Certificate Management – A Critical Part of Physical Security
Enterprises today rely on a massive number of physical security devices and sensors – such as surveillance cameras, access controls, and alarm systems – to secure their premises, people, IP, and other assets. Each of these devices comes with its own security certificate which must be tightly managed to ensure the device is compliant and functioning as expected. If physical security devices are not available or operating as designed, the results can have a severe impact on the enterprise — from unprotected assets to unauthorized access. This blog does a deep dive into the essential role that security certificates play in physical security device management.
What are device security certificates?
A device certificate is a digital certificate that enables the identification, authentication, and secure communication between two devices using a Public Key Infrastructure (PKI). Simply put, a device security certificate serves as a form of digital identity and allows devices to verify the trust status of other devices attempting to access their network. They do this by authenticating the organization’s name registered on the certificate and by enabling data security through encryption. Where certificate-based network access control (such as 802.1x) is enforced, a device without a valid digital certificate cannot connect to the network, even if it is registered as a valid device.
Why are device security certificates so important?
Each device’s security certificate is bound to a pair of cryptographic keys, a public key carried in the certificate and a private key held only by the device, so a device certificate enables other devices to verify that the device trying to connect with them is the legitimate holder of that identity. This ensures secure communications between the two devices while preventing unauthorized users from accessing that data. This is especially important in today’s era of cyberattacks. IoT devices are preferred targets of threat actors seeking easy ways to intercept company data or breach the device itself. Imagine the damage that can ensue if a hacker shuts down your organization’s security cameras or breaches your access panels.
Certificate rotation – replacing an existing certificate with a new one – every six months or less is considered a best practice for securing IoT physical security devices. While every organization has its own certificate issuance and life-cycle policies, rotating certificates helps prevent outages, and tracking these certificates highlights upcoming expirations and out-of-date issues.
Why is certificate management so challenging?
While organizations generally understand the operational benefits of using device security certificates for their physical security devices, these digital certificates are not always properly managed. That’s because organizations often rely on manual and time-consuming processes to manage certificates on their physical security devices. This lack of efficiency results in multiple issues:
Unmanaged certificates: Most physical security devices do not have authentication certificates installed, and when present, they are rarely changed.
Insecure communication channels: Communication with physical security devices often occurs via unsecured channels. Even with an encrypted connection, the identity of a device with no valid certificate cannot be verified, allowing traffic to be intercepted and putting data integrity at risk.
Self-signed certificates: Some devices use self-signed certificates. Security risks are introduced when device certificates are signed with their own private key, as opposed to being signed by a private or public Certificate Authority (CA).
Costly, time-consuming & manual operations: Manually managing security certificates for a fleet of devices is expensive and time-consuming. Any manual processes are prone to error and thereby increase risk.
Workflow gaps: Organizations often lack a single, official certificate request workflow, because such a workflow is considered too difficult to implement. This gap opens the door to added risk.
Compliance issues: Any of these potential points of failure may lead to compliance issues.
Added complexity: Implementing end-to-end certificate management for 802.1x certificates on IoT devices brings additional complexity. Several risks can derail the end-to-end 802.1x certificate management process, including loss of connectivity in the network infrastructure and reliance on each device’s configuration and its dependencies.
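As an added example (not SecuriThings’ or Horizon’s code), the Go program below uses only the standard library to audit a fleet of device certificates for the problems listed above and for the rotation cadence described earlier: self-signed certificates, certificates that do not chain to the organization’s CA, expired or soon-expiring certificates, validity periods longer than the rotation policy allows, and undersized RSA keys. The CA, the three device certificates (a camera, a door controller and an alarm panel) and the policy thresholds (180-day maximum lifetime, 30-day renewal window, 2048-bit RSA minimum) are constructed assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy holds the organisation's certificate rules; the thresholds set in main() are assumptions for this example.
type Policy struct {
	MaxLifetime time.Duration  // rotate at least this often (the article: six months or less)
	RenewBefore time.Duration  // flag certificates that expire inside this window
	MinRSABits  int            // smallest acceptable RSA modulus
	Roots       *x509.CertPool // the organisation's private CA(s)
}

type Finding struct{ Device, Issue string } // one compliance problem on one device certificate

// Audit checks one device certificate against the policy and returns every problem found.
func Audit(device string, cert *x509.Certificate, p Policy, now time.Time) []Finding {
	var out []Finding
	add := func(issue string) { out = append(out, Finding{device, issue}) }
	// Self-signed: subject equals issuer and the signature verifies under the certificate's own key
	// (CheckSignature rather than CheckSignatureFrom, so a leaf without CA constraints can be tested).
	opts := x509.VerifyOptions{Roots: p.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}} // 802.1x supplicant role
	if cert.Subject.String() == cert.Issuer.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		add("self-signed; not issued by the organisation's CA")
	} else if _, err := cert.Verify(opts); err != nil {
		add("does not chain to the organisation's CA: " + err.Error())
	}
	// Validity: expired, inside the renewal window, or issued for longer than the rotation policy allows.
	switch remaining := cert.NotAfter.Sub(now); {
	case remaining < 0:
		add("expired on " + cert.NotAfter.Format("2006-01-02"))
	case remaining < p.RenewBefore:
		add(fmt.Sprintf("expires on %s, inside the %.0f-day renewal window", cert.NotAfter.Format("2006-01-02"), p.RenewBefore.Hours()/24))
	}
	if lifetime := cert.NotAfter.Sub(cert.NotBefore); lifetime > p.MaxLifetime {
		add(fmt.Sprintf("validity of %.0f days exceeds the policy maximum of %.0f days", lifetime.Hours()/24, p.MaxLifetime.Hours()/24))
	}
	// Key strength: only the RSA modulus size is policed here; ECDSA P-256 keys pass as-is.
	if k, ok := cert.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < p.MinRSABits {
		add(fmt.Sprintf("RSA key is %d bits; policy minimum is %d", k.N.BitLen(), p.MinRSABits))
	}
	return out
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func mustCert(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildSampleFleet builds, in memory from constructed data, an organisation CA plus three device certificates
// that exhibit the issues the article lists; the device and CA names are made up for this example.
func BuildSampleFleet(now time.Time) (map[string]*x509.Certificate, *x509.CertPool) {
	day := 24 * time.Hour
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Device CA"},
		NotBefore: now.Add(-365 * day), NotAfter: now.Add(10 * 365 * day), IsCA: true, BasicConstraintsValid: true}
	caCert := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	leaf := func(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	}
	// cam-lobby-01: CA-issued 90-day certificate on a P-256 key (compliant).
	camKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cam := mustCert(leaf(2, "cam-lobby-01", now.Add(-time.Hour), now.Add(90*day)), caCert, &camKey.PublicKey, caKey)
	// door-east-07: factory self-signed, ten-year validity, 1024-bit RSA key.
	doorKey := must(rsa.GenerateKey(rand.Reader, 1024))
	doorTmpl := leaf(3, "door-east-07", now.Add(-365*day), now.Add(9*365*day))
	door := mustCert(doorTmpl, doorTmpl, &doorKey.PublicKey, doorKey)
	// alarm-panel-03: CA-issued 180-day certificate that is ten days from expiry.
	panelKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	panel := mustCert(leaf(4, "alarm-panel-03", now.Add(-170*day), now.Add(10*day)), caCert, &panelKey.PublicKey, caKey)
	return map[string]*x509.Certificate{"cam-lobby-01": cam, "door-east-07": door, "alarm-panel-03": panel}, roots
}

func main() {
	now := time.Now()
	fleet, roots := BuildSampleFleet(now)
	policy := Policy{MaxLifetime: 180 * 24 * time.Hour, RenewBefore: 30 * 24 * time.Hour, MinRSABits: 2048, Roots: roots}
	for name, cert := range fleet {
		for _, f := range Audit(name, cert, policy, now) {
			fmt.Printf("%-15s %s\n", f.Device, f.Issue)
		}
	}
}
```

In a real deployment the certificates would be collected from the devices themselves (for instance the leaf presented during a TLS or EAP-TLS handshake) rather than generated in memory, and the findings would feed the inventory and the rotation workflow. The point of the example is that every problem in the list above can be checked mechanically from the certificate alone, which is what makes the automation argued for in the next section possible.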
The case for automation
With the increasing number of deployed physical security devices, reliance on manual processes becomes less and less feasible. Enterprises have been turning to automation to complement their physical security teams by centralizing and automating the operational management of their physical security devices, including certificate management. Automating the operational management processes associated with physical security devices has been proven to both streamline ongoing tasks in an efficient manner, and deliver immediate cost savings and clear ROI.
This ROI comes from enabling visibility into the health status of all physical security devices on the network, which in turn keeps devices operational 24/7, and drives faster issue resolution, decision making, and future planning. At the same time, automation reduces the need for truck rolls and on-site visits, and frees up staff from time-consuming manual tasks.
The way forward: Horizon
SecuriThings Horizon is a software-only solution that introduces the concept of IoTOps — a set of practices that combines IoT operations and IT operations. It aims to empower organizations to operationally manage physical security IoT devices at scale in a consolidated and automated manner.
With the SecuriThings certificate management functionality integrated tightly into the organization’s security processes, the organization can improve its certificate rotation processes in coordination with its CA. Detailed compliance policies can be defined and implemented, with Horizon monitoring compliance in real time and providing visibility into adherence. Features include:
- Centralized inventory and compliance reporting
- Bulk certificate rotation for devices and groups of devices
- Discovery of all the SSL and 802.1x certificates deployed across devices
- End-to-end certificate life cycle management with the organization’s CA
- Secure connection with the device during the process (MiTM protection)
- Full control of the certificate parameters and flexible configuration, allowing control of the common name, key size, email address, and more.
For more information about how your organization can benefit from automated operations for physical security devices, book a demo here.