Credentialing Devices, Users at Scale and When They Connect: This Is Not Your Grandfather’s PKI

Device identity is about establishing exactly what is connecting to the network. The credential a device is given when it is made is often called its birth certificate (IEEE 802.1AR calls it the initial device identity, or IDevID). Being able to verify that identity strengthens an organization’s overall security, because every later control, from authentication to patching, depends on knowing which device is talking.

Device identity in the manufacturing space

Device birth certificates are a pressing concern for many manufacturing organizations. They need to credential devices, identify and authenticate them when they connect, and update them securely over their lifetime.

The implementation itself is not the hard part. Doing it right, however, requires a modern PKI.

That’s where organizations run into trouble. Getting credentials onto devices at scale across a supply chain is difficult. Consider a manufacturer that buys chips from a silicon vendor: the chips can arrive with a credential already inside them, but the device manufacturer did not make the chip and did not issue that credential, so the CA behind it is not under its control.

New software also flows into those devices after they ship, and some of it will inevitably turn out to have a vulnerability. Organizations need a way to track which software is on which device and to deliver a patch to it, which in turn depends on being able to authenticate the device they are updating.

Imperfect solutions

Manufacturing organizations are coming up with solutions to these problems. For instance, chip vendors now build PKI credentialing into their production lines, burning a key and a certificate into the chip before it ships. The device that contains that chip therefore carries a credential issued by a third party’s CA. Organizations still need to be able to manage that credential, and to revoke it when a device is lost, compromised or decommissioned.

Two different types of devices

That’s not always possible, partly because of the different kinds of devices that connect to the network. First, there are products where a device with a PKI credential activates once and then rarely, if ever, connects back to the network. Those devices usually have to be updated on site by service staff, so organizations must manage that process and make sure that only authorized people can handle the device’s credentials.

Then there are more sophisticated devices that connect to the network frequently and whose credentials are dynamic: issued, renewed and rotated over the network rather than fixed for the life of the device.

Some solutions can help manage both kinds of device and make sure PKI, authentication and encryption are handled securely. Burning a credential onto the chip, as vendors are now doing, is only a start: on its own it offers weak authentication and makes poor use of PKI. The burned-in credential proves that the chip came from that vendor, not which organization owns the device, and it is static, long-lived and issued by a CA the device’s owner cannot revoke from. It is better treated as a bootstrap identity that the device uses to enroll for an operational credential under the owner’s own CA. Nor is there a single agreed way to do this; vendors’ provisioning and enrollment flows differ.
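The bootstrap pattern this implies, as an added example in Go using only the standard library (it is not code from the original post or from any vendor it refers to): the silicon vendor signs a long-lived birth certificate over a key generated at the factory, and the device later trades that certificate for a short-lived operational certificate under the operator’s own CA, which the operator can revoke. It goes a little beyond the text by showing the two checks the vendor certificate alone cannot provide: an ownership check against the operator’s purchase record and proof of possession of the burned-in key. Assumptions: the device serial is carried in the certificate’s subject serialNumber attribute, the purchase record is an in-memory map, a map stands in for CRL or OCSP revocation, the operational certificate reuses the burned-in key, both CAs are generated in-process, and all serials, names and the nonce are constructed data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var clientAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}

func check(err error) { if err != nil { panic(err) } }

// NewKey generates a P-256 key; in a real device this happens inside the chip at the factory.
func NewKey() *ecdsa.PrivateKey { k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); check(err); return k }

// issue signs tmpl for pub from parent with a random serial; parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey, lifetime time.Duration) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	check(err)
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = serial, time.Now().Add(-time.Minute), time.Now().Add(lifetime)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// CA is a self-signed root plus its signing key. The chip vendor runs one (it signs the burned-in birth
// certificates); the fleet operator runs another (the operational certificates it controls and can revoke).
type CA struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

func NewCA(name string) *CA {
	key := NewKey()
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return &CA{Cert: issue(tmpl, tmpl, &key.PublicKey, key, 20*365*24*time.Hour), Key: key}
}

// Issue signs a client-auth certificate for pub. The device serial rides in the subject serialNumber
// attribute (an assumption about how the vendor encodes it).
func (c *CA) Issue(deviceSerial string, pub *ecdsa.PublicKey, lifetime time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "device " + deviceSerial, SerialNumber: deviceSerial}, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: clientAuth}
	return issue(tmpl, c.Cert, pub, c.Key, lifetime)
}

// Prove signs an operator-chosen nonce with the device's burned-in key: proof of possession at enrollment.
func Prove(key *ecdsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	check(err)
	return sig
}

// Operator is the OEM or fleet owner. It trusts a vendor root only as proof of origin; ownership comes from
// its own purchase record (Owned, constructed data here), and devices authenticate with a credential the
// operator issued and can revoke (revoked stands in for a CRL or OCSP responder).
type Operator struct {
	CA             *CA
	vendorRoots    *x509.CertPool
	Owned, revoked map[string]bool
}

func NewOperator(vendor *CA) *Operator {
	roots := x509.NewCertPool()
	roots.AddCert(vendor.Cert)
	return &Operator{CA: NewCA("Operator Fleet CA"), vendorRoots: roots, Owned: map[string]bool{}, revoked: map[string]bool{}}
}

// Enroll exchanges a verified birth certificate (IDevID) for a short-lived operational certificate (LDevID).
func (o *Operator) Enroll(idevid *x509.Certificate, nonce, sig []byte) (*x509.Certificate, error) {
	if _, err := idevid.Verify(x509.VerifyOptions{Roots: o.vendorRoots, KeyUsages: clientAuth}); err != nil {
		return nil, fmt.Errorf("birth certificate does not chain to a trusted vendor: %w", err)
	}
	serial := idevid.Subject.SerialNumber
	if !o.Owned[serial] {
		return nil, errors.New("vendor vouches for chip " + serial + ", but it is not on our purchase record")
	}
	pub, ok := idevid.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return nil, errors.New("proof of possession of the birth key failed")
	}
	return o.CA.Issue(serial, pub, 24*time.Hour), nil // same key, now certified by a CA the operator controls
}

// Authenticate accepts only unrevoked certificates issued by the operator's own CA, never the vendor's.
func (o *Operator) Authenticate(cert *x509.Certificate) error {
	own := x509.NewCertPool()
	own.AddCert(o.CA.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: own, KeyUsages: clientAuth}); err != nil {
		return err
	}
	if o.revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	return nil
}

func (o *Operator) Revoke(cert *x509.Certificate) { o.revoked[cert.SerialNumber.String()] = true }

// Scenario runs the lifecycle on constructed data (one trusted vendor, one purchased serial) and reports
// which checks held.
func Scenario() map[string]bool {
	vendorA, vendorB := NewCA("Vendor A Root"), NewCA("Vendor B Root")
	op := NewOperator(vendorA) // only vendor A is trusted
	op.Owned["SN-1001"] = true // constructed purchase record
	nonce := []byte("constructed-nonce")
	enroll := func(v *CA, sn string) (*x509.Certificate, error) { // factory step, then an enrollment attempt
		key := NewKey()
		return op.Enroll(v.Issue(sn, &key.PublicKey, 20*365*24*time.Hour), nonce, Prove(key, nonce))
	}
	out := map[string]bool{}
	ldevid, err := enroll(vendorA, "SN-1001") // purchased from the trusted vendor
	out["enrolled"] = err == nil && op.Authenticate(ldevid) == nil
	_, err = enroll(vendorB, "SN-1001") // right serial, untrusted vendor
	out["foreign_vendor_rejected"] = err != nil
	_, err = enroll(vendorA, "SN-1002") // trusted vendor, never purchased
	out["unowned_rejected"] = err != nil
	if ldevid != nil {
		op.Revoke(ldevid)
		out["revoked_rejected"] = op.Authenticate(ldevid) != nil
	}
	return out
}

func main() { fmt.Println(Scenario()) }
```

The point to take from Enroll is that the vendor root proves only origin: chain validation alone would admit any chip that vendor ever sold, so ownership is checked against the operator’s own record and possession of the burned-in key against a fresh nonce. The vendor-issued certificate is never accepted at the operator’s gate, because it was issued by a CA the operator cannot revoke from; only the operator-issued certificate is, and revoking it takes effect immediately in Authenticate. In production the same roles are filled by the vendor’s PKI, an enrollment service speaking a standards-based protocol such as EST, SCEP or CMP, and a CRL or OCSP responder.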

PKI for enterprise users

Users are a different matter. The biggest difference is that, unlike devices, they do not fall into a few predictable types; there is a great deal of variation among users.

That dynamism brings its own challenges. Today, enterprises use PKI to enforce policy for devices, remote work and many other things driving their digital transformation, and some systems help automate and scale that. But the user base and the network are changing. It’s no longer just an on-premises server farm with Active Directory; the environment is cloud-enabled, and the boundary has moved.

With the perimeter changed, the same authentication tools have to be applied to cloud authentication, where the boundary is less clearly defined. That lets organizations keep automating authentication at huge scale while reaching beyond the enterprise boundary to include customers, partners and vendors transparently.

How PKI serves as a solution for both devices and users

PKI works as a flexible solution for both devices and users. Things have evolved since the first enrollment protocols specified how a certificate request and key exchange take place. The new task is to make those protocols work for customers. Alongside the enrollment protocol itself, organizations need a “meta-protocol” that specifies how enrollment is allowed: who may enroll, for which identities, and subject to which checks. Combining the protocol and the meta-protocol makes the protocol useful for device authentication, integrity and more; what remains is making sure the process scales.

The answer is to modernize PKI with leading solutions that run in the cloud and combine it with standards-based protocols and workflows, so customers can scale the way they want. Specifically, that means moving to a consumption-based model in which organizations pay for PKI according to what they actually use. Under this model the PKI runs in the cloud with the speed of a containerized deployment, can be ported to each of an organization’s environments, is managed consistently across them with standards-based protocols, and is administered centrally.

Everyone is facing this challenge right now. Vendors with a history of running large-scale PKI for the enterprise, the web and IoT have the advantage; think of your well-known public CA vendor. They are best placed to make this happen in the not-too-distant future, and implementations are already deployed.

Posted in Guest Author, Identity, PKI