TL;DR: IoT devices now operate inside business and public service chains with little transparency into who or what is talking to whom. The DigiCert article argues that unique device identity, standardized certificates, and conformity checks are becoming necessary foundations for security and privacy. The governance question is no longer whether connected devices need identity, but whether organisations can treat ephemeral device trust as a regulated control surface.
NHIMG editorial — based on content published by DigiCert: Guest Opinion on IoT devices needing greater conformity and security built in
Questions worth separating out
Q: How should organisations govern IoT devices as part of identity security?
A: Treat IoT devices as governed identities, not just endpoints.
Q: Why do IoT devices create identity governance problems for security teams?
A: IoT devices create governance problems because they often operate with poor transparency into who is communicating with whom and where data is interpreted.
Q: How do certificates improve IoT security and privacy controls?
A: Certificates give IoT devices a common mechanism for authentication, encryption, and traceable trust decisions.
Practitioner guidance
- Inventory connected devices as identity-bearing assets: map every IoT class, owner, trust dependency, and service-chain role so devices can be governed as participants rather than anonymous endpoints.
- Bind onboarding to certificate issuance and revocation: require a certificate-backed identity step before a device is allowed to authenticate, and define revocation triggers for loss, retirement, compromise, or supplier change.
- Design for disposable identifiers where persistence adds risk: use ephemeral or scoped identifiers for use cases where long-lived device tracking is unnecessary, while keeping durable records in the governance system, not the device itself.
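As an added example, not code from the DigiCert article or from NHIMG, the three guidance steps above expressed as a small device-identity governance model in Python using only the standard library. The device names, certificate bytes, governance key and the set of revocation trigger names are constructed for illustration; a real deployment would bind an X.509 certificate issued by a PKI rather than a stand-in byte string, and this toy does not implement issuance or chain validation.

```python
# Added illustrative example (not DigiCert's or NHIMG's code): a minimal device-identity
# governance model. Certificates are represented only by their DER bytes and SHA-256
# fingerprints; real deployments bind X.509 certificates from a PKI (not modelled here).
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Revocation triggers named in the guidance above (constructed labels).
REVOCATION_TRIGGERS = frozenset({"lost", "retired", "compromised", "supplier_changed"})


@dataclass
class DeviceRecord:
    """Durable record kept in the governance system, never on the device."""
    device_id: str
    device_class: str
    owner: str
    service_role: str
    cert_fingerprint: Optional[str] = None   # SHA-256 of the bound certificate (DER)
    cert_not_after: Optional[datetime] = None
    revoked_reason: Optional[str] = None


class DeviceGovernance:
    def __init__(self, pseudonym_key: bytes) -> None:
        self._records: Dict[str, DeviceRecord] = {}
        self._key = pseudonym_key  # held by governance only; links scoped ids back to records

    def inventory(self, device_id: str, device_class: str, owner: str, service_role: str) -> None:
        """Step 1: register the device as an identity-bearing asset with owner and role."""
        self._records[device_id] = DeviceRecord(device_id, device_class, owner, service_role)

    def bind_certificate(self, device_id: str, cert_der: bytes, not_after: datetime) -> str:
        """Step 2 (onboarding): a certificate can only be bound to an inventoried device."""
        rec = self._records.get(device_id)
        if rec is None:
            raise KeyError(f"{device_id} is not in the inventory; onboard it first")
        rec.cert_fingerprint = hashlib.sha256(cert_der).hexdigest()
        rec.cert_not_after = not_after
        rec.revoked_reason = None
        return rec.cert_fingerprint

    def revoke(self, device_id: str, reason: str) -> None:
        """Step 2 (revocation): only a defined trigger may revoke a bound identity."""
        if reason not in REVOCATION_TRIGGERS:
            raise ValueError(f"unknown revocation trigger: {reason}")
        self._records[device_id].revoked_reason = reason

    def may_authenticate(self, device_id: str, presented_der: bytes, now: datetime) -> Tuple[bool, str]:
        """Policy decision: every refusal names the governance check that failed."""
        rec = self._records.get(device_id)
        if rec is None:
            return False, "not inventoried"
        if rec.cert_fingerprint is None:
            return False, "no certificate bound"
        presented = hashlib.sha256(presented_der).hexdigest()
        if not hmac.compare_digest(presented, rec.cert_fingerprint):
            return False, "certificate does not match bound identity"
        if rec.revoked_reason is not None:
            return False, f"revoked: {rec.revoked_reason}"
        if rec.cert_not_after is None or now >= rec.cert_not_after:
            return False, "certificate expired"
        return True, "ok"

    def scoped_identifier(self, device_id: str, scope: str, epoch: str) -> str:
        """Step 3: disposable identifier for one consumer (scope) and time window (epoch).
        Without the governance key, identifiers from two scopes cannot be linked."""
        msg = f"{device_id}|{scope}|{epoch}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def resolve(self, scoped_id: str, scope: str, epoch: str) -> Optional[str]:
        """Only the governance system can map a scoped identifier back to the durable record."""
        for did in self._records:
            if hmac.compare_digest(self.scoped_identifier(did, scope, epoch), scoped_id):
                return did
        return None


def demo() -> dict:
    """Walks the three guidance steps with constructed sample data; returns the decisions."""
    gov = DeviceGovernance(pseudonym_key=b"constructed-governance-key-not-for-production")
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    cert = b"constructed DER bytes for sensor-0001"  # stand-in for a real certificate
    gov.inventory("sensor-0001", "env-sensor", "facilities", "telemetry-source")
    out = {"before_cert": gov.may_authenticate("sensor-0001", cert, now)}
    gov.bind_certificate("sensor-0001", cert, not_after=now + timedelta(days=365))
    out["after_cert"] = gov.may_authenticate("sensor-0001", cert, now)
    out["wrong_cert"] = gov.may_authenticate("sensor-0001", b"some other certificate", now)
    out["unknown_device"] = gov.may_authenticate("sensor-9999", cert, now)
    out["expired"] = gov.may_authenticate("sensor-0001", cert, now + timedelta(days=400))
    gov.revoke("sensor-0001", "supplier_changed")
    out["revoked"] = gov.may_authenticate("sensor-0001", cert, now)
    # Two consumers see different identifiers for the same device in the same epoch,
    # and only governance can link either one back to the durable record.
    a = gov.scoped_identifier("sensor-0001", "analytics-vendor", "2024-01")
    b = gov.scoped_identifier("sensor-0001", "maintenance-app", "2024-01")
    out["scoped_ids_differ"] = a != b
    out["resolved"] = gov.resolve(a, "analytics-vendor", "2024-01")
    out["cross_scope_resolve"] = gov.resolve(a, "maintenance-app", "2024-01")
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The ordering of checks in `may_authenticate` is deliberate: the inventory and binding checks come first so that a device never reaches a cryptographic comparison unless governance already knows it, and the revocation reason is surfaced in the decision so that audit logs record which trigger fired rather than a bare refusal.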
What's in the full article
DigiCert's full article covers the practical policy and standards detail this post intentionally leaves for the source:
- How the article frames CE-mark conformity and EU regulatory expectations for connected devices
- Why the authors recommend standardized digital certificates for authentication, encryption, and authorization efficiency
- The specific role they assign to manufacturers, sellers, and regulators in device identity adoption
- Their examples of IoT devices as part of human, object, and robot identity control
👉 Read DigiCert's guest opinion on IoT device identity, conformity, and security →