Provisioning for true zero-touch secure identity management for IoT

Published on September 25, 2017

Senior Program Manager

When you’re on a mission to deliver an awesome, complex IoT experience, the last thing you want to be doing is babysitting device identities at any stage of your solution. If you’re building a smart vehicle experience, you want to be thinking about fleets, services, and operational telemetry, not about how to transfer vehicle identities between owners, renters, insurance companies, and service providers. If you’re developing for a mobile factory experience like a cruise ship or an airline, you want to be thinking about geography-optimal predictive maintenance, not about cloud connection points and sovereign-cloud-specific requirements. How you provision your IoT devices makes a world of difference to operational efficiency. Provisioning for true zero-touch secure identity management is the promise to minimize operational burden and maximize focus on the experience.

Until now, most claims of zero-touch provisioning have been about giving devices identities to connect to a cloud. What happens thereafter has largely been a mystery relegated to the IoT solution developer. Developers of complex solutions are often left with no choice but to hack custom accommodations into their backends or manually manage the hand-off of device identities in operations. Both options are costly and burdensome, and most of all, they detract focus from the envisioned experience. Shouldn’t secure device identity and complete lifecycle management be a scalable building block in the IoT solution developer’s toolbox, so they can focus just on the IoT experience?

Well, we believe it should. Microsoft has been building towards answering this very question, and in the past few months has collaborated with partners to make this a reality. The solution starts by anchoring trust in secure silicon, from which standards are used to derive device-unique certificate identities that are ingested, authenticated, and lifecycle-managed at scale by Azure Device Provisioning Service (DPS).

Earlier this year, as part of Microsoft’s commitment to IoT security, we announced adoption of the Trusted Computing Group’s DICE standard and new HSM partners committed to making DICE hardware available. We now extend this announcement to welcome Microchip into the fold. Microchip has made the availability of DICE hardware a reality through its CEC1702 family of secure silicon chips and its evaluation kit offering. You may also learn about this offering from the Azure IoT Catalog and purchase directly from the Microchip website. Designed for security and trust from the ground up, CEC1702 roots trust in secure silicon hardware and implements the DICE standard to generate device-unique certificate identities that are trusted by any cloud service, including Azure DPS.

Azure DPS takes it from here to fully realize provisioning for truly zero-touch secure identity management across the lifecycle of IoT devices. DPS extends trust from the secure silicon hardware into the cloud domain, where it creates registries to facilitate managed identity services including location, mapping, aging, and retirement. This wealth of capability is exposed to IoT solution developers as simple routing rules, so they can keep their full attention on the IoT experience they are creating. They only need to add DPS-compliant secure hardware such as the CEC1702 to their IoT devices.
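To make concrete what "rooting trust in silicon and deriving a device-unique identity" means, and what a provisioning service then checks, here is an added Python illustration. It is not code from Microsoft, Microchip, or the CEC1702 firmware. It follows the DICE rule that the Compound Device Identifier is CDI = HMAC(UDS, hash of the first mutable code); everything else is an assumption made for the example: the HMAC-based seed derivation standing in for the device's asymmetric key generation, the constructed UDS and firmware bytes, the toy enrollment registry, and the function names. In a real DICE device the firmware measurement travels inside the alias certificate rather than as a plain field.

```python
import hashlib
import hmac

# Constructed sample values (not real device data): a per-device Unique Device
# Secret (UDS) burned into silicon, the first mutable code (DICE layer 0) that
# the hardware measures, and two application firmware images on top of it.
UDS = hashlib.sha256(b"constructed UDS for device #1").digest()
LAYER0_CODE = b"constructed layer-0 boot code v1"
FIRMWARE_V1 = b"constructed application firmware v1"
FIRMWARE_V2 = b"constructed application firmware v2"


def compound_device_identifier(uds: bytes, first_mutable_code: bytes) -> bytes:
    """DICE: CDI = HMAC(UDS, H(first mutable code)).

    The hardware computes this once at power-on and then latches the UDS so
    that no later code can read it; only the CDI is handed to layer 0.
    """
    measurement = hashlib.sha256(first_mutable_code).digest()
    return hmac.new(uds, measurement, hashlib.sha256).digest()


def derive_seed(cdi: bytes, label: bytes, context: bytes = b"") -> bytes:
    """HMAC-based derivation (assumption: stand-in for the device's KDF; a real
    device feeds such a seed into asymmetric key generation)."""
    return hmac.new(cdi, label + context, hashlib.sha256).digest()


def device_identity(uds: bytes, layer0_code: bytes, firmware: bytes) -> dict:
    """Return the two DICE-style identities a device presents.

    device_id: derived from the CDI only, so it is stable across firmware
               updates; this is what the cloud enrollment is keyed on.
    alias:     additionally bound to the firmware measurement, so it changes
               whenever the firmware changes.
    """
    cdi = compound_device_identifier(uds, layer0_code)
    firmware_measurement = hashlib.sha256(firmware).digest()
    return {
        "device_id": derive_seed(cdi, b"DeviceID").hex(),
        "alias": derive_seed(cdi, b"Alias", firmware_measurement).hex(),
        "firmware_measurement": firmware_measurement.hex(),
    }


def enroll(registry: dict, identity: dict, expected_firmware: bytes) -> None:
    """Record what the provisioning service expects for this device
    (constructed stand-in for an enrollment record, not the real DPS API)."""
    registry[identity["device_id"]] = hashlib.sha256(expected_firmware).hexdigest()


def provisioning_decision(registry: dict, identity: dict) -> str:
    """Classify a presenting device as 'accept', 'unknown-device' or
    'firmware-mismatch' based on the enrolled DeviceID and firmware."""
    expected = registry.get(identity["device_id"])
    if expected is None:
        return "unknown-device"
    if not hmac.compare_digest(expected, identity["firmware_measurement"]):
        return "firmware-mismatch"
    return "accept"


if __name__ == "__main__":
    registry = {}
    genuine = device_identity(UDS, LAYER0_CODE, FIRMWARE_V1)
    enroll(registry, genuine, FIRMWARE_V1)
    print("genuine device:", provisioning_decision(registry, genuine))

    # Same silicon, updated firmware: DeviceID unchanged, alias changes.
    updated = device_identity(UDS, LAYER0_CODE, FIRMWARE_V2)
    print("after firmware update:", provisioning_decision(registry, updated))

    # Same firmware, different silicon (different UDS): never enrolled.
    other_uds = hashlib.sha256(b"constructed UDS for device #2").digest()
    other = device_identity(other_uds, LAYER0_CODE, FIRMWARE_V1)
    print("different chip:", provisioning_decision(registry, other))

    # Same silicon, modified layer-0 code: the derived DeviceID itself changes.
    tampered = device_identity(UDS, b"modified layer-0 boot code", FIRMWARE_V1)
    print("modified boot code:", provisioning_decision(registry, tampered))
```

The property worth noticing is the one the post relies on: the UDS never leaves the silicon, and enrollment only needs the public identity the chip derives for itself. Modified boot code produces a DeviceID the registry has never seen, while a legitimate firmware update keeps the DeviceID and changes the alias, so the service can tell "unknown device" apart from "known device running unexpected firmware" and route each case differently.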

IoT has evolved to the stage where connecting to a cloud is no longer a novelty. Secured and lifecycle-managed device identity should just be another component of the IoT developer’s standard toolbox. Microsoft, in collaboration with secure silicon partners, is making this a reality. To learn more about Azure Device Provisioning Service, please visit our tutorial documentation.