IoT IAM leader Device Authority and digital security leader Gemalto join forces with an integration partnership offering interoperability between Gemalto’s SafeNet Access Management & Data Encryption solutions and Device Authority’s KeyScaler.
Gemalto also announces SafeNet KeySecure integration with NetApp as it steams further on its path of digital security leadership with Thales. An overview of the news , updates on the Thales acquisition and analysis of the Gemalto and Device Authority partnership.
The Device Authority KeyScaler Platform offers active IoT device authentication and policy enforcement with secure device provisioning, secure credential management, policy-driven encryption, automated password management (APM) and more.
With identity and access management (IAM) being key in IoT security (and beyond) on all levels, from IoT devices to users, Device Authority is a leader in IAM for IoT. Gemalto, being acquired by French cybersecurity leader Thales, offers a broad range of IAM solutions overall (Identity-as-a-Service, Authentication Management Platforms, Authentication-as-a-Service, PKI Smart Cards and far more). Gemalto was also recently awarded the £490m post-Bexit UK passport contract.
As organizations are investing in IoT security the importance of strong identity and access management across several layers of the IoT stack is growing. This is also the case in the IoT platform market, including on the level of IoT device management.
The go-to-market approach of Device Authority as IoT security permeates all IoT technology layers
Device Authority’s go-to-market approach with the Device Authority KeyScaler technology and platform includes several IoT platforms.
The partnership ecosystem of the company includes IoT platforms who leverage the Device Authority KeyScaler technology to enhance their existing security. Among the IoT platforms in the company’s ecosystem are Cumulocity (now Cumulocity IoT, after the acquisition by Software AG) and machineshop which uses the Device Authority technology to enhance security for its MachineShop EDGE platform.
Device Authority is also part of the ecosystems of IoT partners from leading IoT platform and Industrial IoT platform vendors such as Amazon (AWS), AT&T’s IoT partner program, the GE Digital Alliance Partner program and the PTC ThingWorx Marketplace, through which it is available. Device Authority also works with system integrators such as Cognizant and Infosys, service providers such as devicepilot and kepware (PTC) and is present in the partnership programs of IoT device OEMs such as AMD, Dell, Intel and Axis Communications, a long-time leader in network video.
In the context of the latter we need to mention the vendor-agnostic Device Authority KeyScaler solutions for video surveillance camera security. As is known, DDoS attacks previously have leveraged CCTV cameras so a proper authentication and authorization approach, on top of existing security measures does matter here as well.
And, not unimportant in the scope of the current market evolutions, Thales e-Security is a hardware security module (HSM) of Device Authority. In January 2018, Device Authority and Thales announced their partnership to deliver trust for IoT with HSMs.
Last but not least, the Device Authority KeyScaler Platform has built in capabilities which enable automated bulk provisioning of PKI certificates in combination with customer defined security policies that determine certificate management for secure certificate management at the scale of IoT.
Customers of Device Authority include BT, LeasePlan, Deloitte and GlaxoSmithKline, to cite a few. Device Authority, in its current form exists since April 2016 when Cryptosoft, a leader in policy driven authentication and encryption services for connected IoT and M2M devices with the Cryptosoft platform (developed in 2010) acquired IoT IAM solutions provider DeviceAuthority Inc, which was named a Gartner-cool vendor in 2015 and 2016. After the acquisition, Cryptosoft the changed its name to Device Authority.
The Gemalto and Device Authority partnership: interoperability in an environment where technical standards and end-to-end security and IAM strategies lack
IoT investor Tern holds a 56.8% interest in Device Authority. In a separate announcement of the partnership between Gemalto and Device Authority Tern CEO Al Sisto states: “Although it will not deliver revenues immediately, I am confident that the combined proposition will prove to be highly marketable when inter-operability has been achieved”.
That brings us back to the partnership between Device Authority and Gemalto. According to the press release, the partnership will simplify ‘security by design’ implementations for a trusted IoT ecosystem (also the mission of TIoTA, the Trusted IoT Alliance) and by joining forces, the two companies are making it easier for manufacturers, enterprises and service providers to build strong security into their IoT devices from the very beginning.
With data security, privacy (yes, you can also think General Data Protection Regulation, an area Gemalto has been very active in, where IAM and encryption do matter, and the coming ePrivacy Regulation that will change personal data protection in a scope of IoT and regulatory compliance as well) and the increasing focus of organizations towards IoT strategies and cloud based business models, which require robust solutions to meet their customer security and compliance requirements cited as reasons the challenge for CISOs to extend their enterprise data security technology to IoT devices is mentioned a driver for a required integration with IoT-friendly IAM solutions and data protection systems.
