Balancing strict security policy enforcement with real-time connectivity requirements

We’re struggling to balance stringent security requirements with the low-latency connectivity needs of our IoT deployment on Cisco Kinetic Security. Our security team mandates TLS 1.3, mutual TLS authentication, and certificate revocation checking for all device connections, but these requirements are adding 200-400ms latency to each connection establishment.

For real-time applications like industrial automation and vehicle telemetry, this latency is unacceptable. I’m exploring tiered security policies where critical devices get full security enforcement while less-sensitive devices use lighter authentication. I’m also investigating hardware-accelerated encryption and certificate caching to reduce overhead.

What approaches have you used to maintain security without sacrificing real-time connectivity performance? How do you classify devices for risk-based security policies, and where should policy enforcement happen - at the edge gateway or cloud platform?

Risk-based device classification should consider multiple factors: device function, data sensitivity, network exposure, and potential impact of compromise. We use a scoring system where each factor contributes points, and the total score determines the security tier. Industrial controllers score highest (tier 1), environmental sensors lowest (tier 3). Review classifications quarterly as the threat landscape changes.

Tiered security policies are the right approach. We classify devices into three tiers: critical (industrial controllers), standard (sensors), and low-risk (environmental monitors). Critical devices get full mTLS with CRL checking, standard devices use mTLS with OCSP stapling, and low-risk devices use simple TLS with pre-shared keys. This reduced our average connection latency from 350ms to 80ms.
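The two replies above describe the same pipeline from opposite ends: a per-factor point score that decides a tier, and a tier that decides which handshake requirements a device gets. The following is an added example (not code from this thread, and not a Cisco Kinetic feature or configuration schema) that wires both together in Python. The factor weights, tier thresholds, policy field names and sample devices are assumptions chosen for illustration; the thread gives none of those values. Two checks a practitioner would want are included: an unknown factor value raises instead of scoring low, and an unclassified device falls into the strictest tier.

```python
"""Risk-based device tiering and per-tier TLS policy (added example)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    CRITICAL = 1   # full mTLS + CRL checking
    STANDARD = 2   # mTLS + OCSP stapling
    LOW_RISK = 3   # TLS with pre-shared keys


# Point values per factor. These weights are assumptions chosen for the
# example; the thread does not give the poster's actual numbers.
FUNCTION_POINTS = {"controller": 4, "actuator": 3, "telemetry": 2, "sensor": 1}
SENSITIVITY_POINTS = {"safety": 4, "operational": 3, "personal": 3, "environmental": 1}
EXPOSURE_POINTS = {"internet": 4, "cellular": 3, "plant_lan": 2, "isolated": 1}
IMPACT_POINTS = {"physical_harm": 4, "production_halt": 3, "data_loss": 2, "nuisance": 1}

# Tier thresholds on the 4..16 score range (also an assumption).
CRITICAL_MIN_SCORE = 12
STANDARD_MIN_SCORE = 8


@dataclass(frozen=True)
class Device:
    device_id: str
    function: str
    data_sensitivity: str
    network_exposure: str
    compromise_impact: str


def risk_score(d: Device) -> int:
    """Sum the four factor scores. An unrecognised value raises KeyError on
    purpose: a typo in inventory data must not silently score as low risk."""
    return (FUNCTION_POINTS[d.function]
            + SENSITIVITY_POINTS[d.data_sensitivity]
            + EXPOSURE_POINTS[d.network_exposure]
            + IMPACT_POINTS[d.compromise_impact])


def tier_for(d: Optional[Device]) -> Tier:
    """Map a device to a tier. An unclassified device (None) gets the
    strictest tier so that a gap in the inventory never relaxes security."""
    if d is None:
        return Tier.CRITICAL
    score = risk_score(d)
    if score >= CRITICAL_MIN_SCORE:
        return Tier.CRITICAL
    if score >= STANDARD_MIN_SCORE:
        return Tier.STANDARD
    return Tier.LOW_RISK


# Per-tier handshake requirements. The TLS version floor stays at 1.3 for
# every tier (the mandate in the question); only client authentication and
# revocation checking are relaxed. Field names are this example's own.
TIER_POLICY = {
    Tier.CRITICAL: {"min_tls": "1.3", "client_auth": "mtls", "revocation": "crl"},
    Tier.STANDARD: {"min_tls": "1.3", "client_auth": "mtls", "revocation": "ocsp_stapling"},
    Tier.LOW_RISK: {"min_tls": "1.3", "client_auth": "psk", "revocation": "none"},
}


def connection_policy(d: Optional[Device]) -> dict:
    """Return the handshake requirements a gateway should enforce for d."""
    tier = tier_for(d)
    return {"tier": int(tier), **TIER_POLICY[tier]}


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("plc-01", "controller", "safety", "plant_lan", "physical_harm"),
    Device("truck-17", "telemetry", "personal", "cellular", "data_loss"),
    Device("hvac-temp-3", "sensor", "environmental", "isolated", "nuisance"),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.device_id, risk_score(dev), connection_policy(dev))
    print("unclassified", connection_policy(None))
```

Because the score is additive, a single high-impact factor (for example "physical_harm") cannot on its own push a device into tier 1 under these thresholds; if that matters for your estate, add a rule that any factor at its maximum forces tier 1 rather than tuning the weights until it happens to work out.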

The hardware acceleration numbers are impressive. How do you handle certificate caching without compromising security? I’m concerned about caching revocation status - if we cache for too long, we might allow compromised certificates. What’s a reasonable cache TTL that balances security and performance?
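The caching question above comes down to three rules rather than one TTL number: a "good" answer is reusable only for the shorter of the responder's own validity window and a per-tier cap, a "revoked" answer is never refreshed back to "good", and anything that cannot be confirmed is treated as a deny. The following is an added example (not code from this thread, nor a Cisco Kinetic component) of a revocation-status cache built on those rules, in Python with a scripted responder and a fake clock so it runs offline. The per-tier caps, the simplified OCSP result shape and the sample fingerprints are assumptions for illustration.

```python
"""Bounded-TTL revocation status cache (added example)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class OcspResult:
    """Simplified responder answer: a status plus the validity window the
    responder signed (thisUpdate / nextUpdate in RFC 6960 terms)."""
    status: str          # "good" or "revoked"
    this_update: float
    next_update: float


@dataclass
class CacheEntry:
    status: str
    expires_at: float


# Upper bound on how long a "good" answer may be reused, per tier. Values are
# assumptions for the example, not a recommendation from the thread.
MAX_TTL_SECONDS = {"critical": 300.0, "standard": 3600.0, "low_risk": 86400.0}


class RevocationCache:
    """Reuses a "good" result for at most min(nextUpdate - now, tier cap).
    A "revoked" result is kept for the life of the cache and never refreshed.
    Anything unconfirmed is reported as "unknown" so the caller fails closed."""

    def __init__(self, fetch: Callable[[str], Optional[OcspResult]],
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch          # returns None when the responder is unreachable
        self._clock = clock
        self._entries: Dict[str, CacheEntry] = {}
        self.fetch_count = 0

    def status(self, cert_fingerprint: str, tier: str) -> str:
        now = self._clock()
        entry = self._entries.get(cert_fingerprint)
        if entry is not None:
            if entry.status == "revoked":
                return "revoked"            # revocation does not age out
            if now < entry.expires_at:
                return entry.status         # fresh "good" answer
        # Cache miss or stale entry: ask the responder.
        self.fetch_count += 1
        result = self._fetch(cert_fingerprint)
        if result is None or result.next_update <= now or result.this_update > now:
            # No answer, or an answer outside its signed validity window
            # (expired or replayed): do not extend the old entry.
            return "unknown"
        if result.status == "revoked":
            self._entries[cert_fingerprint] = CacheEntry("revoked", float("inf"))
            return "revoked"
        ttl = min(result.next_update - now, MAX_TTL_SECONDS[tier])
        self._entries[cert_fingerprint] = CacheEntry("good", now + ttl)
        return "good"


def allow_connection(cache: RevocationCache, fingerprint: str, tier: str) -> bool:
    """Only an affirmative "good" admits the device; "unknown" is a deny."""
    return cache.status(fingerprint, tier) == "good"


def simulate() -> List[Tuple[float, bool, int]]:
    """Drive the cache with a fake clock and a scripted responder (constructed
    data). Returns (time, allowed, responder fetches so far) per decision."""
    clock = [1000.0]
    responder: Dict[str, OcspResult] = {
        "cert-a": OcspResult("good", this_update=900.0, next_update=8100.0),
        # "cert-b" absent: the responder is unreachable for it at first.
    }
    cache = RevocationCache(lambda fp: responder.get(fp), clock=lambda: clock[0])
    out: List[Tuple[float, bool, int]] = []

    def step(t: float, fp: str, tier: str) -> None:
        clock[0] = t
        out.append((t, allow_connection(cache, fp, tier), cache.fetch_count))

    step(1000.0, "cert-a", "critical")   # miss: fetch 1, allowed
    step(1200.0, "cert-a", "critical")   # 200 s < 300 s cap: served from cache
    step(1400.0, "cert-a", "critical")   # past the cap though nextUpdate is hours away: fetch 2
    step(1400.0, "cert-b", "standard")   # responder unreachable: unknown, denied (fetch 3)
    responder["cert-b"] = OcspResult("revoked", 900.0, 9000.0)
    step(1500.0, "cert-b", "standard")   # revoked: denied and pinned (fetch 4)
    responder["cert-b"] = OcspResult("good", 900.0, 99999.0)
    step(9999.0, "cert-b", "standard")   # pinned revocation wins, no refetch
    return out


if __name__ == "__main__":
    for row in simulate():
        print(row)
```

The per-tier cap is what answers the TTL question in practice: the responder's nextUpdate bounds how long its signature vouches for the answer, and the cap bounds how long you are willing to not notice a revocation for that class of device. Keep the cap for tier 1 devices short enough that a revoked controller certificate is rejected within your incident response target, and let the lower tiers absorb the latency saving. The `this_update > now` check will misfire on a gateway with a badly skewed clock, which is a reason to monitor "unknown" counts rather than silently allow them.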