Imagine a world with no access controls: a free-for-all in which processes break, nothing is audited, and there is no way to grant rights to the right devices or people. Fortunately, today's IoT-driven world is layered with access controls designed to streamline and simplify operations while prioritizing what matters most: security. With CMS VerdeTTo and the VerdeTTo Access Valve for ThingWorx, devices can be constrained to access systems only under certain conditions, such as connecting from known locations or during expected operating hours. VerdeTTo also allows devices with compromised certificates to be disabled quickly, preventing them from reaching network resources and systems: one click changes a metadata value on the compromised certificates in the VerdeTTo portal, and the VerdeTTo Access Valve immediately terminates those devices' access to the ThingWorx platform. But once a device is compromised (especially if a broad range of devices is compromised), how do you securely bring everything back online?
Rapid and secure replacement of compromised certificates
The CMS Agents infrastructure inside CMS VerdeTTo can be leveraged to replace compromised device certificates. Running on a wide range of devices, CMS Agents offer certificate discovery, inventory, replacement, and renewal. Through the VerdeTTo web portal, you can schedule a renewal operation for any collection of certificates with one click. Once it is scheduled, each CMS Agent picks up its renewal job and obtains a new certificate. Preferably, the Agent generates the new keypair on the device itself, so that the private key never leaves the device. For devices that cannot generate their own keys, the keypair can instead be generated by the Certificate Authority (CA) and transmitted to the device over the Agent's TLS (SSL) connection; this is the fallback option, since the private key then exists outside the device, and its protection depends on that channel and on the CA's handling of it.
Once the certificates are renewed and installed, the devices can be brought back online with one more click. Because the metadata values from the compromised certificates are copied automatically to the new certificates, each device retains all of the access rules established with the VerdeTTo Access Valve. All that remains is to flip the metadata switch that was used to cut off access back to its original value. This too is a single click, bringing the total to three. Those three clicks are enough to block every compromised device from the ThingWorx server, replace its certificate with a securely issued one, and reconnect the device to the platform.
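To make the mechanics of the last two sections concrete, here is an added, self-contained example written for this page in Go using only the standard library. It is not VerdeTTo, CMS Agent or ThingWorx code and reflects nothing about their actual APIs. It models the three parties in the text: the device generates its own keypair and emits a CSR, so the private key never leaves it; a small issuing CA (hypothetical name "Example Device CA") checks the CSR's proof of possession and subject before signing; and a gateway stands in for the Access Valve, admitting a client certificate only if it chains to the CA and its per-serial metadata switch is on. Renew runs the three steps in the order the text describes. Two simplifications belong to this example, not to the product: the metadata is reduced to a single enabled flag keyed by certificate serial, and the switch takes effect at the next connection attempt rather than tearing down live sessions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Device side: the keypair is generated on the device and only the CSR, signed with the new key (proof of possession), leaves it.
func DeviceKeyAndCSR(id string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: id}}, key)
	return key, csr, err
}

// CA side: a self-signed issuing CA (hypothetical name) with a serial counter.
type CA struct {
	Cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	serial int64
}

func sign(tmpl, parent *x509.Certificate, pub interface{}, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return &CA{Cert: cert, key: key, serial: 1}, err
}

// Issue verifies proof of possession and that the CSR names the device being (re)provisioned, then signs a short-lived client-auth certificate.
func (ca *CA) Issue(csrDER []byte, expectedID string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, errors.New("CSR proof of possession failed: " + err.Error())
	}
	if csr.Subject.CommonName != expectedID {
		return nil, errors.New("CSR subject does not match the registered device")
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: expectedID},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca.Cert, csr.PublicKey, ca.key)
}

// Gateway side, a stand-in for the access-valve idea: Admit requires a valid client-auth chain to the CA
// plus Enabled == true for the certificate's serial; Enabled is the per-certificate metadata "switch".
type Gateway struct {
	Roots   *x509.CertPool
	Enabled map[string]bool // an absent serial was never registered
}

func (g *Gateway) Admit(cert *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: g.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if !g.Enabled[cert.SerialNumber.String()] {
		return errors.New("certificate unregistered or disabled")
	}
	return nil
}

// Renew is the three-step flow from the text: switch off the compromised certificate, reissue to a fresh on-device key, switch on the new serial.
func Renew(ca *CA, g *Gateway, old *x509.Certificate) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	g.Enabled[old.SerialNumber.String()] = false // step 1: refused from the next connection on
	key, csr, err := DeviceKeyAndCSR(old.Subject.CommonName) // step 2: the private key stays on the device
	if err != nil {
		return nil, nil, err
	}
	cert, err := ca.Issue(csr, old.Subject.CommonName)
	if err == nil {
		g.Enabled[cert.SerialNumber.String()] = true // step 3: access restored on the new certificate
	}
	return key, cert, err
}
```

To try it, create the CA with NewCA, build a Gateway whose Roots pool contains ca.Cert and whose Enabled map starts empty, enroll a device (a constructed id such as "sensor-0001") by passing the CSR from DeviceKeyAndCSR to ca.Issue and setting Enabled for the new serial, then call Renew with that certificate. From then on Admit refuses the old serial, admits the new certificate, and the two certificates carry different public keys. If a CSR is altered in transit or names a different device, Issue refuses it; that check is what stops one compromised device from obtaining a certificate in another device's name, and a certificate signed by any other CA fails Admit's chain check regardless of its metadata.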
Flexible processes for automated certificate provisioning and replacement
With the CMS VerdeTTo Web API, these same operations can also be scripted to run automatically whenever a compromise is detected. This adds flexibility at every step, including the ability to provision certificates with different content, different access-control metadata, or a different issuing CA. All renewal operations are logged and auditable in VerdeTTo, and scripting also gives you the opportunity to log the renewal on the ThingWorx side or to take action on any other system.
The assumption in the above scenario is that the connected “things” can run a CMS Agent and that the agent can install certificates in the required location. CSS offers a wide range of solutions to address this. Agents are available for the .NET platform, Java, and any SSL-capable architecture that a C compiler can target. These Agents can natively manage Java Keystores, PEM files, Windows stores, and more, and can be extended to manage certificates in nearly any other location. When none of these solutions are adequate, the CMS VerdeTTo Agent SDK enables the development of a new agent, written from scratch, for any platform. This flexibility in agent capabilities enables the management of almost any device with a CMS Agent.
The scenario above also assumes that the device has a certificate in the first place; a certificate cannot be renewed if it was never issued. Sometimes device provisioning takes place during manufacturing, but that is not always feasible, and there is no guarantee that the end user will activate and connect the device before a factory-installed certificate expires. CMS VerdeTTo offers a flexible solution for this problem as well: when a CMS Agent first wakes up and connects to VerdeTTo, a plug-and-play code module interface allows custom logic to determine whether the device is valid and, for authorized devices, to provision a certificate at that time. These Agent Registration Handlers can also perform any other actions the provisioning process requires, such as recording the device in another system and configuring its initial metadata values for access to ThingWorx through the VerdeTTo Access Valve.
Integrating CMS VerdeTTo, the VerdeTTo Access Valve, and CMS Agents provides the best way to build a secure, maintainable solution with the ThingWorx platform. At any time, you can view and search your provisioned devices, limit access to the ThingWorx platform by any criteria, and securely reprovision a device identity. Every part of this can be extended with custom business logic to fit any use case, ensuring that this is the most flexible solution for securing your IoT platform.
For more information, please visit: https://www.css-security.com/solutions/business-solutions/iot-platform-integration/
Register for LiveWorx 18 to learn more about IoT Security and advance your knowledge. Sign up to be a LiveWorx Insider to get all the latest news and happenings!