Employee
Over the last few years, many companies have moved their businesses and processes online. While there are many benefits to this, we’ve also seen a rapid increase in how complicated and important it has become for people to manage their credentials securely to all the different websites and services they use daily. Everything from email to social media to financial records revolve around the usage of credentials (usually a username and password) for access. Managing authorized access is a two-way street. The user needs secure credentials to make sure that unauthorized users aren’t using their services or accessing their data, and the server side needs to ensure that their website is protected from attack and the user credentials are secure.
The same challenges apply when the thing at the other end of the server is an IoT device, like a thermostat, a sensor or a video camera. Security is just as important for a device as it is for a person, and the cost of not doing things right can lead to headaches and extra unwanted expenses.
Current IoT Device Authentication is Complex, Costly and Time Consuming
In IoT, devices are typically given a unique identity in one of these ways:
- A device manufacturer inserts a common secret into the firmware of all devices in the factory. When the device first boots and connects to the product cloud, it gets updated it with a permanent unique credential (or certificate) based on some unique device identifier like a Serial Number or MAC Address. The main benefit to this approach is it’s free and easy to do, but if that shared secret is ever lost or compromised, then any malicious device can get access to the product cloud. Since these credentials are stored in device firmware, the only way to deprecate these credentials will have to wait until all the devices get flushed out of the supply chain. Since this isn’t practical, this approach has long-term security implications for any product company, so it is not recommended.
- A device manufacturer injects a unique software-based credential into memory at the factory or manufacturing line. This process is more secure but also more involved because each device has to have a unique secret or certificate injected into it, which means that each unit has to be individually touched. This is expensive because special equipment like a Hardware Security Module (HSM) have to be installed, maintained and secured on a potentially insecure facility. This can cost hundreds of thousands of dollars. Once the device has been uniquely identified in the factory, then the product cloud has to be updated, which requires a stable, secure Internet connection from the factory, wherever it’s located and whoever operates it. If things go wrong or steps are skipped, devices are bricked.
In my past experience as an IoT product manager, I’ve seen companies that have either to deployed complex infrastructure, or make cost-compromised ODM decisions based on trustworthiness or capability to manage this infrastructure, or even worse, assign the responsibility of managing certificates & credentials to a handful of trusted, expensive engineers who would prefer to be working on value creation activities, rather than infrastructure work like this.
Another challenge of both of these approaches is that they both impose inflexibility with ODMs and contract manufacturers. In an age where manufacturing portability is increasingly important, having contractors who have access to sensitive info may be an issue, especially for manufacturers of sensitive IoT products.
- Use of a hardware based secure element with a built-in unique X.509 certificate on the board. In this situation, the device provides tamper resistance and hardening against physical hacking. The benefit of this approach is that it provides additional security at the cost of a specialized chip. However, in many cases, the certificate may still need to be read out on the manufacturing line and injected into the product cloud over a secure Internet connection. All of this adds cost and complexity.
What if you could have all the benefits of (3) above without the requirement of having and maintaining a HSM or secure infrastructure in the manufacturing line? Such a solution would provide manufacturing portability and the added security of a hardware enabled certificate combined with the cost savings of not having to maintain an HSM and secure infrastructure.
CIRRENT™ Cloud ID: A Different, Simpler, Cost-Effective and Secure Approach
Today we’re announcing Cloud ID, a chip-to-cloud service that automates the process of cloud certificate provisioning and simplifies IoT device-cloud authentication. The service makes these tasks easier and more secure, while lowering companies’ total cost of ownership. Cloud ID helps entities manage their IoT device credentials and enable secure product to product cloud communications with a ease of use of (1) with the hardened security of (3) and closer to the cost structure of (1).
This diagram represents how simple, quick and secure how Cloud ID is in the manufacturing process.
This is especially important for verticals where security is a priority, like in Finance, Government or Access Control sector. We’re bringing to market a solution which has the simplicity of (1), but need the additional security of (3), provided at a cost structure that’s equal to or less than (2 or 3), but perhaps slightly more than (1).
CIRRENT™ Cloud ID leverages Infineon’s deep history in semiconductors and security, combined with the cloud capabilities of the CIRRENT™ console. The benefit of this approach is when the chips get installed into IoT products, such as video cameras and locks, customers can download the certificates into a manifest file or have the certificates automatically provisioned from the CIRRENT™ Cloud directly into the product cloud. There’s no need for an HSM on the factory floor or a secure, reliable Internet connection from wherever the factory is to the cloud. This approach saves a tremendous amount of operational and capital expense for both high-volume and low-volume manufacturers.
We will be announcing many more product details in the coming weeks, but for now, you can get started with Cloud ID using a virtual dev. kit. For more detailed directions, click here.
If you have any feedback or questions, please let us know.
Learn more about Cloud ID here.