Verizon Enterprise Solutions, part of Verizon Communication Inc., today announced the availability of a cloud-based...
platform that enables the management of digital certificates for a wide range of Internet-connected devices, commonly referred to as the "Internet of Things."
With billions of previously unconnected devices -- including cardiac implant monitors, household and industrial appliances, mechanical sensors, and many others -- set to come online in the next decade, organizations of all types are increasingly in need of basic security measures, such as digital certificates, that have been standard on PCs and laptops for years.
The Managed Certificate Services platform, as Verizon refers to it, offers organizations with nontraditional Internet-connected devices, such as smart meters connected to utility grids, the ability to offload much of the digital certificate management process to the Verizon cloud.
Digital certificates are likely to play a critical role in securing nontraditional Internet-connected devices. Unlike with last decade's PCs and today's bring your own devices (BYODs), regulatory bodies governing various segments of the Internet of Things have proactively addressed information security. In the U.S., several regulatory bodies, including National Institute of Standards and Technology (NIST) and the Food and Drug Administration (FDA), have published mandatory security controls for certain device types, and those controls rely on digital certificates for security assurance.
Though customers will be responsible for selecting digital certificates, the Verizon service will handle the authentication process to ensure that devices without proper certificate credentials can't connect to sensitive networks. Verizon declined to comment on pricing, but the company said a "pay as you go" model will be employed so that organizations only pay for active certificates.
Johan Sys, managing principal of Identity and Access Management for Verizon Enterprise Solutions, noted that certificates can be provisioned either over the air or, in the case of a set-top television box, for example, during the manufacturing process. Interestingly, if a digital certificate needs to be revoked, Sys said those subscribing to Verizon's service would not have to go through the usual certificate revocation process. Instead, an organization would use Verizon's management system to mark a certificate as either inactive or lost.
Sys said the impetus for this new offering was the demand from current Verizon customers, most of which he said were not previously assigning certificates to Internet-connected devices. He indicated that customers' interest was largely the result of burgeoning Internet of Things security regulations from government agencies, such as NIST, and various industry consortiums.
Weighing in on the growing security issues presented by the Internet of Things, the FDA earlier this year released "Radio Frequency Wireless Technology in Medical Devices: Guidance for Industry and Food and Drug Administration Staff," which documents the many security concerns the agency has around medical devices that contained no connectivity options until recently. The fears regarding Internet-connected medical devices were only heightened when former U.S. Vice President Dick Cheney said he asked his doctor to disable the connectivity of his heart defibrillator due to concerns that hackers could access it.
Though various regulations will have specific requirements for securing Internet-connected devices, Sys emphasized that digital certificates tend to be considered the first line of defense across the board.
"It's still a very fragmented security landscape, but all of those initiatives have one thing in common," Sys said. "They rely on digital certificates as the core security layer for devices."
Digital certificates provide a number of benefits and are generally "well suited" when it comes to securing nontraditional devices, according to Sys. For one, organizations want to make sure devices aren't spoofed and that the data received from devices is legitimate. In particular, organizations must ensure that the integrity of sensitive data sent to and from such devices is kept intact. For example, he noted that Verizon had often used digital certificates in the past to remotely update firmware on devices.
Still, Sys repeatedly made clear that neither digital certificates nor Verizon's new offering should be viewed as standalone security options. In fact, Verizon will only be including its managed certificate services platform as part of other security management service offerings. Still, digital certificates are a central part of the ecosystem that will emerge to secure what networking giant Cisco estimates will be 50 billion Internet-connected devices by 2020.
"So [there are] a lot of challenges that need to be overcome to provide security just to a fraction of these connected devices," Sys said. "This is exactly what the platform is geared toward."