Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

IoT device identity and certificates: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: IoT devices now operate inside business and public service chains with little transparency into who or what is talking to whom, and the article argues that unique device identity, standardized certificates, and conformity checks are becoming necessary foundations for security and privacy, according to DigiCert. The governance question is no longer whether connected devices need identity, but whether organisations can treat ephemeral device trust as a regulated control surface.

NHIMG editorial — based on content published by DigiCert: Guest Opinion on IoT devices needing greater conformity and security built in

Questions worth separating out

Q: How should organisations govern IoT devices as part of identity security?

A: Treat IoT devices as governed identities, not just endpoints.

Q: Why do IoT devices create identity governance problems for security teams?

A: IoT devices create governance problems because they often operate with poor transparency into who is communicating with whom and where data is interpreted.

Q: How do certificates improve IoT security and privacy controls?

A: Certificates give IoT devices a common mechanism for authentication, encryption, and traceable trust decisions.

Practitioner guidance

  • Inventory connected devices as identity-bearing assets Map every IoT class, owner, trust dependency, and service-chain role so devices can be governed as participants rather than anonymous endpoints.
  • Bind onboarding to certificate issuance and revocation Require a certificate-backed identity step before a device is allowed to authenticate, and define revocation triggers for loss, retirement, compromise, or supplier change.
  • Design for disposable identifiers where persistence adds risk Use ephemeral or scoped identifiers for use cases where long-lived device tracking is unnecessary, while keeping durable records in the governance system, not the device itself.

What's in the full article

DigiCert's full article covers the practical policy and standards detail this post intentionally leaves for the source:

  • How the article frames CE-mark conformity and EU regulatory expectations for connected devices
  • Why the authors recommend standardized digital certificates for authentication, encryption, and authorization efficiency
  • The specific role they assign to manufacturers, sellers, and regulators in device identity adoption
  • Their examples of IoT devices as part of human, object, and robot identity control

👉 Read DigiCert's guest opinion on IoT device identity, conformity, and security →

IoT device identity and certificates: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

IoT security fails when organisations confuse connectivity with trust. The article's central point is that many connected devices can communicate without any clear, durable evidence of who they are or what they are allowed to do. That is not a device-management nuisance, it is an identity governance failure because trust is being inferred from presence on a network rather than asserted through controlled identity. The practitioner conclusion is that IoT governance has to start with explicit identity, not with perimeter assumptions.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should own IoT device identity governance in an enterprise?

A: IoT device identity governance should be shared across identity, security architecture, operations, and procurement, with clear ownership for issuing, approving, rotating, and revoking device credentials. If no team owns the lifecycle, devices become persistent trust exceptions. The right model is policy-led governance with operational responsibility assigned before devices reach production.

👉 Read our full editorial: IoT device identity and certificates are becoming security infrastructure



   
ReplyQuote
Share: