Apple’s announcement should focus minds on the critical importance of future-facing and agile automated device security, says Darron Antill, CEO at Device Authority
The decision by Apple to slash the lifespan of public transport layer security (TLS) certificates from 398 days to just 47 is destined to have a significant impact on digital identity management in IoT networks.
The new policy from Apple’s Root Program, which uses public key infrastructure (PKI) in trusted root certificates to secure the communications and data integrity across the company’s platforms, is likely to be followed by Google. This means the clock is ticking faster than ever on certificate validity, which has profound implications for businesses relying on manual processes to manage their networks of devices.
Shorter lifespans mean Apple TLS certificates will need to be renewed nearly eight times more frequently. While the change is designed to improve security by limiting the impact of compromised or misconfigured certificates, it introduces new operational challenges. The big question now is how to scale certificate lifecycle management in a world where the margin for error is shrinking fast.
Automation required for speed and accuracy
Radically shortened certificate lifespans place extra pressure on the management of IT and IoT environments. Their complexity makes manual certificate management not just inefficient, but untenable. Rotating certificates every 47 days across potentially thousands – or even millions – of IoT devices becomes a logistical nightmare, and a prime opportunity for outages or breaches if missteps occur. A lack of encryption exposes transmitted data to interception and tampering.
Automation is not just beneficial, it is essential. Handling certificates manually puts continuity, accuracy, and compliance at risk, especially as security policies grow more demanding.
PKI management in IoT environments is already complicated by a mix of constrained devices, intermittent connectivity, and the sheer scale of deployments. It is important to recognise that PKI for IoT is not just “PKI at scale.” It requires purpose-built automation that takes into account the lifecycle of IoT devices, from the point at which they are manufactured to their onboarding to operation and decommissioning.
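Automation only works if the renewal policy is explicit enough for a machine to act on. The following Python is an added illustration, not Device Authority's code or Apple's: it takes a constructed inventory of device certificates, classifies each one as expired, inside its renewal window or healthy under an assumed "renew once a third of the lifetime remains" rule, and puts numbers on the operational load that 47-day lifetimes create across a fleet. The renewal fraction, the sample devices and the evaluation time are all assumptions made for the example.

```python
"""Renewal planner for short-lived TLS certificates (added example).

Given an inventory of device certificates, work out which ones must be
renewed now under a fixed-fraction renewal policy, and estimate how many
renewals per day a fleet generates once every certificate lives 47 days.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timezone

LIFETIME_DAYS = 47          # Apple's new maximum for public TLS certificates
LEGACY_LIFETIME_DAYS = 398  # the lifetime it replaces
RENEW_AT_FRACTION = 1 / 3   # assumed policy: renew once a third of the lifetime remains


@dataclass(frozen=True)
class DeviceCert:
    device_id: str
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self):
        return self.not_after - self.not_before

    def renewal_due(self):
        # Start of the renewal window: a fixed fraction of the lifetime before expiry.
        return self.not_after - self.lifetime * RENEW_AT_FRACTION


def classify(cert, now):
    """'expired' past not_after, 'renew_now' inside the renewal window, else 'ok'."""
    if now >= cert.not_after:
        return "expired"
    if now >= cert.renewal_due():
        return "renew_now"
    return "ok"


def plan(inventory, now):
    """Group device ids by status so an automation job can act on each bucket."""
    buckets = {"expired": [], "renew_now": [], "ok": []}
    for cert in inventory:
        buckets[classify(cert, now)].append(cert.device_id)
    return buckets


def renewals_per_year(lifetime_days):
    """How many times a single certificate must be reissued per year."""
    return 365 / lifetime_days


def daily_renewal_load(fleet_size, lifetime_days):
    """Average renewals per day when every device rotates every lifetime_days."""
    return math.ceil(fleet_size / lifetime_days)


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _utc(2025, 6, 1)  # constructed evaluation time

INVENTORY = [  # constructed sample fleet
    DeviceCert("dev-A", _utc(2025, 5, 20), _utc(2025, 7, 6)),  # fresh 47-day cert
    DeviceCert("dev-B", _utc(2025, 4, 20), _utc(2025, 6, 6)),  # 47-day cert, window open
    DeviceCert("dev-C", _utc(2025, 4, 1), _utc(2025, 5, 18)),  # 47-day cert, already expired
    DeviceCert("dev-D", _utc(2024, 6, 1), _utc(2025, 7, 4)),   # legacy 398-day cert
]

if __name__ == "__main__":
    for status, ids in plan(INVENTORY, NOW).items():
        print(f"{status:9s} {ids}")
    ratio = renewals_per_year(LIFETIME_DAYS) / renewals_per_year(LEGACY_LIFETIME_DAYS)
    print(f"renewals per cert per year: {renewals_per_year(LIFETIME_DAYS):.1f} "
          f"({ratio:.1f}x the 398-day rate)")
    print(f"fleet of 1,000,000 devices: ~{daily_renewal_load(1_000_000, LIFETIME_DAYS)} "
          f"renewals per day")
```

The expired bucket is the outage case the article warns about; the renew_now bucket is the work an automated issuer must clear before it becomes one. The daily-load figure is the practical argument for automation: a million devices on 47-day certificates means tens of thousands of renewals every day, every day.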
Research shows certificate management is already a real difficulty
This year’s CyberArk State of Machine Identity Report, which surveyed 1,200 respondents across key global markets, demonstrates how organisations are already finding certificate security a problem. More than half (52%) of the respondents surveyed said they were struggling to manage certificates with the current lifespan of more than a year, and 51% said they had “recently” experienced a critical outage because of expired TLS certificates. Seven-in-ten (72%) said they had experienced at least one certificate-related outage in the previous 12 months.
The report emphasises how malicious cyber-actors know machine identities are potential entry points into IoT networks and thence into enterprise IT systems. Half of the respondents (50%) said API keys and SSL/TLS certificates were major contributors to incidents in the previous year. In 43% of cases this resulted in unauthorised access to data, network and systems.
Too many identities for humans to manage
Machine identities vastly outnumber humans in almost all large organisations, with the expansion of AI constantly increasing the volume that IT teams must manage. Analysts at IDC expect IoT devices to reach 55.7 billion this year. Traditional security is no longer able to cope with the demands of securing such vast numbers of devices. The only practical solution to these considerable challenges is a more holistic approach to IoT security that uses automation to handle certificate rotation and authentication, deploying zero trust at scale.
Every device in these environments requires a unique machine identity, sometimes several per device, complete with authentication credentials and specific access controls, so it can interact securely within the network. This complicates the security framework, as the management of each device must be flawless to prevent unauthorised access and potential breaches.
Machine identities are complex, however. Each comes with its own set of encryption keys and credentials that must be rotated. Every access request must be approved, and each device must then recognise the approved credentials. Errors are inevitable when staff have to handle all these tasks, presenting major opportunities for ransomware gangs, foreign state-affiliated groups, or contractors with grudges.
Enterprises need to implement automation solutions for device identity management
Without continuous authentication and authorisation, organisations are going to leave themselves open to breaches from threat actors fully capable of exploiting expired certificates. These serious vulnerabilities need not persist, however, as identity and access management (IAM) innovators have devised solutions that deploy policy-driven automation, overcoming the difficulties of scaling for IoT.
These solutions generate device certificates securely with zero-touch from IT teams. They automate tested PKI, handling device registration and IAM provisioning. The integration of the power of AI enables enterprises to implement their own policy-driven data encryption and to benefit from continuous, automated monitoring of ecosystems that IoT security now demands.
A more advanced, integrated approach blends IoT IAM with the traditional enterprise IAM, hardware security modules (HSMs) and data security platforms. This is essential for end-to-end security and data exchange. Device-bound crypto-key provisioning ensures security, while lifecycle management policies ensure automatic removal of sensitive data on decommissioning.
AI for detection of threats and anomalies in IoT networks
The deployment of AI as part of an integrated approach ensures detection of anomalies that indicate suspicious behaviour and enables fast response times that reduce or eliminate damage from incidents. Speed of response is vital when criminals have developed their own fast-action exploits and techniques.
It is for this reason AI is necessary for continuous authorisation, but organisations also need access to external threat intelligence alongside policy-driven data encryption. This more integrated approach ensures only authorised devices can register, providing the initial trust anchor with an IoT application.
To gain access to this level of security and assurance, organisations need advanced, automated capabilities in a single platform, whether in the cloud or on-premises. The integration of privileged access principles to reduce access risks is one of the advantages of this approach.
The reduction in TLS certificate lifespans is, however, unlikely to be the last serious change that IT teams will face as they manage fast-expanding IoT networks. Organisations will need a platform designed to meet all the heavy demands not only of today’s devices with all their weaknesses and unique characteristics, but also of tomorrow’s IoT environments. The Apple announcement should focus minds on the critical importance of future-facing and agile automated device security.
Further information
To find out more, head to Device Authority’s website.