Protecting Enterprise Laptops, 21st Century Style


Cloud-based and short-lived IoT certificates were key to solution for TKE. 

submitted by GlobalSign

Every enterprise needs to secure its devices. But when that enterprise is spun out of a very large, global corporation, it is going to have some unique specifications. Such was the case for Essen, Germany-based TK Elevator (TKE) in 2021. After the separation from thyssenkrupp group in August 2020, TKE was no longer under the umbrella of a massive organization and its technology infrastructure. As a result, the company — still formidable with more than 50,000 employees worldwide — had to reinvent its approach to technology. 

Among the many projects the company’s IT team wanted to undertake was to secure thousands of laptops, which the company refers to as Digital Workspace Devices (DWD). From the beginning, TKE knew an important part of the solution for secure DWDs would be to take advantage of digital certificates. In this case, the company was looking for the capability of issuing and managing machine-authentication certificates for domain-joined and non-domain-joined devices. The solution also needed to run across many different operating systems and mobile device types, and it needed to be cloud-based. Once the critical factors for the project were determined, TKE set out to find the right technology suppliers to help fulfill its vision. 

IoT Device Identity for Laptops

As the Internet of Things (IoT) continues to broaden, the technology is being utilized in many ways. Take laptops, for example. These internet-enabled devices, like any other device today, must be protected — especially for global corporations with thousands of employees. This is why, in the case of TKE, it was determined that IoT certificates delivered to user devices such as laptops and hardware would be the best fit for the project. That’s the very definition of enterprise IoT. 

Securing hardware involves different forms of communication across TKE’s internal infrastructure. One factor is deployment, but securing hardware also includes manufacturing lines, as well as encryption within a typical IT infrastructure. Having all of these aligned establishes good technical communication between them. Therefore, incorporating an authentication mechanism, such as for a laptop connecting to a corporate Wi-Fi network, was an important element. Another factor we considered is that laptops need to be recognized within a local area network. It was part of GlobalSign’s role to reassure TKE that its users’ devices were being recognized, so that no foreign device could access the network, preventing a serious incident such as a data breach.

Short-Term Certificates

Digital certificates are based on Public Key Infrastructure (PKI) technology. Due to increasing concerns about cyberattacks, certificate lifecycles are getting shorter all the time. This is attributed to the security community’s belief that, in certain contexts, short certificate lifetimes reduce the possibility of an attack. When a company’s solutions are completely in the cloud, this is especially true. That’s because of the widely held belief that using short-term certificates should give an enterprise confidence it is armored against an attack in enterprise and cloud IoT use scenarios. In addition, when talking about user asset identities for devices ranging from laptops and mobile devices to workstations, PDAs (personal digital assistants) and point-of-sale terminals, changing keys frequently means better security hygiene as well.

For TKE, it was determined that rather short-lifecycle certificates would be the best — and most secure — option. GlobalSign’s internal certificate management system, ATLAS, provides the company with the flexibility to have a certificate lifecycle in place with validity ranging from minutes up to 397 days, which can be easily managed within the ATLAS platform. The platform even allows customers to adjust their certificates at any time. For example, GlobalSign gave TKE the option of certificate expirations within hours, a few days, a few weeks or even several months.

We believe it is a great benefit to have a certificate management system in place that not only instantly alerts, but replaces, an expired certificate with a new one. Using a combination of either short-life or long-life certificates is a very good security strategy as it provides a healthy key rotation altogether. Certificate rotation ensures the serial number or hash can’t be attacked. 

Move to the Cloud 

In addition to the IoT and short-lifecycle aspects, the implementation for TKE also incorporated other unique features, including moving company databases and directories completely to the cloud via an integrator. This was possible due to a longstanding GlobalSign technology partnership that allows customers like TKE to enjoy a private — but secure — cloud environment. By integrating with this provider of cloud key management services, customers can pull certificates from a trusted supplier. 

According to GlobalSign Account Manager Jerker Svensson:

“TKE needed a solution for machine authentication that worked with Microsoft Intune and mobile devices using Windows 10. It also had to be cloud-based. Further, they wished to deploy, issue and manage machine authentication certificates for domain-joined and non-domain-joined devices. Due to the heterogeneity of the endpoints, they were looking for a solution running across many different operating systems and mobile device types.”

TKE sought an accredited and renowned European PKI service provider and found it in GlobalSign. GlobalSign also offered TKE a needed ISO-certified secure private cloud compatible with hardware security module services. Additionally, TKE sought certificate and key management software and an endpoint agent to automate requests, as well as delivery and installation of certificates on each endpoint.

Svensson observed: 

“GlobalSign was able to offer them an integrated solution that met all of their needs, as well as enabled them to fulfill their project requirements using a hosted private certificate authority and IoT certificates.”

This successful project created a strong relationship and paved a way for another industrial IoT project.  

GlobalSign


GlobalSign is a privately held, identity services company that provides cloud-based, highly scalable PKI solutions for enterprises seeking to conduct safe commerce, communications, content delivery and community interactions. It is headquartered in Brussels, Belgium.
