“Legislative bodies are switching on to the need for improved digital identity policies, but action remains tentative”
Digital identities, in the age of hyper-distributed IT, are increasingly gaining importance, writes Alan Grau, VP of IoT/Embedded Solutions, Sectigo. Secure authentication of devices, communications and data is now imperative, with everyone working from home and becoming increasingly reliant on connected devices, often with only basic levels of encryption.
In the UK, public concern keeps growing around the repeated delays to the proposal of legislation designed to address the urgent issue of digital identity. Leading UK technology trade body Tech UK wrote to the UK Government in late July, calling for decisive measures to address what they found to be inadequate levels of action.
In the same month, the European Commission announced plans to revise the Electronic Identification, Authentication and Trust Services (eIDAS) regulation, setting out a series of consultations on how digital identity practices can be improved.
Legislative bodies are switching on to the need for improved digital identity policies, but action remains tentative. This comes at a crucial moment, as IoT devices are in particular need of decisive legislative steps to protect digital identities.
IoT and the need for secure digital identities
Internet of Things devices are increasingly fundamental to almost every industry. Aviation? GPS tracking models increasingly run across a connected network. Healthcare? IoT devices, whether they be insulin pumps or defibrillators, are on the frontlines of patient monitoring and emergency response. These sectors, where IoT devices are mission-critical, cannot afford to be breached. If device digital identity is not secured in the healthcare or aviation industry, lives are at risk.
Even simply looking at the sheer volume of IoT devices in use today, both in enterprise networks and consumer households, it is clear that securely authenticated digital identities are an urgent priority. IoT growth remains on an unstoppable course, with analyst house IDC predicting that by 2025, there will be 41.6 billion connected IoT devices in use. At such numbers, IoT authentication becomes an elemental piece of the puzzle if we want to avoid an ever-expanding host of poorly secured devices which leave the entire network vulnerable to breaches, outages and data loss.
Connected devices create a sensor-rich network which means improved functionality and potential revenue growth for organisations, but they also come with significant business and compliance risks. These begin to outweigh the strategic benefits unless businesses and governments prioritise securing digital identities.
It is readily apparent that the current model of implementing secure digital identities for IoT devices is insufficient, but it is one thing to highlight an inadequate system and another to be able to change the model.
Now is the time to reevaluate IoT supply chains
It is paramount that properly authenticated device identity is built into devices at the point of manufacture.
In the absence of a clear legislative agenda to create IoT devices with an authenticated digital identity, manufacturers have been able to churn out devices lacking authentication, with often only static credentials as a barrier for cybercriminals.
Unless security becomes mandated, manufacturers will continue to cut corners at the expense of safety. Modern supply chains are now so convoluted and complex that devices in their millions are being shipped out with insecure chipsets, creating digital identities for devices that lack authentication. Manufacturers need to lean on solutions and technologies that provide identity management at the device level.
Ensuring secure digital identities for IoT devices needs to be a continuous, automated process, but this needs to start at the point of manufacture and continue throughout the device lifecycle.
Best practices for securing digital identities for IoT devices
Enterprise networks that rely on IoT devices need to have a management system that ensures devices are secure and authenticated. With hundreds and possibly thousands of devices now making up enterprise networks, a single device which lacks properly secured digital identity can render the whole network insecure.
A centralised management system can identify every single device across the network, and therefore crucially identify any device lacking authentication or a secure digital identity, ensuring that each device has the relevant firmware to be protected from intrusion attempts and malicious cybercrime.
Identity management solutions can ensure that each device across the network has authenticated certificates to verify the identity of the device, whilst also ensuring that each connected device has in-built PKI solutions to protect the network and device from malicious actors.
IoT devices may have ongoing security concerns, but they are becoming increasingly central to business operations by the day. As such, it is more important than ever that enterprises take proactive steps to secure the digital identities of these mission-critical solutions.