There’s only one sure way to build security into your IoT ecosystem
The Internet of Things (IoT) isn’t just about connecting things together. It’s about harnessing the power of multiple interconnected devices to provide new services. And as a service owner in pursuit of a solid reputation that will build your business, you need to be sure that the devices on your network won’t let you – or your users – down. That means you vet third-party edge nodes, gateways, and cloud data providers to make sure they meet your standards, and you protect your network from unauthorized devices that can impact users’ security or satisfaction.
In short, by creating a new service, you’re creating an ecosystem that must be managed.
Unfortunately, managing the IoT isn’t as straightforward as managing the Internet that consumers have typically accessed using personal computers. Certificate chains for secure sites on the Internet are handled by web browsers. This is manageable because there are only a few browsers, so concentrating efforts there achieves full certificate coverage easily.
But with the IoT, each network and each device is different. There is no common denominator like a browser that can provision each device with the certificates needed for proving authenticity, and the certificates needed by different devices can vary wildly.
Much of the conversation about how to secure the IoT has revolved around a familiar software approach, but software is easy for bad actors to copy, revise, and upload. And within a thriving IoT ecosystem that could have dozens or even hundreds of different suppliers, each having multiple products with different upgrade schedules, versions, and compatibilities, even valid version changes and updates rapidly become unmanageable.
The only effective and scalable way to manage an IoT ecosystem is through hardware, by incorporating into each node a chip that certifies that the node is legitimate. Atmel’s ATECC508A, for example, is designed for resource-constrained IoT edge nodes that need certificate chains that enable them to attach to a network. The ECC508A serves as a cryptographic co-processor that offloads the heavy lifting of elliptic curve math from the main processor, allowing the use of smaller, lower-cost microcontrollers while still maintaining high security.
This approach offers the advantage of letting you manage and control your ecosystem’s supply chain over time, even as it grows and adapts. As the service owner, you can establish the hardware requirements that let third parties connect to your network while maintaining ecosystem authenticity. And by leveraging security hardware so that only certified hardware joins your network, you are effectively making the integrity of your ecosystem part of your security strategy. Not only does this build customer confidence in your service by ensuring high-quality, reliable service, but it also means that counterfeit hardware, which may have inadvertent or intentional security holes, cannot be used to compromise the security of your overall network. It’s an approach that has certainly been proven effective, as evidenced by Apple’s successful “Made for iPhone” ecosystem.
Including hardware ecosystem management as a part of your security strategy means that you can maintain control over your supply chain in a simple, scalable fashion so that you can guarantee that your customers have the most consistent and secure product experience possible.