it’s not impossible for security teams to keep pace with the ongoing rise of the machines. They just need to apply the same foundational components that they would in other types of information security – confidentiality, integrity, availability, accountability and auditability. Issuing machine identities securely is the crucial first step for executing on these concepts and ensuring that a secure foundation is in place for the IoT.
By Gorav Arora, Data Protection CTO, Gemalto