TL;DR: Trusted IoT depends on explicitly trusted identities, mutual authentication, and data protection across users, services, and devices, according to DigiCert. The core issue is not cryptography alone but whether identity, certificate lifecycle, and chain-of-custody controls hold across the device-to-cloud path.
NHIMG editorial — based on content published by DigiCert: The Road Ahead for a Trusted IoT
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams govern trust for IoT devices across edge and cloud environments?
A: Treat every device as a governed identity with an owner, a certificate lifecycle, and a revocation path.
Q: Why do traditional network controls often fail in OT and IoT environments?
A: They assume frequent patching, stable connectivity, and fast containment, which do not match operational systems.
Q: What breaks when certificates are treated as static artefacts instead of managed identities?
A: Rotation, renewal, revocation, and ownership all become unclear, which lets trust outlive the system or person responsible for it.
Practitioner guidance
- Inventory all device and service identities: Map users, services, devices, certificates, and keys to a single ownership register so every connected entity has an accountable controller, renewal path, and revocation path.
- Bind trust to the full device lifecycle: Require onboarding, update, renewal, and decommission steps for every connected asset, including field devices and brownfield deployments that may operate in constrained or air-gapped conditions.
- Move OT security toward identity-first verification: Use mutual authentication, managed certificate lifecycles, and continuous trust checks so OT systems do not depend on perimeter controls that cannot scale with operational complexity.
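The ownership-register idea above, and the failure mode in the Q&A (trust outliving the person or system responsible for it), can be checked mechanically. The following is an added example, not DigiCert's or NHIMG's code: a stdlib-only audit over constructed register rows, with the device names, dates, owner list and 30-day renewal window all assumed for illustration.

```python
"""Audit a device identity register for trust that has outlived its owner or lifecycle.

Constructed example (not DigiCert's or NHIMG's code). Each row is one device
certificate as it would appear in an ownership register; names, dates and the
renewal window are assumptions made for illustration.
"""
from datetime import datetime, timedelta, timezone

def _ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-06-01T00:00:00Z (None stays None)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None

def audit_register(register, active_owners, now, renewal_window=timedelta(days=30)):
    """Return (device, finding) pairs for rows where trust is no longer governed.

    Findings: no accountable owner; certificate expired or inside the renewal
    window; a revoked certificate still being accepted; a decommissioned device
    still authenticating. Rows with no findings are silently healthy."""
    findings = []
    for row in register:
        dev = row["device"]
        not_after = _ts(row["not_after"])
        last_auth = _ts(row.get("last_auth"))
        revoked_at = _ts(row.get("revoked_at"))
        decom_at = _ts(row.get("decommissioned_at"))
        if row.get("owner") not in active_owners:          # ownership gap
            findings.append((dev, "orphaned: no accountable owner"))
        if not_after <= now:                                  # renewal never happened
            findings.append((dev, "expired certificate"))
        elif not_after - now <= renewal_window:               # renewal path must fire now
            findings.append((dev, "renewal due"))
        if revoked_at and last_auth and last_auth > revoked_at:
            findings.append((dev, "revoked certificate still accepted"))
        if decom_at and last_auth and last_auth > decom_at:
            findings.append((dev, "decommissioned device still authenticating"))
    return findings

# Constructed sample data: a fixed "now" keeps the audit reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACTIVE_OWNERS = {"ot-team", "iot-platform"}                   # assumed owner register
REGISTER = [
    {"device": "plc-017", "owner": "ot-team", "not_after": "2025-01-01T00:00:00Z",
     "last_auth": "2024-05-31T12:00:00Z"},
    {"device": "cam-203", "owner": "j.doe", "not_after": "2024-06-20T00:00:00Z",
     "last_auth": "2024-05-31T08:00:00Z"},                    # owner has left the org
    {"device": "gw-044", "owner": "ot-team", "not_after": "2024-03-01T00:00:00Z",
     "revoked_at": "2024-03-02T00:00:00Z", "last_auth": "2024-05-30T00:00:00Z"},
    {"device": "sensor-9", "owner": "ot-team", "not_after": "2026-01-01T00:00:00Z",
     "decommissioned_at": "2024-04-15T00:00:00Z", "last_auth": "2024-04-20T00:00:00Z"},
]

if __name__ == "__main__":
    for device, finding in audit_register(REGISTER, ACTIVE_OWNERS, NOW):
        print(f"{device}: {finding}")
```

Feeding the same logic real register exports (CA issuance records plus authentication logs) turns the "static artefact" problem into a daily list of identities that need an owner, a renewal, or a hard cut-off.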
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- How DigiCert maps identity and trust from the device layer through edge and multi-cloud deployment scenarios
- Specific industry examples of OEM onboarding, key and certificate lifecycle management, and secure OTA updates
- The article’s discussion of IT and OT workflow convergence in retail, healthcare, manufacturing, and defense
- The source’s treatment of chip-level trust versus transport and application-layer integration
👉 Read DigiCert’s analysis of trusted IoT, identity, and digital trust →
Trusted IoT and digital trust: what identity teams need to know
Explore further
Trusted IoT is really a chain-of-custody problem, not a device problem. The article’s strongest insight is that identity and trust must survive movement from silicon to transport protocol to application stack. That means the question is not whether a device has a secure element, but whether the trust anchor remains valid when the device starts exchanging data with services, analytics engines, and remote operators. The implication is that device governance cannot be separated from platform governance.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: How do IAM and NHI programmes support trusted IoT operations?
A: They provide the governance model for who or what can authenticate, how identities are issued, and when access must be removed. IoT expands NHI from service accounts into devices and operational systems, so lifecycle discipline, owner assignment, and trust validation have to span the entire connected estate.
👉 Read our full editorial: Trusted IoT depends on identity, certificates, and chain of custody