GlobalSign Blog

Secure, Zero-Touch IoT Device Provisioning to the Cloud

A Proven Chip-to-Cloud Blueprint that Empowers IoT Device Operators and Systems Integrators

Bringing an IoT system and its devices securely online is no easy task. It remains a complex process that often requires the organizations operating the devices to stitch together solutions from multiple vendors, and it calls for expertise in several specialized domains:

  • a Hardware Security Module (HSM) – usually a trusted platform module (TPM) to initiate the chain of trust with an endorsement key, and secure all credentials
  • an IoT Public Key Infrastructure (PKI) for certificate-based identity, authentication, and encryption
  • an IoT/IIoT device manufacturer to integrate the blueprint during manufacturing
  • a Cloud Services provider to manage devices and their data at scale

Until now, IoT solution builders eager to launch secure IoT devices had to investigate each component in the IoT chain of trust and develop a proof of concept (PoC) to be validated prior to production. They had to research the appropriate resources, integrate with each independent domain, and hope that each domain was interoperable with the others. Sometimes that took an inordinate amount of time to accomplish. Other times it took additional resources and subject matter expertise that was lacking in their launch budgets or internal developer teams. It added tremendous expense that was often cost prohibitive, and almost always the proof of concept could not scale. Issues around certificate credential management, certificate protection and hardening, and production operations could not be resolved, prohibiting the organization from moving from PoC into production.

The unfortunate result was that IoT devices were launched without being secure, putting both device operators and end users at risk. And as anyone in the IoT industry is aware, the risk generated by unauthorized and unsecured devices is a genuine concern. It brings operational, financial, and potentially compliance and regulatory consequences that could cripple an organization.

Identifying the IoT security problem

Recognizing these unique challenges, four international and independent IoT domain experts collaborated to develop a solution: Infineon, GlobalSign, Eurotech and Microsoft Azure. The result is noteworthy: customers can now purchase a Eurotech Industrial IoT gateway with a GlobalSign embedded PKI identity that is protected by an Infineon TPM and capable of autoenrollment to the Azure cloud.

[Figure: device identity lifecycle scheme]

All companies had previously established trusted relationships with most of the partners in this collaboration, empowering the group to foster innovation. Each company contributed the requisite expertise to secure an IoT device literally from chip-to-cloud. It was an incremental process, where successful individual integrations were used as the groundwork. Expanding the integrations to include all partners was the key component that brought it all together. They started with a proof of concept, adopted industry standards, worked through multi-vendor integrations, and incorporated best practices to deliver a proven methodology that can be adopted by systems integrators and IoT device operators alike.

Global experts combine capabilities to advance IoT device security

Infineon, a German-based semiconductor, HSM and TPM manufacturer, is a leader in hardware-based security. Infineon and GlobalSign have a long history of collaboration. Most recently they teamed up to strengthen the trustworthiness of connected device identities to streamline enrollment to the Azure cloud. This included using Infineon’s TPMs to secure GlobalSign’s PKI credentials and using the GlobalSign certificate authority to cross-sign the Infineon TPM endorsement keys, resulting in a higher, more globally recognized level of digital identity assurance. In this partnership, the team is again relying on the cryptographic and secure storage capabilities of Infineon’s OPTIGA® TPMs for hardware-based protection of device identity credentials.

GlobalSign is a global Certificate Authority (CA) and leading provider of identity and security solutions for the IoT. Our IoT Edge Enroll enrollment service provisions device certificates through our PKI-based IoT Identity Platform, powered by our Atlas infrastructure. It uses the standards-based IETF RFC 7030 Enrollment over Secure Transport (EST) communication protocol and features automated provisioning. PKI-based IoT identity is the de facto identity credentialing mechanism for IoT security, and it contributes the software-based root of trust to this collaboration.

Eurotech is a leading multinational company that designs and develops embedded boards and modules, edge computers, High Performance Embedded Computing (HPEC) and IoT platforms to enable digital transformation. Eurotech and Infineon have also shared a long-term relationship, and in 2019 collaborated to include Infineon’s OPTIGA® TPM 2.0 chips in Eurotech’s multi-service IoT Edge gateways, helping to protect device identities. As the OEM in this partnership, Eurotech serves as the edge device integrator, assembling the device to include a certificate-authenticated identity from GlobalSign along with the hardware protection of the Infineon TPM. In 2019 Eurotech joined the Microsoft Azure Certified for IoT device catalog of pre-tested and verified products that ensures customers get IoT solutions up and running quickly. They have introduced embedded device identities on their ReliaGATE, DynaGATE and BoltGATE gateway devices that employ this partnership blueprint.

Microsoft Azure is the globally recognized Cloud Service Provider, whose open and flexible cloud computing platform enables IoT devices and their networks to launch, operate and scale, regardless of the compute or data storage requirements. Microsoft has established relationships with GlobalSign, Eurotech and Infineon to secure, simplify and streamline the onboarding of IoT devices to their Azure cloud.

In 2020 Microsoft and GlobalSign collaborated along with Infineon to strengthen and simplify enrollment to Azure. Their leading cloud services make Azure the preferred cloud provider for IoT.

Following the 802.1AR architectural standard

Strong, unique, and protected device identities are critical to IoT security. They also enable smooth enrollment to cloud services, which are the go-to platform for large-scale device deployment. But when the identity is embedded onto the device, there needs to be a mechanism that accounts for how the device’s lifecycle plays out. In other words, during manufacturing the device receives an identity. Once that device is sold and deployed, it needs a means to identify and authenticate itself inside its new, local operational network.

The remedy is a Device Identity (DevID) certificate architecture based on the IEEE 802.1AR standard. Initial device identities (IDevIDs) are the identities provisioned during manufacturing. They can then be used to authenticate the device once it is deployed and needs a local, operational identity (LDevID). Either IDevIDs or LDevIDs can be used for authentication during cloud enrollment, paving the way for automated, secure device enrollment to the cloud at scale.

A Proven Chip-to-Cloud Blueprint

Infineon, GlobalSign, Eurotech and Microsoft Azure have created what no other group has yet delivered – a secure, zero-touch IoT device provisioning to the cloud solution which operates at scale and that reduces the risk of supply chain compromise. Through proven integrations along the IoT device chain of trust, adoption of the 802.1AR specification, and the unambiguous domain expertise of each company, we’ve made it possible for IoT security to be implemented from the very beginning of a device’s lifecycle.

It’s a game changer that will likely have lasting impact on the overall number of IoT devices that can now include IoT security as part of their launch plan, securing their devices from chip-to-cloud. IoT solution builders benefit from the solution blueprint by reducing the complexity to a simple three-step process.

  1. Create a PKI account and receive ICA certificate
  2. Register ICA to cloud
  3. Provide custom device configuration and receive custom ordering code

[Figure: solution preview, three-step process]

Our new collaborative blueprint is a proven, interoperable proof of concept that helps IoT operators and systems integrators accelerate time to market, eliminate integration challenges, reduce the need for multi-domain expertise of their development teams, and reduce operational expense to secure IoT devices at scale.

Explore some of the links below to learn more. Watch our webinar, download our technical whitepaper, or read the individual company blog posts on the topic.
