DigiCert unveiled DigiCert Auto-Provisioning – powered by Device Authority – over the weekend at the DigiCert Security Summit. With Auto-Provisioning, connected device manufacturers and owners can provision digital certificates at scale, whether their devices use open standards such as SCEP or EST, or only support proprietary device enrollment protocols.
“Device authentication and encryption are critical to securing connected devices and the information they share, but many software implementations lack standard protocols for provisioning devices,” said DigiCert CTO Dan Timpson. “DigiCert Auto-Provisioning, powered by Device Authority, helps companies get certificates on a much wider range of IoT devices in a scalable, secure and automated way.”
As the number of connected devices rises toward an estimated 50 billion by 2020, security continues to lag behind. A study published by HP Fortify estimated that three-quarters of connected devices failed to encrypt communications to the Internet and local network. Last year, researchers found that Nissan Leaf smartphone app APIs were not authenticating users on the server. Similarly, in 2015, researchers highlighted a flaw in Samsung’s smart fridge that attackers could use to carry out a man-in-the-middle attack and access a homeowner’s credentials.
In healthcare, the FDA has recently issued “Postmarket Management of Cyber Security in Medical Devices,” even as security vulnerabilities have been discovered in popular pacemakers, defibrillators and diabetes insulin pumps. The report calls for “deploying mitigations that address cyber risk early.” Public key infrastructure (PKI) can be used for secure boot, patch management, machine-to-machine mutual authentication, user authentication, and data integrity to help prevent unauthorized intrusions and data manipulation.
IoT devices often lack the compute power required for strong encryption and do not have the ability to securely generate and store keys required for strong device security. Similarly, when credentials need to be revoked or rotated because of device authorization changes, the process is typically manual, time-consuming and vulnerable to human error. DigiCert Auto-Provisioning combines scalable certificate issuance with automated provisioning to simplify large-volume device enrollment and credentialing. It also provides secure key generation and storage to prevent the use of stolen credentials and unauthorized devices.
DigiCert Auto-Provisioning expands the range and type of IoT devices that can be secured, enabling certificate deployment and management at scale through:
- secure certificate generation & delivery
- automated certificate renewal
- automated certificate revocation
- encrypted certificate store
Concluded Timpson, “Companies now have the ability to assert owner-controlled PKI on a much wider spectrum of connected devices to strengthen security controls. Using this solution, companies can take a major step forward in securing their IoT investments, becoming less dependent on manufacturer security.”