Verizon platform tackles security challenges of the ‘Internet of Things’
The recent security breach suffered by discount retailer Target—resulting in about 40 million credit-card numbers and related security codes being hacked—underscores the depth of the cybersecurity challenges that enterprises and government entities face in the so-called “Internet of Things” era. Recently, Verizon launched a new security suite that is designed to address these issues.
Dubbed the Managed Certificate Services (MCS) platform, the suite authenticates a wide variety of objects and machines that are connected to the Internet and/or to private networks—for instance, credit-card readers, smart meters, sensors, medical devices and smartphones/tablets—and secures the transmitted data.
While organizations take cybersecurity more seriously than they did in the past, there’s plenty of work still to do—largely because the attacks continually become more sophisticated and organizations often find it difficult to keep pace, according to Johan Sys, Verizon’s managing principal for identity and access management.
“For example, 80% of successful attacks could have been stopped if people were using strong two-factor authentication, instead of just using a name and password,” said Sys, quoting from Verizon’s 2013 Data Breach Investigations Report. “So, there is still quite a big security issue out there, and it’s quite a complex thing to solve, because you always have the whole convenience-versus-security [question].”
The MCS platform is a cloud-based, fully managed public-key infrastructure (PKI) service. The fact that it is fully managed by Verizon is a key attribute, Sys said. That’s because PKI, while generally well understood, has deployment challenges that would be exacerbated if it were applied in an Internet-of-Things environment.
“PKI is perceived as being difficult. People know what it is, but it is still quite a specialized field,” he said. “You need to have the proper policies and infrastructure—things like crypto-hardware—in place. And then, if you start applying it to the Internet of Things, it has its own challenges—very specifically, we’re thinking about a whole other level of scale. … We’re actually at the point where there are more interconnected devices than there are people in the world.”
Indeed, the platform is highly scalable—due to the fact that it resides in the cloud—to the point where it can verify billions of devices and applications simultaneously. Also, the service is available on a pay-as-you-go basis, so organizations only pay for the level of service that they need at any given time.
“We believe this is quite unique,” Sys said. “In the past, if you wanted to source digital certificates, you had to know up front approximately how many you were going to need. The problem is that digital certificates have a lifetime—one year, two years, three years—and this doesn’t really make sense in some of the use cases we are seeing with our customers, because some of these devices are only active for a couple of months.
“Think about a medical trial where they want to monitor patients—such a trial typically only has a three-month period,” he continued. “Think about a utility meter—you don’t know how long the person is going to stay in the house. It’s often very hard to estimate up front how long these digital certificates should last.”
The digital certificate that the service establishes for each device not only authenticates the connection and protects the data from being pilfered, it also protects the data’s integrity, according to Sys.
“When you’re responsible for managing a device on the Internet, you want to make sure that the data that you receive from that device is properly coming from that device, so that it’s not being spoofed,” he said. “For example, if you’re a utility, you want to ensure that someone hasn’t changed the data coming from their smart meter at home, in an attempt to get lower electricity rates.”
The digital certificate is a plus in the public-safety sector, as well, according to Sys. For example, consider an emergency medical technician who needs to transmit highly sensitive patient information to a hospital from the scene or while en route to the hospital. When time is of the essence, “you don’t want to have them worrying about passwords,” Sys said.
After an initial one-time set-up fee, the MCS service costs about $2,500 for up to 15,000 certificates. Additional certificates cost from 1-8 cents each, depending on volume.