What does an IoT platform consist of: authentication and security

Man

A modern IoT network is a fleet of thousands or millions of devices in which everything is automated: launch, management, identification, the security system, access rights, replacement of failed devices, and so on. The world plans to release 150,000 new IoT devices per minute. Such a fleet cannot be managed manually.

Management platforms

To manage an IoT network, specialized platforms such as Balena or Ubuntu IoT Device Management are deployed.

The management platform can establish a connection with a device, obtain information about its state and, in some cases, change the state of the device. Such solutions are often delivered as software or as a platform as a service (PaaS).

The diagram roughly illustrates the composite models of a modern containerized PaaS platform for IoT.

[Figure: composite model of a containerized PaaS platform for IoT]


Global IoT platforms are often managed via public clouds, while industrial devices are usually connected to on-premises platforms with stricter security requirements.

The functions of IoT management platforms can range from simple messaging between devices to performing complex operations such as updating software and tuning AI models on specific devices.

Monitoring connected devices is just the beginning. As the number of devices gradually increases, the management platform grows and evolves with it. The variety and complexity of technology increases exponentially. This determines the need for advanced platforms that not only perform monitoring, but also use all the technical capabilities of the devices.

One of the most important functions of modern IoT platforms is authentication and security as part of the lifecycle management of device identifiers, i.e. IoT Identity.

Authentication and Security

Throughout the lifecycle of devices, IoT Identity supports a range of operations, including certificate and key management, token issuance, and secure code signing.

If the platform is installed directly at the device manufacturer, the IoT Identity system is also applied straight from the assembly line.

[Figure: IoT Identity (PKIaaS) platform at a smart meter manufacturer]

The components in the diagram are:
  1. Production CA
    This certification authority (the CA in the diagram) signs endpoint keys. The server generates a unique public/private key pair for each endpoint and submits certificate signing requests (CSRs) in batches. The CA returns signed endpoint certificates, which are distributed to all production locations.
  2. Firmware signing CA
    This CA issues the firmware signing certificate. It is another element of the trust hierarchy, but it lives in a secure cloud environment and is accessed very rarely and only by authorized persons.
  3. Code Verification CA
    This CA issues certificates for individual devices that may interact with millions of endpoints. A unique key pair is generated for each device, the public key is sent to the CA for signing, and the certificates are distributed dynamically to endpoints so that they can verify signed critical commands (for example, over proprietary vendor network interfaces).
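The three tiers above can be exercised end to end with nothing but Go's standard library. The program below is an added example written for this post; it is not code from the post, from GlobalSign or from any other vendor named here, and every name in it ("Demo IoT Root", "Demo Production CA", "meter-0001", the firmware bytes) is constructed. It builds a root, a production CA that enrols an endpoint from a CSR, and a firmware signing CA with a leaf signer; the endpoint side then verifies a firmware image by first chaining the signer to its pinned root (with the code-signing extended key usage) and only then checking the signature. One deliberate difference from the post's description: here the endpoint generates its own key pair and sends only a CSR, so the private key never leaves the device; the same verification path applies to the signed critical commands of the Code Verification CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors (key generation, demo CA creation) to keep that
// code short; the enrolment and verification paths below return errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// identity pairs a certificate with its private key.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// pki is the constructed hierarchy: offline root, production CA, firmware CA and its leaf signer.
type pki struct{ root, prodCA, fwCA, fwSigner *identity }

// issue certifies pub with signerKey; a nil signerCert makes the template its own issuer (root).
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, pub any, signerCert *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: eku,
	}
	if signerCert == nil {
		signerCert = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newIdentity generates a P-256 key and has parent certify it (self-signed when parent is nil).
func newIdentity(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *identity) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	var signerCert *x509.Certificate
	signerKey := key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	return &identity{must(issue(cn, isCA, eku, &key.PublicKey, signerCert, signerKey)), key}
}

// buildPKI stands up the three tiers; every name is constructed for the demo.
func buildPKI() *pki {
	root := newIdentity("Demo IoT Root", true, nil, nil)
	fwCA := newIdentity("Demo Firmware Signing CA", true, nil, root)
	signer := newIdentity("Demo Firmware Signer", false, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, fwCA)
	return &pki{root, newIdentity("Demo Production CA", true, nil, root), fwCA, signer}
}

// makeCSR runs on the endpoint: the private key stays on the device; only a signed CSR leaves it.
func makeCSR(cn string) ([]byte, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return must(x509.CreateCertificateRequest(rand.Reader, req, key)), key
}

// enrollEndpoint is the production CA's side: check proof of possession, then certify the key for client auth.
func (p *pki) enrollEndpoint(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	return issue(csr.Subject.CommonName, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, csr.PublicKey, p.prodCA.cert, p.prodCA.key)
}

// signFirmware produces an ASN.1 ECDSA signature over SHA-256(image).
func (p *pki) signFirmware(image []byte) []byte {
	digest := sha256.Sum256(image)
	return must(ecdsa.SignASN1(rand.Reader, p.fwSigner.key, digest[:]))
}

// verifyFirmware is what an endpoint runs before installing an update: the signer must chain to the
// pinned root through inters with the code-signing EKU, and only then is the signature checked, so a
// signer from a foreign hierarchy is rejected even when its signature over the image is valid.
func verifyFirmware(root *x509.Certificate, inters []*x509.Certificate, signer *x509.Certificate, image, sig []byte) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("firmware signer not trusted: %w", err)
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, image, sig); err != nil {
		return fmt.Errorf("firmware signature invalid: %w", err)
	}
	return nil
}

func main() {
	p := buildPKI()
	csr, _ := makeCSR("meter-0001") // constructed device name
	fmt.Println("enrolled:", must(p.enrollEndpoint(csr)).Subject.CommonName)
	image := []byte("constructed firmware image v1.2.3")
	fmt.Println("firmware:", verifyFirmware(p.root.cert, []*x509.Certificate{p.fwCA.cert}, p.fwSigner.cert, image, p.signFirmware(image)))
}
```

The order inside verifyFirmware is the point worth copying: a device that checks the signature before establishing that the signer is trusted will happily accept an image signed by any key whose certificate is shipped next to it. Pinning only the root on the device and shipping intermediates with the update is what lets the firmware CA stay offline and rarely touched, as the post describes.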

Recently, the analyst firm ABI Research published an independent analysis of IoT Identity platforms.

The rating is based on the most relevant aspects of IoT implementation, including security, identity management, network deployment, partner ecosystem size, and intelligent automated services.

The ABI Research report included eight certification authorities (CAs) operating in this market. Based on the assessment results, the companies were divided into three groups:
  • Market leaders: Device Authority, Entrust, Digicert, GlobalSign
  • Mainstream: HID Global, Sectigo
  • Followers: WISeKey, Nexus

The authors of the report note that market leaders offer not only a standard ecosystem but also services focused on specific IoT applications: additional digital certificate options (besides X.509) and non-standard management methods that take bandwidth restrictions and specific connection requirements into account. “Ultimately, users get the ability to customize their IoT Identity system themselves,” commented Dimitrios Pavlakis, Senior Analyst for IoT and Digital Security at ABI Research, on the results of the study.

The ecosystem of the market leaders includes a variety of service options that adapt to different IoT architectures, device specifications and application needs: modern and legacy technology stacks (greenfield and brownfield), containers and serverless options, and agentless deployments. The solutions suit different markets, industries and hardware, and can integrate with any chip on any architecture.

The ABI Research report specifically mentions the GlobalSign IoT Edge Enroll platform, a first-of-its-kind Registration Authority as a Service (RaaS) for identifying and authenticating certificate applicants.

A Registration Authority (RA) delivered as a cloud-based, managed service is a new approach to a problem that many device manufacturers and operators face.

In short, Edge Enroll is a key component of the IoT Identity Platform: a scalable, high-performance certificate issuance engine for IoT device manufacturers and operators looking for a turnkey RA solution that is reliable, available and scalable. They get a well-designed commercial registration authority at a fraction of the cost of on-premises setup, management and maintenance.
