How to Enable Secure, Zero-Touch Provisioning in IoT Deployments using CENTAURI 200
The Internet of Things (IoT) is spreading across the world, turning ordinary objects into smarter, connected devices, and more companies are now designing and building next-generation solutions on top of it. When implementing an IoT solution, the first concern that arises is strong security.
According to research, 95% of adopters have seen a project fail at the Proof of Concept (POC) stage because of the technical complexity of the many components involved, time-consuming processes, the high cost of scaling, and a lack of trust in scalability platforms.
Although several IoT platforms and cloud infrastructures are available, one of the major causes of these failures is the infrastructure and effort required to configure each device when onboarding it and establishing its communication with the cloud.
Each device needs its own unique certificate to authenticate to the cloud. To address this, ACL Digital, NXP and Microsoft introduced a Zero-Touch Provisioning solution that gives IoT devices a strong, hardware-backed identity and makes device onboarding and management simpler and lower-risk.
Zero-Touch Provisioning Solution
Let’s understand how we developed a zero-touch provisioning solution using the CENTAURI 200 IoT Gateway platform, integrated with NXP EdgeLock SE050 and Microsoft Azure Cloud. The process for onboarding an IoT device is divided into two parts –
Authenticate and Register the Device to Microsoft Cloud
Manually onboarding each device into an IoT network costs labor and the time needed to train personnel. To avoid this, the manufacturer loads one common configuration, identical for every unit and containing no per-device secrets, during production. Following the IEEE 802.1AR standard, the device then obtains its device identifiers: an Initial Device Identifier (IDevID) certificate, issued by the manufacturer for the lifetime of the device, and a Locally Significant Device Identifier (LDevID) certificate, issued for a specific owner or deployment. These device identifiers are globally unique and bound to keys held in the secure element.
The CA that issues these device identifier certificates is registered with the cloud up front, so the certificate chain a device presents can be validated without any per-device step. Once a device is powered on, it is onboarded to the cloud automatically and without human interaction, hence the name Zero-Touch.
Communicate with the Microsoft Azure Cloud to Run the User Application
Once a device is authenticated and registered, it connects to its assigned Azure IoT Hub instance and can use services such as the device twin and cloud-to-device messages, performing whatever operations the user application requires.
The CENTAURI 200 IoT Gateway integrates the NXP EdgeLock SE050, a discrete secure element (not a TPM). Its built-in cryptographic functions, together with the SE050 middleware that lets the host TLS stack use keys held in the chip, give the ACL Digital CENTAURI 200 a hardware-backed identity for connecting to cloud services. The combination of the CENTAURI 200 gateway and the SE050 achieves zero-touch provisioning through a collaboration between ACL Digital, NXP, GlobalSign and Microsoft: the device identifiers are obtained from the NXP and GlobalSign cloud services, and the devices are then onboarded to Microsoft Azure.
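The two parts above, registration through the Device Provisioning Service and the first IoT Hub exchange, seen from the device side, as an added example that is not ACL Digital, NXP or Microsoft code. The MQTT transport and the DPS service are replaced by an in-memory stub so the exchange runs offline, but the usernames and topic formats are the documented Azure DPS and IoT Hub MQTT ones. The client certificate is modelled as a dict standing in for the IDevID presented during the TLS handshake; the ID scope, hub name and device name are constructed.

```python
"""Device-side view of Azure zero-touch onboarding over MQTT (added example, offline).

StubDps stands in for the real service: one X.509 enrollment group keyed on the
issuing CA name. Certificates are modelled as {"cn": ..., "issuer": ...} dicts.
"""
import json
import re

DPS_API_VERSION = "2019-03-31"   # Azure DPS MQTT API version
HUB_API_VERSION = "2021-04-12"   # Azure IoT Hub MQTT API version


# ---- device side: DPS registration messages --------------------------------
def dps_username(id_scope, registration_id):
    """MQTT username on the DPS connection; the client certificate carries the auth."""
    return f"{id_scope}/registrations/{registration_id}/api-version={DPS_API_VERSION}"


def dps_register_request(rid, registration_id):
    """Topic and JSON body of the initial PUT registration request."""
    topic = f"$dps/registrations/PUT/iotdps-register/?$rid={rid}"
    return topic, json.dumps({"registrationId": registration_id}).encode()


def dps_poll_request(rid, operation_id):
    """Topic used to poll the assignment status after a 202 'assigning' reply."""
    return f"$dps/registrations/GET/iotdps-get-operationstatus/?$rid={rid}&operationId={operation_id}"


_RES = re.compile(r"^\$dps/registrations/res/(\d{3})/\?\$rid=(\d+)(?:&retry-after=(\d+))?$")


def parse_dps_response(topic, payload):
    """Split a DPS reply into (http_status, rid, retry_after_seconds, body)."""
    m = _RES.match(topic)
    if not m:
        raise ValueError(f"unexpected DPS topic: {topic}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), json.loads(payload)


def provision(dps, client_cert, id_scope):
    """Run the register/poll exchange; return (assigned_hub, device_id) or raise."""
    _username = dps_username(id_scope, client_cert["cn"])  # goes into the MQTT CONNECT
    rid = 1
    topic, body = dps_register_request(rid, client_cert["cn"])
    status, got_rid, retry, resp = parse_dps_response(*dps.handle(client_cert, topic, body))
    while status == 202:  # still assigning: a real device sleeps `retry` seconds, then polls
        rid += 1
        status, got_rid, retry, resp = parse_dps_response(
            *dps.handle(client_cert, dps_poll_request(rid, resp["operationId"]), b""))
    if got_rid != rid:
        raise ValueError("reply does not match our request id")
    if status != 200 or resp.get("status") != "assigned":
        raise PermissionError(f"DPS refused registration: HTTP {status} {resp}")
    state = resp["registrationState"]
    return state["assignedHub"], state["deviceId"]


# ---- device side: IoT Hub messages after assignment ------------------------
def hub_username(assigned_hub, device_id):
    """MQTT username on the IoT Hub connection, again authenticated by the same certificate."""
    return f"{assigned_hub}/{device_id}/?api-version={HUB_API_VERSION}"


def twin_get_topic(rid):
    """Publishing an empty message here asks the hub for the full device twin."""
    return f"$iothub/twin/GET/?$rid={rid}"


_TWIN = re.compile(r"^\$iothub/twin/res/(\d{3})/\?\$rid=(\d+)$")


def parse_twin_response(topic, payload):
    """Split a twin reply ($iothub/twin/res/{status}/?$rid={rid}) into (status, rid, twin)."""
    m = _TWIN.match(topic)
    if not m:
        raise ValueError(f"unexpected twin topic: {topic}")
    return int(m.group(1)), int(m.group(2)), json.loads(payload)


# ---- constructed stand-in for the DPS service ------------------------------
class StubDps:
    def __init__(self, trusted_issuer, assigned_hub):
        self.trusted_issuer = trusted_issuer   # CA uploaded to the enrollment group
        self.assigned_hub = assigned_hub
        self.pending = {}

    def handle(self, client_cert, topic, payload):
        """Answer one device publish with (response_topic, response_payload)."""
        rid = int(re.search(r"\$rid=(\d+)", topic).group(1))
        if client_cert["issuer"] != self.trusted_issuer:   # chain does not reach the enrolled CA
            return f"$dps/registrations/res/401/?$rid={rid}", b'{"message": "Unauthorized"}'
        if topic.startswith("$dps/registrations/PUT/"):
            reg_id = json.loads(payload)["registrationId"]
            if reg_id != client_cert["cn"]:                # registration ID must equal the cert CN
                return f"$dps/registrations/res/401/?$rid={rid}", b'{"message": "Unauthorized"}'
            op = f"op-{rid}"
            self.pending[op] = reg_id
            body = {"operationId": op, "status": "assigning"}
            return f"$dps/registrations/res/202/?$rid={rid}&retry-after=3", json.dumps(body).encode()
        op = re.search(r"operationId=([^&]+)", topic).group(1)
        reg_id = self.pending.pop(op)
        body = {"operationId": op, "status": "assigned",
                "registrationState": {"registrationId": reg_id, "assignedHub": self.assigned_hub,
                                      "deviceId": reg_id, "status": "assigned"}}
        return f"$dps/registrations/res/200/?$rid={rid}", json.dumps(body).encode()


if __name__ == "__main__":
    dps = StubDps("Example DevID CA", "centauri-hub.azure-devices.net")      # constructed
    idevid = {"cn": "centauri-0001", "issuer": "Example DevID CA"}            # constructed
    hub, dev = provision(dps, idevid, "0ne000AAAAA")
    print("assigned to", hub, "as", dev, "->", hub_username(hub, dev), twin_get_topic(1))
```

The point of the `while status == 202` loop is that DPS does not assign synchronously: the device must honour `retry-after` and poll the operation ID, and must treat anything other than a final 200 `assigned` as a refusal rather than retrying forever. Note that the device never holds a connection string; after assignment it simply reconnects to the returned hub with the same client certificate.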
How Zero-Touch Provisioning Ensures Chip-to-Cloud Security
The zero-touch provisioning process is anchored in the NXP SE050 secure element, which provides the root of trust at the chip level. The SE050 holds an independent Common Criteria EAL 6+ certification covering both the hardware and its operating system, and supports asymmetric algorithms with long key lengths (RSA up to 4096 bits) and future-proof ECC curves, including the NIST and Brainpool curves and the Ed25519 and X25519 curves.
The SE050's countermeasures protect the keys it holds against sophisticated non-invasive and invasive attacks, such as side-channel analysis, fault injection and physical probing. The secure element generates the device key pairs on chip and performs the signing operations needed to obtain the device identifier certificates, which are then stored on the chip as well.
The private keys behind these device identifiers never leave the SE050; the host can only use them through the SE050 secure library middleware, which hands the operation to the chip and receives the result. An attacker who compromises the gateway's host software therefore cannot extract or clone the keys, although they could still ask the chip to sign for as long as they control the host, which is why host integrity still matters. Cloud connectivity is driven by the device: the TLS handshake runs on the host processor, but the client-authentication signature is computed inside the secure element with the stored device identifier key. All cloud operations run over mutually authenticated TLS (TLS 1.2 or later, TLS 1.3 where both ends support it), which makes the connection even more secure.
Benefits of using Zero-Touch Provisioning as a Complete Solution
Strong Security Mechanism
Combining IEEE 802.1AR device identities with a secure element strengthens security: the device identifier certificates are obtained automatically, and the corresponding private keys are generated and kept inside the secure element. Together with mutually authenticated TLS, this makes the zero-touch onboarded device secure and robust.
Provisioning of a Gateway on Microsoft Azure Cloud
Microsoft Azure's Device Provisioning Service (DPS) onboards the gateway automatically. The certificate of the CA that issues the device identifiers is uploaded to DPS once, as an enrollment group, so every device that presents a certificate chained to that CA is authenticated during onboarding and assigned to an IoT Hub; DPS returns the assigned hub and device ID to the device. From then on, the devices can be managed through the device twin service.
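The PKI side of that enrollment, as an added example that is not ACL Digital, NXP, GlobalSign or Microsoft code: an 802.1AR-style DevID issuer CA built with openssl, one IDevID whose CN is the DPS registration ID, and the proof-of-possession certificate DPS requires before it trusts an uploaded CA. Keys are generated by openssl here as a stand-in for keys generated inside the SE050; the CA name, device name and verification code are constructed, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not vendor code): DevID CA, one IDevID, DPS proof-of-possession cert.
# Keys are generated by openssl as a stand-in for keys generated inside the SE050.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. Manufacturer's DevID CA. In production this key sits in an HSM, never on a gateway.
make_devid_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\nprompt=no\n[dn]\nO=Example Manufacturer\nCN=Example DevID CA\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.cnf"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/devid-ca.key"
  openssl req -x509 -new -key "$WORK/devid-ca.key" -days 7300 -config "$WORK/ca.cnf" -out "$WORK/devid-ca.pem"
}

# 2. One IDevID per device. The CN must equal the DPS registration ID (lowercase letters,
#    digits and '-'): DPS reads the registration ID from the leaf CN and, by default, uses
#    it as the IoT Hub device ID.
issue_idevid() {
  reg_id="$1"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$reg_id.key"
  openssl req -new -key "$WORK/$reg_id.key" -subj "/CN=$reg_id" -out "$WORK/$reg_id.csr"
  openssl x509 -req -in "$WORK/$reg_id.csr" -CA "$WORK/devid-ca.pem" -CAkey "$WORK/devid-ca.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/leaf.ext" -out "$WORK/$reg_id.pem" 2>/dev/null
}

# 3. Proof of possession. DPS issues a verification code for the uploaded CA; you sign a
#    throwaway certificate whose CN is that code and upload it back, proving you hold the
#    CA key (so nobody can enroll a CA certificate merely copied off a device).
make_pop_cert() {
  code="$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/pop.key"
  openssl req -new -key "$WORK/pop.key" -subj "/CN=$code" -out "$WORK/pop.csr"
  openssl x509 -req -in "$WORK/pop.csr" -CA "$WORK/devid-ca.pem" -CAkey "$WORK/devid-ca.key" \
    -CAcreateserial -days 1 -out "$WORK/pop.pem" 2>/dev/null
}

# Helpers: subject CN of a certificate, and chain validation against the DevID CA, which
# is the check DPS performs on the IDevID a device presents.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *CN=\([^,]*\).*/\1/'
}
verify_chain() { openssl verify -CAfile "$WORK/devid-ca.pem" "$1" >/dev/null; }

make_devid_ca
issue_idevid centauri-0001                 # constructed registration ID
make_pop_cert 8F3A1C9D2E4B                 # constructed verification code
verify_chain "$WORK/centauri-0001.pem"
echo "IDevID CN=$(cert_cn "$WORK/centauri-0001.pem") issued by CN=$(cert_cn "$WORK/devid-ca.pem") in $WORK"
```

Only `devid-ca.pem` and, after DPS hands out the code, `pop.pem` are uploaded to DPS; `devid-ca.key` never leaves the manufacturer, and on the real gateway the per-device key in step 2 is created and kept inside the SE050, with only the CSR leaving the chip.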
Cost Reduction
With a zero-touch provisioning solution, the cost of the IT infrastructure otherwise needed to authenticate every device and issue it the necessary certificates is reduced. The automated process removes manual effort, saving the labor cost and the time needed to train personnel for each project, which improves the overall productivity of delivering an IoT product.
Easy Deployment
Because the zero-touch provisioning groundwork is done during manufacturing, the devices connect to the cloud services automatically, without any manual configuration in the field. The user can therefore deploy an IoT network with minimal effort using this solution.