Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Connected device security is moving to lifecycle enforcement


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Global supply of connected devices is projected to rise from 7.740 billion today to 29 billion by 2030, while the EU Cyber Resilience Act would impose mandatory security requirements across the full product lifecycle, according to GlobalSign and the European Commission. The policy shift matters because device identity, certificate management, and vulnerability handling are becoming governance problems, not just engineering tasks.

NHIMG editorial — based on content published by GlobalSign: Matter, PKI, and the Cyber Resilience Act for connected device security

Questions worth separating out

Q: What breaks when connected devices do not have a defined identity lifecycle?

A: Devices that cannot be issued, rotated, revoked, and retired through a controlled lifecycle become permanent trust risks.

Q: How should organisations govern IoT devices as part of identity security?

A: Treat IoT devices as governed identities, not just endpoints.

Q: What do security teams get wrong about PKI for connected devices?

A: Teams often assume certificates solve trust on their own.

Practitioner guidance

  • Define a device identity lifecycle policy Map issuance, renewal, rotation, revocation, and end-of-life steps for every connected device class, including consumer and industrial fleets.
  • Require lifecycle evidence from suppliers Ask manufacturers for support windows, vulnerability disclosure processes, and secure update commitments before approval.
  • Automate certificate renewal and revocation Use PKI workflows that can renew certificates before expiry and revoke them when devices are decommissioned, compromised, or re-provisioned.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • The article explains how the CSA Matter standard is intended to improve interoperability across smart home ecosystems.
  • It outlines the proposed EU Cyber Resilience Act obligations for planning, design, development, delivery, maintenance, and support.
  • It summarises how manufacturers would need to document risks, notify exploited vulnerabilities, and provide updates for at least five years.
  • It points to PKI and certificate-backed identity as the practical security model for connected device trust.

👉 Read GlobalSign's analysis of Matter, PKI, and the Cyber Resilience Act →

Connected device security is moving to lifecycle enforcement?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Device identity is becoming the control plane for connected product security. The article shows that the real issue is no longer simply whether a device is vulnerable, but whether its identity can be established, maintained, and revoked across its life. When millions of devices depend on certificates and update paths, security depends on lifecycle governance as much as on hardware design. Practitioners should treat device identity as an identity programme concern, not a niche engineering detail.

A question worth separating out:

Q: Who is accountable when a connected device remains vulnerable after sale?

A: Accountability should sit with both the manufacturer and the operator, but the proposed EU Cyber Resilience Act shifts more responsibility to the manufacturer for lifecycle security, updates, and vulnerability handling. Operators still need procurement and monitoring controls, but they should demand evidence of support, disclosure, and update commitments before deployment.

👉 Read our full editorial: Connected device security is moving to lifecycle enforcement



   
ReplyQuote
Share: