Adding Identity to the Internet of Things to improve Security and Traceability

By Orestis Mavropoulos, AUSTRIACARD. 

The promise of the Internet of Things (IoT) was always to create "smart" objects that capture data from the physical world so that insights can be drawn from it. These "smart" objects are computers that gain additional functionality when connected to the Internet. Our mobile phone is a computer that makes phone calls. Our car is a computer with wheels and an engine. The connectivity of such devices, while beneficial, exposes them to attack by threat actors.

IoT is a term that has attracted considerable attention as well as confusion. IoT, in the eyes of the general public, is full of questions. What is IoT? What are the benefits of adopting IoT? What happens to the Internet? What is a Thing?

Not the first reference to IoT, but arguably the most accurate, was made by Weiser in 1991 in his paper on the computer of the 21st century. He states: "The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it." With IoT, information technology becomes part of our environment the same way the written word is part of our daily lives. Technology will be so pervasive that we will perceive it as a natural part of life. Viewed in that light, IoT is a vision in our quest to enhance our environment. We want more from our environment, and IoT is a way to achieve it.

The vision of making our environment smarter, more in tune with our day-to-day lives, gives rise to a plethora of questions. Some of those questions are technical in nature. For example, how can we connect such a vast number of devices? How can we make IoT devices consume fewer resources? Other questions about IoT are quite philosophical. Who owns the data that IoT devices generate? Who can profit from that data? If a self-driving vehicle causes an accident, who is to blame: the owner of the vehicle or the manufacturer? What happens if the accident is fatal?

One of the most significant concerns about IoT is that it is not secure. The arrival of IoT in everyday devices was the moment when people started to distrust and fear technology. It is scary for a parent to hear a strange voice talking to their children through a connected toy. It is scary to think that someone might be stalking you through your own security cameras. It is scary to think that a glucose sensor which someone depends on can be compromised and used to cause harm.

Philosophical questions cannot be answered in the same straightforward manner as technical ones. But they are the questions that need to be addressed to dispel the fear and uncertainty surrounding IoT. The main challenge here is one of trust. An important question in IoT is how to provide identity-based connectivity to devices without relying on users or other stakeholders to vouch for them. Devices need the ability to uniquely identify themselves to other devices and services. Device authentication enables the application of end-to-end security mechanisms to protect an IoT solution. Furthermore, it facilitates traceability and auditability across the various states of an IoT system: the unique identifier can be used to reconstruct the chain of causality during security analysis, because every message and action can be tied to the device that produced it.

In the IoT, the role of identity management is expanding. It is no longer just about identifying people and managing their access to different types of data (i.e. sensitive data, non-sensitive data, device data, etc.). Identity and Access Management (IAM) systems must be able to identify devices, sensors and monitors, and manage their access to sensitive and non-sensitive data. A Public Key Infrastructure (PKI), most commonly thought of as a way of authenticating websites and encrypting data for commerce using SSL/TLS certificates, provides a scalable and flexible solution for authenticating devices in IoT: each device holds a private key and a certificate binding its identity to the corresponding public key, and a service verifies that certificate against a trusted root.

NAUTILUS employs a certificate-based identification and access management service, named NAUTILUS IAM, for IoT devices of different form factors; the service is infrastructure agnostic. Stakeholders are able to deploy NAUTILUS IAM on their own premises or use NAUTILUS IAM as a service. The unique identity of each device is provided by a leaf certificate generated when the device is provisioned, signed by the intermediate certificate of the stakeholder responsible for it. Certificates and their private keys are stored in secure elements, which act as the hardware root of trust for verified boot and for end-to-end authentication. Based on the unique identity of devices, NAUTILUS offers a platform for developing IoT solutions for individual cases.
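The certificate hierarchy described in the two paragraphs above (a platform root, a stakeholder intermediate issuing per-device leaf certificates at provisioning time, and a service that verifies a presented leaf against the root before trusting the device identity) as an added example in Go using only the standard library. This is not NAUTILUS code; the CA names, the device ID and the "rogue" CA that stands in for an attacker's issuer are constructed for the demonstration, and the leaf private key is held in memory here where a real device would keep it inside its secure element.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issued pairs a certificate with its private key. On a real device the leaf
// key would be generated in and never leave the secure element; here it is in memory.
type Issued struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue creates a fresh P-256 key and signs tmpl with parent; a nil parent
// produces a self-signed certificate (used for the roots in this demo).
func issue(tmpl *x509.Certificate, parent *Issued) *Issued {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &Issued{Cert: cert, Key: key}
}

// caTemplate describes a CA certificate (platform root or stakeholder intermediate).
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// deviceTemplate describes a leaf identity: the device ID is the CommonName, IsCA
// stays false so a device cannot mint certificates, and the ClientAuth EKU limits
// the certificate to authenticating the device as a TLS client.
func deviceTemplate(deviceID string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: deviceID},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(30 * 24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// BuildHierarchy returns the platform root, a stakeholder intermediate signed by it,
// and an unrelated self-signed CA standing in for an attacker's issuer (constructed names).
func BuildHierarchy() (root, stakeholder, rogue *Issued) {
	root = issue(caTemplate("Platform Root CA", 1), nil)
	stakeholder = issue(caTemplate("Stakeholder Intermediate CA", 2), root)
	rogue = issue(caTemplate("Rogue CA", 3), nil)
	return
}

// VerifyDevice is what a service does when a device presents its certificate:
// chain it to the pinned root through the supplied intermediate, require the
// ClientAuth purpose, and only then trust the device ID carried in the CN.
func VerifyDevice(leaf, intermediate, root *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

func main() {
	root, stakeholder, rogue := BuildHierarchy()
	good := issue(deviceTemplate("sensor-0042", 1001), stakeholder)
	id, err := VerifyDevice(good.Cert, stakeholder.Cert, root.Cert)
	fmt.Printf("provisioned device: id=%q err=%v\n", id, err)
	// Same device ID, but the leaf was issued by a CA the platform root never signed.
	fake := issue(deviceTemplate("sensor-0042", 1002), rogue)
	id, err = VerifyDevice(fake.Cert, rogue.Cert, root.Cert)
	fmt.Printf("impersonating device: id=%q err=%v\n", id, err)
}
```

The point of the second call is that identity comes from the chain, not from the name: a certificate carrying the same device ID is rejected because its issuer does not chain to the root the service pins. A production deployment would add what this example omits, in particular revocation (CRL or OCSP) and a check that the device actually holds the leaf private key, which the TLS handshake provides.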

The NAUTILUS platform is about solving precise problems and providing clear business outcomes. The aim of the platform is to facilitate the identification of revenue streams from collected information while securing that information in multiple layers. In the IoT, information starts in the physical world. It is captured by edge devices, then communicated, processed and stored in the cloud. Finally, it is sent back to the edge. The platform can be deployed at every stage of the information life cycle, and at each stage it offers additional security layers to protect the integrity of the devices and of the information. The security mechanisms are adapted to each layer to impose the least overhead without compromising security. The platform's focus on security is intended to alleviate the fears surrounding IoT.
