By Pete Johnson
Security” used to mean worrying about HTTPS certificates on your websites. The notion of a “device” was a browser and all you really had to do was to guarantee that traffic between it and your web servers was encrypted.
Then the “bring your own device” (BYOD) phenomenon caused system administrators to worry about things like isolating WiFi traffic for visitors and providing VPN tunneling software of iOS and Android, so that employees could access corporate assets in the palms of their hands. “Device” then meant “smartphone.”
But now, “device” means something different. Manufacturing equipment, plane engines and even parking meters all qualify. Devices seem to outnumber people, reminding us why we need IPv6. But this new notion of “device” also requires a very different security model unless you want to fall victim to a hacker because you forgot to secure every thermostat in your building.
Building Multiple Security Levels on top of HTTPS
Different vendors address this more complex security model in different ways, but generally speaking, it has three components to it: Authorization Engine, Handshake Certificates and HTTPS.
HTTPS is still the underlying technology for encrypting traffic, but unlike the old days of web surfing (when we used to argue about the length of the keys), modern device traffic puts two layers on top of that base encryption. First, there is a set of certificate handshakes that makes sure that some cloud entity should be talking to the device in question. On top of that is typically a cloud-driven authorization engine that can confirm or deny specific instructions to the device.