PKI as IAM for M2M and IoT

Our industry certainly has no shortage of IAM solutions supporting government and enterprise. A multitude of different security platforms is available for managing identities, access, privileges, user single-sign on, identity federation, and passwords using techniques ranging from centralized to distributed, enterprise to cloud, desktop to mobile, and so on. 

One challenge for all these IAM systems, however, is their complexity. Granted, a portion of this complexity might stem from unforced design errors, but the majority is unavoidable given the messiness of dealing with unpredictable humans. Enterprise IAM systems must, for example, support lost tokens, forgotten passwords, confused users, and the like. 

Similarly, because IAM systems must also include interfaces to often badly-designed legacy tools such as haphazard HR databases, the associated design complexity increases even more. As a result, IAM systems typically require a disproportionate share of time and attention from CISO teams. Some teams might spend half their budget on IAM.

It is in the context of such IAM complexity that our industry must now begin to deal with new machine-to-machine (M2M) communications and Internet of Things (IoT) interactions. Both M2M and IoT will obviously require IAM, and their scope, combined with IPv6 deployment, has the potential to make things even more complicated. 

The IAM industry understands this challenge and some excellent vendor solutions are luckily beginning to emerge. One creative approach that you might not have considered in the context of M2M and IoT IAM is based on a pair of data structures that everyone in our industry is already intimately familiar with: Encryption keys and public key certificates. 

Talking recently with Jeff Hudson of Venafi, we discussed how teams might begin to use encryption solutions to improve IAM support for M2M and IoT. “Computer scientists long ago figured out how to pair public and private keys into decentralized schemes,” Jeff explained. “This is now perfectly-suited to supporting the M2M and IoT IAM challenge.” 

Now, I will assume that you already know that for public key infrastructure (PKI) to work, keys must be exchanged in a trusted manner between entities. This is accomplished by certificates, which include information that links a key to its true owner. “Certificates are like ultra-secure envelopes,” Jeff said, “with the ability to include useful metadata.” 

What you might not realize, however, is the degree to which PKI now supports IAM-type enablement of M2M communication between IoT machines and devices. Their use is growing to the point that Hudson refers to certificates as passwords for machines, albeit with none of the usual weaknesses, such as users reusing or exposing clear text passwords.

To better understand how PKI serves as IAM for M2M and IoT, it helps examine the underlying implementation and infrastructure layers. The implementation layer is where entities exchange information, relay data, and provide in-line support for the systems, applications, and services. This is the layer is where you click on the security needed to invoke encryption for your credit card. 

The infrastructure layer, in contrast, is where users register for services, create accounts, set up passwords, call to obtain assistance, and so on. This is the layer that deals most directly with all the messy humans.

Hudson offered this illustration: “Phishing is a special case of an infrastructure attack involving administrative warnings to users about expired passwords. Human beings can be tricked into this sort of thing so easily.”

The good news for M2M and IoT is that the bulk of key and certificate support is automated into the implementation layer, which should lead to much simpler deployment use-cases. “Machines do not forget passwords,” Hudson said. “They are not easily tricked into handing over sensitive information after a sympathetic appeal from the other end of the phone line.”

The primary implication of all this for security teams is that infrastructure security support for M2M and IoT should see reduced IAM complexity in coming years, because more functionality can be automated using PKI. In addition, the keys and certificates used in machines and device will require less of that special case support so necessary for humans. This is excellent news for emerging machine-based applications.

CISO teams are thus advised to engage in an active dialogue with their IAM and PKI vendors. Attention should be placed during the discussion on how the emerging evolution to M2M and IoT for IAM will be supported in their products and services. Listen carefully to ensure that your vendors are solving problems by reducing complexity rather than the reverse. 

What’s hot on Infosecurity Magazine?