IoT security from chip to cloud just got a lot more secure and far easier to attain. And that’s great news for IoT device manufacturers, operators, and system integrators.
Semiconductor provider Infineon Technologies is collaborating with GlobalSign to strengthen the trustworthiness of connected device identities in order to streamline enrollment into the Azure IoT Hub. The collaboration eases complex device identity integration challenges and delivers a proven methodology to include IoT device security literally from chip to cloud. The result is that the process of secure device enrollment into Azure cloud services is streamlined and simplified, delivering a secure, low-touch enrollment option.
How Does Security from Chip to Cloud Work?
It starts with hardware: an integrated circuit, specifically Infineon’s OPTIGA™ TPM SLM 9670 Trusted Platform Module (TPM), a secure crypto processor designed to provide data privacy and integrity. TPMs provide a hardware-based approach to managing user authentication, network access, and data protection, and follow strict specifications put forth by the Trusted Computing Group.
A TPM is born with a public/private key pair (referred to as an endorsement key) residing directly within chip memory, providing a trust pathway beginning with the manufacturer. It is a specialized microcontroller that can attest to the trustworthiness and authenticity of a system, providing a starting point for further credentialing. With near-ubiquitous deployment to modern computing platforms, a TPM becomes a core component of a variety of connected devices – everything from gateways and medical equipment to smart grids and industrial control systems – often authenticating machine-to-machine communication rather than an individual human user.
Cross-Signing Deepens Trustworthiness
Infineon operates a local, on-premise Certificate Authority (CA) and public key infrastructure that relies on each TPM’s endorsement keys to provision an endorsement certificate that is then embedded onto each TPM alongside the original endorsement keys. In order to attain a higher, more globally recognized level of digital identity assurance however, Infineon requires the partnership of a well-established, WebTrust audited Certificate Authority like GlobalSign to lend more stringent, universally accepted levels of trustworthiness to their TPM endorsement certificates.
GlobalSign is the world-class CA technology partner perfectly suited to harden Infineon’s chain of trust. System integrators or device operators can elect to seamlessly enroll fleets of devices at scale to Azure in a true zero-touch fashion using the cross-signed TPM endorsement certificate. Alternatively, they can choose to request operational certificates from GlobalSign’s registration authority, IoT Edge Enroll on our PKI-based IoT Identity Platform. Operational certificates are also referred to as Locally Significant Device Identifiers (LDevIDs) and can be issued at any stage in the lifecycle of the device to secure device identities downstream in the supply chain.
The WebTrust Principles and Criteria for Certification Authorities program is a global assurance service originally developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Today it is managed by the Chartered Professional Accountants of Canada, which is charged with auditing global, third-party commercial certificate authorities for compliance with strict principles and criteria. The criteria are consistent with standards developed by the American National Standards Institute (ANSI), the International Organization for Standardization (ISO), and the Internet Engineering Task Force (IETF).
The value and reliability of a WebTrust audited certificate authority is significant. The audit provides measurable proof that the Certificate Authority is operating under agreed upon industry standards and guidelines and is trusted to verify identity, provision digital certificates that attest to that identity, and manage the digital certificates representing that identity throughout their lifecycles. GlobalSign has been a WebTrust audited Certificate Authority since 1996.
Central to this solution then, is the cross-signing of Infineon’s on-premise CA by GlobalSign’s globally recognized and WebTrust audited CA, expanding the trustworthiness of the endorsement certificates that Infineon self-issues and flashes onto each of their TPMs, and making them verifiable up to a GlobalSign Root CA.
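To make the cross-signing described in this section concrete, here is a self-contained Go example written for this post; it is not code from Infineon, GlobalSign or the Trusted Computing Group, and every key, name and serial number in it is a constructed placeholder. It builds a root CA standing in for a publicly trusted root, a manufacturer CA whose key is certified twice (once self-signed, once by the root, which is the cross-signature), and one endorsement certificate issued by the manufacturer CA. It then checks that a relying party trusting only the root can verify the endorsement certificate exactly when the cross-signed certificate is available to complete the chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the constructed certificates. Nothing here is real PKI material.
//
//	manufacturer CA key --self-signed----> MfrSelfSigned (manufacturer's own PKI)
//	manufacturer CA key --signed by Root-> CrossSigned   (same key, second certificate)
//	TPM endorsement key --signed by mfr--> EK            (endorsement certificate)
type Chain struct {
	Root          *x509.Certificate // stands in for a publicly trusted root
	MfrSelfSigned *x509.Certificate // manufacturer CA, self-issued
	CrossSigned   *x509.Certificate // manufacturer CA key, certified by Root
	EK            *x509.Certificate // endorsement certificate for one TPM
}

// issue signs tmpl for pub with the parent's private key and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate returns a 10-year CA certificate template with the given placeholder name.
func caTemplate(serial int64, cn string, notBefore time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildChain generates fresh P-256 keys and all four certificates.
func BuildChain() (*Chain, error) {
	start := time.Now().Add(-time.Hour)
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	mfrKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ekKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}

	rootTmpl := caTemplate(1, "Constructed Root CA", start)
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}

	// The manufacturer CA key gets two certificates: its own self-signed one and a
	// cross-signed one issued by the root. The second is what lets a relying party
	// that trusts only the root reach the key that signs endorsement certificates.
	mfrTmpl := caTemplate(2, "Constructed TPM Manufacturer CA", start)
	mfrTmpl.MaxPathLen, mfrTmpl.MaxPathLenZero = 0, true // may only issue end-entity certificates
	mfrSelf, err := issue(mfrTmpl, mfrTmpl, &mfrKey.PublicKey, mfrKey)
	if err != nil {
		return nil, err
	}
	mfrTmpl.SerialNumber = big.NewInt(1001) // issued by a different CA, so a different serial
	crossSigned, err := issue(mfrTmpl, root, &mfrKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}

	// Endorsement certificate: binds the TPM's endorsement public key to the manufacturer.
	// Real EK certificates carry TCG-defined attributes; this one uses a placeholder name.
	ekTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "Constructed TPM Endorsement Key"},
		NotBefore:    start,
		NotAfter:     start.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	ek, err := issue(ekTmpl, crossSigned, &ekKey.PublicKey, mfrKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, MfrSelfSigned: mfrSelf, CrossSigned: crossSigned, EK: ek}, nil
}

// VerifyEK checks ek against a trust anchor, using whatever intermediates the
// relying party has been handed. Returns nil when a valid chain exists.
func VerifyEK(ek, trustAnchor *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := ek.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // an EK cert is not a TLS cert
	})
	return err
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("manufacturer PKI only:        ", VerifyEK(c.EK, c.MfrSelfSigned))
	fmt.Println("public root, no cross-cert:   ", VerifyEK(c.EK, c.Root))
	fmt.Println("public root with cross-cert:  ", VerifyEK(c.EK, c.Root, c.CrossSigned))
}
```

The first and third checks succeed and the second fails: the endorsement certificate is unchanged in all three, and only the presence of the cross-signed certificate lets a verifier that trusts the root alone build a path to the manufacturer's issuing key.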
Faster, Easier Connection to Azure Cloud
So how does this deeper level of assuredness and trust facilitate and speed enrollment to Azure IoT Hub and Device Provisioning Service? Once again, it’s all about device identity. Each device enrolled into Azure requires a strong, unique, authenticated device identity for entry. Without it, enrollment is denied.
For connected devices manufactured without pre-authenticated microcontroller identities like Infineon’s OPTIGA™ TPM SLM 9670, the path necessary to provision a unique device identity is lengthy. It often entails establishing PKI and CA integrations, which can prolong development schedules and burden budgets for systems integrators, as well as delay go-to-market strategies for device operators.
The cross-signed TPM certificates deliver a low-touch option for Azure enrollment. They provide the proper level of trustworthiness needed to meet Azure device authentication policies, minimizing the effort needed for system integrators and device operators to securely enroll their devices into Azure.
The credibility and reach of the cross-signed TPM endorsement certificate extends beyond the initial TPM production run, to secure the TPM as it gets assembled into an electronic component, which in turn gets assembled into a connected smart device, which in turn is sold and deployed in the field. In fact, including the cross-signed TPM as a device component early in a product’s design ensures that authentication can be performed throughout the remaining device lifecycle stages. Original Design Manufacturers (ODMs), Original Equipment Manufacturers (OEMs), programmers at electronic manufacturing services (EMSs), and device operators at deployment and even post-deployment experience a minimum of programming and integration effort.
The Infineon and GlobalSign partnership delivers a faster, easier connection to Azure; one that is streamlined and simplified while maintaining commercial grade levels of assurance that uphold IoT security best practices.