Think back to the height of the Cold War. As the US and the Soviet Union amassed huge stockpiles of weapons, the real battle was waged with information. Who was spying on whom, and what exactly were they communicating? Were messages being intercepted by the enemy, and even if they were, was it all just misinformation to throw off the other side?
Flash forward to today, and we see a battle of information and identity between organizations and attackers trying to steal personal information that they can turn around and sell. Nowhere is the risk greater than with the exploding Internet of Things (IoT) market. The threat vector is expanding.
Today, as with Cold War communications, you can scramble the message, but you also have to authenticate who's doing the communicating.
The Vital Need for Authentication
Encrypting all data is vitally important, but we have to make sure that the encrypted data ends up in the right hands. Hence, the importance of high-assurance identity binding to accompany security credentials online.
Public key infrastructure (PKI) allows us to achieve both strong encryption and binding authentication using digital certificates. In the case of digital certificates, authentication comes in various forms, with each level enforcing stricter processes for a certificate applicant to prove her credentials prior to obtaining the certificate. Obtaining a viable identity confirmation, vetted by a trained professional, is essential for protecting online connections of value.
Why is thorough authentication so important? As the IoT connects critical infrastructure, wearable devices, smart home automation systems, networked medical devices and many other objects not traditionally serving data over the web, our information being shared gains greater value. Both our personal safety and the safety of the general public can be compromised if we’re not authenticating who is communicating with whom, or who is authorized to access a device.
For example, imagine a mining company that sends robotic devices underground to set off controlled blasts. The company may have thousands of Internet-connected robotic devices at mines across the globe. At the same time, there may be hundreds of employees on many different laptops or mobile devices controlling all those underground robots. What if the wrong person gains the ability to set off a blast in the wrong mine? The results could be catastrophic.
Living in the IoT Age
Defending against damaging, less visible blasts occurring in home networks or across streaming media devices requires a thorough defense. Strong authentication assures that only the right devices will be controlled by the right people, or in the case of web-based communication it provides a cryptographic way to identify your organization to users online. In the traditional web use case, it helps users avoid phishing websites that seek to imitate your established brand and gain trust via spoofed certificates. Attackers will always seek the option where they are least likely to be exposed.
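To make the identity-binding idea concrete, here is an added example (not code from the original post or its author) that models the mining scenario above in Go's standard crypto/x509 package. A constructed, in-memory certificate authority stands in for the trusted agent; it issues a certificate to a robot, and the controller trusts only that CA. The example then verifies three cases: the genuine robot certificate under its own name, the same certificate presented under a different robot's name, and a self-signed impostor certificate that copies the genuine name. All names, serial numbers and the CA itself are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome holds the result of each verification; nil means the identity was accepted.
type Outcome struct {
	Genuine   error // genuine robot certificate, checked under its own name
	WrongName error // genuine certificate, checked under another robot's name
	Impostor  error // self-signed certificate copying the genuine name
}

// issue generates a fresh P-256 key pair and signs template with parent's key.
// When parent is nil the certificate is self-signed (used for the root CA and
// for the impostor, which has no trusted issuer).
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a CA certificate allowed to sign device certificates.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate describes a device certificate bound to one DNS name.
func leafTemplate(serial int64, dnsName string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
}

// verifyIdentity is what a controller does before trusting a peer: the
// certificate must chain to a trusted root AND carry the expected name.
func verifyIdentity(leaf *x509.Certificate, roots *x509.CertPool, expectedName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// Scenario builds the constructed CA, a genuine robot certificate and an
// impostor certificate, then runs the three verification cases.
func Scenario() (Outcome, error) {
	const robotName = "robot-17.mine-a.example" // constructed device name
	ca, caKey, err := issue(caTemplate("Mining Co Device CA (constructed)"), nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	robot, _, err := issue(leafTemplate(2, robotName), ca, caKey)
	if err != nil {
		return Outcome{}, err
	}
	// The impostor copies the name but nobody the controller trusts vouched for it.
	impostor, _, err := issue(leafTemplate(3, robotName), nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the controller trusts exactly one issuing authority
	return Outcome{
		Genuine:   verifyIdentity(robot, roots, robotName),
		WrongName: verifyIdentity(robot, roots, "robot-99.mine-b.example"),
		Impostor:  verifyIdentity(impostor, roots, robotName),
	}, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine robot   :", out.Genuine)
	fmt.Println("wrong robot name:", out.WrongName)
	fmt.Println("impostor cert   :", out.Impostor)
}
```

Only the first case is accepted. The second fails the name check even though the certificate is genuine, which is the control that stops an operator's session to one robot from being replayed against another; the third fails because no trusted issuer signed it, which is the same check that lets a browser reject a look-alike site whose certificate was not issued by a trusted CA. Encryption alone would protect the traffic in all three cases; only the identity binding tells them apart.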
The IoT age is upon us, and the number of connected objects is expected to multiply five or ten times in the next five years. If we don’t work together to insist that strong security be built into the design processes and not bolted on, then we’ll pay the price later. Now is the time to build strong authentication and encryption into the IoT, and to do so in a way that assures credentials can be verified and only issued to those whose identity is confirmed by a trusted agent.
Though the Cold War that many of us grew up with ended 25 years ago, no end to the conflict between attackers and security pros appears to be in sight. But if we're smarter about authentication, we'll have a lot fewer battles to wage.