IoT services are enabled by devices collecting, processing and sending data, quite often sensitive or personal, to the cloud. A key factor in the widespread deployment of IoT services is the ability for key stakeholders – end users and service providers – to trust that data is gathered and transmitted to the IoT cloud securely, protecting its integrity and, in turn, the integrity of the service.
Global authorities, industry bodies, governments and regulators are therefore working collaboratively towards defined IoT guidelines and mandates. This activity is particularly advanced in Europe. The General Data Protection Regulation (GDPR) defines strict penalties for device manufacturers and service providers who do not protect consumer privacy. A robust certification framework has also emerged, with the ENISA Cybersecurity Act and Eurosmart IoT Certification Scheme requiring IoT devices to undergo penetration testing by state-of-the-art independent security laboratories prior to deployment.
Remotely provisioning, managing and updating credentials across millions of different devices throughout their entire lifecycle, in order to ensure this security and privacy, presents myriad challenges. It is the ability to protect IoT data communications in a simple, standardised manner at scale, however, that has emerged as a key industry challenge.
Market fragmentation: a key challenge
Leveraging a hardware secure element (SE) as a ‘Root of Trust’ to execute security services and store security credentials is an essential step in the development lifecycle to guarantee end-to-end security for IoT products and services. It is also a key recommendation of the GSMA IoT Security Guidelines.
There are several proprietary hardware SE solutions available to deliver this root of trust, but market fragmentation introduces a key challenge. Connected devices must be modified to access security services from different SE providers, which creates significant design issues and is unsustainable at scale given the ever-increasing size and diversity of the IoT ecosystem.