Sectigo Buys Embedded OEM And IoT Security Vendor Icon Labs

Buying Icon Labs extends Sectigo's private trust capabilities beyond issuing certificates and into updating, managing, renewing or revoking certificates.

Sectigo has purchased Internet of Things security provider Icon Labs to expand its private trust business beyond issuing certificates and get into verifying firmware and hardening devices.

The Roseland, N.J.-based web security vendor said the embedded tools offered by West Des Moines, Iowa-based Icon Labs are very compatible with Sectigo's PKI (public key infrastructure) offering, according to Jason Soroko, the company's CTO of IoT. Sectigo had been known as Comodo CA until November 2018.

"It's all about solving the tough problems," Soroko said. "IoT security is a big challenge. IoT device vendors need something that allow them to be both secure and economical."

[Related: Comodo CA Buys Website Disaster Recovery Startup CodeGuard]

Terms of the deal, which closed Friday, were not disclosed. Some of the Icon Labs management team is retiring as part of the acquisition, but the company's core technical team led by co-founder and CTO Alan Grau is moving over to Sectigo.

Icon Labs employs less than 10 people, Grau said, and has been focused for more than a quarter-century on providing secure software for embedded and IoT devices such as cars, medical devices, communications systems and factory-controlled systems.

Sectigo's private trust business was historically limited to issuing a certificate and handing it off to an OEM, but as special-purpose devices become more connected, Grau said businesses need to ensure that strong authentication and identity safeguards are in place. Icon Labs extends Sectigo's certificate capabilities beyond issuance and into updating, managing, renewing or revoking certificates, he said.

The on-premises Icon Labs offering, meanwhile, is sufficient in circumstances where the building control or factory control devices only need to talk with other devices in the same system, Grau said. But in order to facilitate communication between an iPhone or Android app and the factory control system, Grau said the public trust tools offered by Sectigo are vital.

"When it comes together, what we have is much more powerful than what we had before," Grau said.

The Icon Labs "walled garden" approach with self-signed certificates has been preferred by certain security-minded customers who prefer a purely on-premises approach, Soroko said. And there will always be some use cases—particularly in the government or manufacturing verticals—where a purely on-premises approach is the right way to go, according to Soroko.

But for the most part, Soroko said customers prefer the interoperability provided by Sectigo's cloud-based approach, and see the value of Icon Labs primarily around device hardening.

"We're able to solve really tough problems in security, and be flexible in ways we never were before," Soroko said.

Sectigo reached out to Icon Labs in February in response to customer interest in being able to provide more ongoing management around their certificates, Soroko said. The company had long enjoyed success around certificate issuance, and Soroko said customer inquiries sparked conversations around attempting to do more.

On the Icon Labs side, meanwhile, Grau said the company's small size meant that worldwide conglomerates and OEMs were sometimes hesitant to work with the company. At 125 employees, Sectigo is somewhat larger, according to LinkedIn. And Icon Labs customers are excited to get private and public trust offerings from a single vendor rather than having to partner with multiple suppliers.

Going forward, Grau said the combined company would like to apply Icon Labs' capabilities beyond embedded devices to address challenges around web servers and DevOps. IoT has expanded the definition of contained environments from more conventional facilities like factories and banks to include environments like airliners, ships or cars, according to Grau.

Being able to issue and manage short-term certificates in unconventional scenarios like an automobile attempting to communicate with highway infrastructure presents the combined Sectigo and Icon Labs organization with a tremendous opportunity, Grau said.

"We've now got a much more complete story, and that's really a compelling story for channel partners," Grau said.