Defending the Internet of Things
Identity at the Core of Security

+1-888-690-2424 | entrust.com

Table of contents

Introduction
Challenge: protecting & managing identity
Founders of identity security
Standardizing PKI
Secure mobile, leverage mobile
Identity management
Trusted advisor for critical architectures

Introduction

Attacks on traditional IT systems have resulted in massive loss of money, privacy and intellectual property. Even worse, attacks on the Internet of Things (IoT) potentially threaten our safety. This threat landscape exists alongside the ever-increasing demand for more technology to be embedded into coordinated devices used in healthcare, automobiles, aviation, critical infrastructure and smart city initiatives.

More system complexity means that there is more threat surface that needs to be defended. It also means that there is more potential to make mistakes and introduce vulnerabilities.

The opportunity to create a safe and secure system occurs when we realize that perimeter defenses are insufficient and that we must engineer comprehensive security throughout system processes. In highly automated systems, connected devices must assure trust by assuring authenticity. Too often, devices in automated and coordinated systems do not challenge the authenticity of the source of the commands that they act upon. In an ideal world, the identity of each system component would be authenticated, but system constraints demand that we optimize an architecture that achieves security and assures performance.

Challenge: protecting & managing identity

What’s at Risk?
- Critical infrastructure programmable logic units
- Automobile electronic control units
- Medical devices
- Smart city, including intelligent transportation
- Utilities and industrial control
- Building automation

Securing identity is a central concept in reducing attack surfaces. Every attack we have studied requires an attack against identity in order to accomplish its malicious goals. The chain of trust shows us how system parts sitting directly in the sequence of a process must question each other’s identity. Wherever an identity can be compromised, an attacker will find it and use it against the system.

Authenticity of Parts

Authenticating parts by code signing is suitable for parts that include firmware components. It also has the potential to allow secure in-service upgrades, because the code-signing check authenticates the identity of the firmware source.

Receiving Commands – Identity of Source

All networks should be considered unsafe. Any device that receives a valid command on a network should not blindly trust the source’s identity. Verifying that the command itself is authentic is not enough; verifying the authenticity of the command source’s identity is the key to reducing the threat surface. These concepts are at the heart of what public key infrastructure (PKI) can accomplish.

Sending Commands – Identity of Destination

Vulnerabilities and failures occur. Therefore, not all devices on a network should be trusted to hear commands sent on the network. An attacker who can read legitimate commands moving across a network can learn which commands to replay at a later time for malicious intent. Encrypted communications within an enclosed network of embedded devices are therefore important to reduce attack surface.

Authentication

IoT is synonymous with remote connectivity, which is a fast-growing technology area. Without authentication, critical devices are at risk of attack.
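The points above on authenticating the firmware source, authenticating the source of a received command, and rejecting a command that is delivered a second time are illustrated by the following Go program. It is an added example written for this page, not code from the whitepaper or from Entrust. It assumes a simplified setting: an in-memory trust store keyed by source identity stands in for certificate-backed PKI, Ed25519 keys stand in for certificate-bound signing keys, and a per-source monotonic counter provides freshness. The identities (“scada-master”, “laptop-42”), command strings and firmware bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Added example, not Entrust code: an in-memory trust store keyed by source identity stands in for certificate-backed PKI.
var (
	ErrUnknownSource = errors.New("source identity not in trust store")
	ErrBadSignature  = errors.New("signature does not verify for claimed source")
	ErrReplay        = errors.New("counter not fresh: envelope already seen (replay)")
)

// Domain tags keep a firmware signature from ever verifying as a command.
const domainCommand, domainFirmware byte = 1, 2

// Envelope is a command as carried over a network the receiver treats as hostile.
type Envelope struct {
	SourceID string // claimed identity of the sender
	Counter  uint64 // strictly increasing per source; provides freshness
	Payload  []byte // the command itself
	Sig      []byte // signature over domain || SourceID || Counter || Payload
}

// Receiver acts only on input from a registered identity and, for commands, not seen before.
type Receiver struct {
	trusted map[string]ed25519.PublicKey // provisioned source identities
	lastCtr map[string]uint64            // highest counter accepted per source
}

// signingInput length-prefixes the id so (id, counter, payload) cannot be re-split under one signature.
func signingInput(domain byte, id string, ctr uint64, payload []byte) []byte {
	buf := binary.BigEndian.AppendUint32([]byte{domain}, uint32(len(id)))
	buf = binary.BigEndian.AppendUint64(append(buf, id...), ctr)
	return append(buf, payload...)
}

// Sign is the sender side: identity, counter and payload are bound under one signature.
func Sign(id string, ctr uint64, payload []byte, sk ed25519.PrivateKey) Envelope {
	return Envelope{id, ctr, payload, ed25519.Sign(sk, signingInput(domainCommand, id, ctr, payload))}
}

// verify answers "did a registered source really produce these bytes?"
func (r *Receiver) verify(domain byte, id string, ctr uint64, payload, sig []byte) error {
	pk, ok := r.trusted[id]
	if !ok {
		return ErrUnknownSource
	}
	if !ed25519.Verify(pk, signingInput(domain, id, ctr, payload), sig) {
		return ErrBadSignature
	}
	return nil
}

// Accept adds freshness on top of verify; the counter advances only once the signature has verified.
func (r *Receiver) Accept(e Envelope) error {
	if err := r.verify(domainCommand, e.SourceID, e.Counter, e.Payload, e.Sig); err != nil {
		return err
	}
	if e.Counter <= r.lastCtr[e.SourceID] {
		return ErrReplay
	}
	r.lastCtr[e.SourceID] = e.Counter
	return nil
}

// VerifyFirmware runs the same source-identity check on an image before an in-service upgrade.
func (r *Receiver) VerifyFirmware(signer string, version uint64, image, sig []byte) error {
	return r.verify(domainFirmware, signer, version, image, sig) // version takes the counter slot
}

// Outcome holds the result of each delivery in Scenario.
type Outcome struct{ Genuine, Replayed, Tampered, Unknown, Later, Firmware, ForgedFirmware error }

// Scenario pushes constructed sample traffic through one receiver: a genuine command, the same
// envelope again, a modified payload, an unregistered sender, a later genuine command, and a
// firmware image with a valid and then a forged signature.
func Scenario() Outcome {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored: rand.Reader does not fail here
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)  // key of an unregistered sender
	rx := &Receiver{trusted: map[string]ed25519.PublicKey{"scada-master": pub}, lastCtr: map[string]uint64{}}
	var o Outcome
	cmd := Sign("scada-master", 1, []byte("OPEN valve-3"), priv)
	o.Genuine = rx.Accept(cmd)
	o.Replayed = rx.Accept(cmd) // identical envelope delivered a second time
	bad := cmd
	bad.Counter, bad.Payload = 2, []byte("OPEN valve-4") // signature no longer matches
	o.Tampered = rx.Accept(bad)
	o.Unknown = rx.Accept(Sign("laptop-42", 1, []byte("OPEN valve-3"), rogue))
	o.Later = rx.Accept(Sign("scada-master", 2, []byte("CLOSE valve-3"), priv))
	image := []byte("constructed firmware image v7")
	tbs := signingInput(domainFirmware, "scada-master", 7, image)
	o.Firmware = rx.VerifyFirmware("scada-master", 7, image, ed25519.Sign(priv, tbs))
	o.ForgedFirmware = rx.VerifyFirmware("scada-master", 7, image, ed25519.Sign(rogue, tbs))
	return o
}
```

Scenario() is the entry point and returns one error value per delivery so each check can be inspected. Two design points matter for a receiver: the trust-store lookup and signature check run before the counter is touched, so a message that fails to verify leaves no trace in the receiver’s state, and the signed bytes carry a domain tag and a length-prefixed identity, so a signature made for one purpose or one field layout cannot be presented as another. Confidentiality of the channel, the concern of the Sending Commands point, is a separate layer that this example does not implement; the counter addresses replay, not eavesdropping.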
Too often, critical IoT devices and their networks are considered to be secure because of the perceived lack of physical access or the complexity of the communication protocol. Attacks have shown us that security by obscurity is insufficient. Secure elements and higher processing power in IoT devices have created opportunities to embed cryptographic capabilities that enable strong authentication.

Security Culture

As traditional vendors transition to solving IoT challenges, there will be struggles to manage, secure and authenticate devices. Security that stands the test of implementation requires expertise that is forged through experience.

Founders of identity security

“Entrust has a long history of protecting identities and architecting systems that assure chains of trust.”

Entrust’s core competencies, such as PKI, are highly applicable to security for the Internet of Things. This security expertise specifically protects identities. Entrust is a founder and editor of the underlying standards community, as well as one of the primary architects for identity security within complex projects. Today, this leadership is further augmented by the strategic integration between Entrust and Datacard Group. As a single company, this partnership provides identity-based technologies that enable highly secure anywhere-anytime access for workforces of all sizes. Our solutions help consolidate identity information that is typically scattered across numerous databases. We create unified and trusted identities that provide enterprises with a single point of control and much greater security. Whether people are entering secure facilities, logging onto desktop computers or accessing networks remotely with mobile devices, Datacard Group and Entrust provide security and convenience for authorized users, and strong lines of defense against unauthorized access.
These high-assurance credential solutions, strong authentication platforms, encryption technologies, mobile security, managed PKI services and SSL certificates meet the needs of organizations with advanced requirements and complex ecosystems, including IoT. Our wide range of credential issuance solutions also meets the needs of enterprises looking to protect smaller populations and control access to a limited number of facilities.

Standardizing PKI

From its early days (as a division of Northern Telecom) to the present, Entrust has played a strong leadership role in the standardization, implementation and deployment of PKI. In 1992, Entrust supplied one of the world’s first PKI implementations to the Canadian Department of National Defence. The system, Packet Data Security Overlay (PDSO), provided end-to-end security for X.25 data communication systems.

Development of the base PKI standard, commonly referred to as X.509, began in 1985 and was completed in 1988. Entrust was one of the primary technical contributors to that first edition and also played a leadership role as ITU-T and ISO/IEC editor for the project. Since that first edition, Entrust has continued to participate in the development of new architectures and features to the present time and has, at various times, chaired the X.509 committee and provided project editorship.

In addition to these primary PKI standards activities, Entrust has also participated in, and in some cases played leadership roles in, numerous industry forums, regional standards initiatives and application-specific initiatives. Some of these include the CA/Browser Forum, Electronic Messaging Association, ICAO, ETSI, American Bar Association and others.

Secure mobile, leverage mobile

Entrust both secures and leverages mobile devices. Device certificates ensure that authorized devices securely connect to a network. Entrust Mobile Smart Credentials enable strong authentication and transaction signing.
The isolation of mobile operating system applications provides greater security than desktop environments. Future devices will even enable credentials to be stored in secure elements. Entrust’s mobile SDK provides authentication and credential functionality that can work within a custom mobile application. Many of the advances in mobile security technologies, such as Trusted Execution Environments and secure elements, are models that should be leveraged by IoT technologies. Easy-to-use mobile user interfaces, along with high levels of security functionality, are a combination rarely seen in security. If security requires the input and/or decision-making of a human, security is likely to fail. Mobile is an opportunity for success.

Identity management

Entrust’s flagship authentication solution, Entrust IdentityGuard, is one of the most robust authentication and identity-assurance platforms in the market. It delivers an unmatched breadth of capabilities and flexibility to meet the most demanding security environments.

Identity management is a challenge for most organizations. Authentication vendors often do not have an identity management platform to match customer needs. Existing point authentication solutions are no longer up to the task of thwarting advances that exploit vulnerabilities in a variety of channels or mediums. Whether the root threats originate from internal or external sources, critical information, data and identities are at constant risk.

Software authentication platform:
- Mobile Soft Token
- Transaction Verification
- Mobile Device Certificates
- Mobile Smart Credential
- SMS
- Device Authentication
- Digital Certificates
- IP-Geolocation
- Password
- Mutual Authentication
- Grid / eGrid
- Smartcards and USB
- OTP Tokens
- Knowledge Based
- Transaction Signing
- Biometrics

Trusted advisor for critical architectures

As a trusted PKI advisor, Entrust has served a key role assisting with the design of PKI architectures for specific projects. One of these, the U.S. Federal PKI (FPKI) working group, included design, development and deployment of the first “bridge CA.” This concept enabled different agencies to operate their own PKI infrastructures in a relatively autonomous environment, supporting common policies and enabling secure communications among a variety of agencies. Another example is the design of Extended Access Control (EAC) for the European Union ePassport application. This included the design of a Single Point of Contact (SPOC) supporting certificate management between EU member states and delegation of authorization and access control permissions from a passport issuer to foreign border control. EAC, and its associated PKI architecture, are becoming more widely adopted for other applications as well, including ISO/IEC standards for driver’s licenses and national ID cards (e.g., Germany).

Entrust and you

“More than ever, Entrust understands your organization’s security pain points.”

Entrust offers software authentication platforms that strengthen security in a wide range of identity and transaction ecosystems. Government agencies, financial institutions and other enterprises rely on Entrust solutions to strengthen trust and reduce complexity for consumers, citizens and employees. Now, as part of Datacard Group, Entrust offers an expanded portfolio of solutions across more than 150 countries. Together, Datacard Group and Entrust issue more than 10 million secure identities every day, manage billions of secure transactions annually and issue a majority of the world’s financial cards. For more information about Entrust solutions, call +1 888-690-2424, email [email protected] or visit www.entrust.com.
Company Facts
Website: entrust.com
Employees: 359
Customers: 5,000
Offices: 10 globally

Headquarters
Three Lincoln Centre
5430 LBJ Freeway, Suite 1250
Dallas, TX 75240 USA

Sales
North America: +1-888-690-2424
EMEA: +44 (0) 118 953 3000
Email: [email protected]

Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. Entrust is a registered trademark of Entrust Limited in Canada. All other company and product names are trademarks or registered trademarks of their respective owners. The material provided in this document is for information purposes only. It is not intended to be advice. You should not act or abstain from acting based upon such information without first consulting a professional. ENTRUST DOES NOT WARRANT THE QUALITY, ACCURACY OR COMPLETENESS OF THE INFORMATION CONTAINED IN THIS ARTICLE. SUCH INFORMATION IS PROVIDED “AS IS” WITHOUT ANY REPRESENTATIONS AND/OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, BY USAGE OF TRADE, OR OTHERWISE, AND ENTRUST SPECIFICALLY DISCLAIMS ANY AND ALL REPRESENTATIONS, AND/OR WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, NON-INFRINGEMENT, OR FITNESS FOR A SPECIFIC PURPOSE.

30091-1-0914