According to the latest 2018 IoT security forecasts from Gartner, regulatory compliance is about to be the prime influencer for IoT security uptake, among others in highly regulated industries such as healthcare (one of the four verticals where Device Authority focuses on with its IoT security for healthcare solutions) and also in the critical environments of Industry 4.0 (whereby manufacturing and industrial IoT markets overall are a second key focus of Device Authority, on top of the mentioned surveillance cameras and smart connected products).
Gartner’s Ruggero Contu pointed out several issues regarding IoT security, emphasizing that technical standards for specific IoT security components in the industry are only now just starting to be addressed across established IT security standards bodies, consortium organizations and vendor alliances.
It’s, among others, in the scope of the latter that the partnership between Device Authority and Gemalto can be seen as the interoperability statement from Al Sisto already makes clear. As the press release states the interoperability between Gemalto’s SafeNet Access Management & Data Encryption solutions and Device Authority’s KeyScaler will help organizations to optimize existing investments in hardware security modules (HSMs) or other data security technology. They can leverage these to improve overall security, while also expanding functionality to manage blockchain identities and data security policies across any IoT deployment” (blockchain and IoT is clearly finding its way in an IoT device management scope with not just the press release mentioning it but also the first blockchain IoT platforms, the blockchain registration protocol for IoT thing registration and, among others, user authentication and device registration and onboarding, as key blockchain IoT use cases). On top of IoT-readiness also blockchain-readiness is mentioned by Darron Antill, CEO of Device Authority, when commenting on the partnership.
Under the partnership the Device Authority KeyScaler platform/technology integrates with Gemalto’s SafeNet Luna Network Hardware Security Modules (HSMs) and the SafeNet KeySecure centralized key management platform for automated PKI certificate provisioning, high-assurance device authentication and managed end-to-end encryption at scale.
Using the SafeNet KeySecure central platform, Device Authority’s KeyScaler can extend encryption to IoT data and Device Authority’s integration with Gemalto’s SafeNet Data Protection On Demand solution (a cloud-based platform enabling a broad range of on-demand key management and encryption services through an online marketplace) provides customers with choices when migrating operations to the cloud and/or through a managed services model, we further read in the press release.
Gemalto SafeNet KeySecure validation for latest NetApp Volume Encryption solution
Also in April 2018, Gemalto announced that SafeNet KeySecure has been validated for use with the latest release of NetApp Volume Encryption (NVE) data management solution.
This enables NetApp customers to encrypt granularly at the volume level without the need and additional cost of purchasing self encrypting drives (SEDs), while retaining key benefits such as centralized key management and access control, better compliance, and high availability.
On top of having more granular data encryption and keeping keys separate, customers will have the freedom to choose any storage media, have flexible deployment options, audit trails, separation of duties and ecosystem support, the announcement says.
Data privacy and data security are mentioned as continuing to be a key focus for organizations, especially in light of industry compliance standards such as US health standard (HIPAA) or payment card standard (PCI-DSS) and the EU’s previously cited GDPR (General Data Protection Regulation), by Gemalto.
Building an IoT security powerhouse to offer what CISOs want
End 2017 French Thales announced the acquisition of Gemalto, rooted in The Netherlands, creating a digital security powerhouse. The completion is expected for the second half of 2018.
Expect more changes when this is the case, even if it’s just regarding product names. After all, the acquisition of US-based SafeNet by Gemalto from private equity firm Vector Capital is close to four years ago and, as often is the case in IoT land, partnerships can often lead to more, certainly when that interoperability is achieved and if companies are part of several players’ ecosystems when these ecosystems start merging.
Looking at the picture of IoT security spending and the messages Gartner sent regarding strategy it wouldn’t be surprising to see more similar initiatives, ecosystem shifts and further collaborations as attention for IoT security becomes a more strategic issue and de facto an end-to-end matter whereby companies and CISOs don’t want to manage complexity which is a job for vendors and system integrators.
As the CISO of cloud security company Zscaler said in an interview for Device Authority customer BT in 2016: when it comes down to the cloud CISOs want visibility because they inherited a culture of pizza box architectures.
We’re pretty sure that the same, visibility on top of simplicity and interoperability, applies to the complex and utterly fragmented landscape of IoT where interoperability still lacks far too much. Time for the leaders to act and that’s clearly what they do and what this partnership and the acquisition of Gemalto by Thales is all about and what Gartner’s Ruggero Contu had in mind when pointing out the challenges and evolutions in an IoT security spending perspective.
And if security belongs on the boardroom agenda as previously written then so does IoT security to end with the message of a blog post by Device Authority CEO Darron Antill, entitled “IoT security: a boardroom concern“.
Quote: “For managers to be able to understand the evolving IoT security posture of their business, and the real-life implications on on-boarding a range of smart devices, they need to be able to have easy access to an overview of those devices and how they interact together”.
All images belong to their respective mentioned owners.