Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Invent 2017

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
SECURE YOUR EDGE-TO-CLOUD IOT
SOLUTION WITH INTEL & AWS
S e s h S e s h a g i r i , S r . D i r e c t o r / G M , I n t e l I o T G r o u p

H o w l o n g d o e s i t t a k e
t o s e c u r e l y o n b o a r d 1 1 0 , 0 0 0
I o T l i g h t b u l b s ?
1. Assumes out-of-box to securely streaming data
to an IoT Platform
A n s w e r :
O v e r 2 m a n y e a r s

MANUAL IOT ONBOARDING IS SLOWING
ADOPTION
D e v i c e a r r i v e s o n - s i t e
T e c h n i c i a n i n s t a l l s ,
t u r n s o n d e v i c e
M a n u a l p r o v i s i o n i n g
I T b a c k e n d a c c e p t s d e v i c e
c r e d e n t i a l s a n d c o n n e c t s i t
t o d e v i c e m a n a g e m e n t
s y s t e m
D e v i c e s t a r t s w o r k i n g
§ Major Barrier for IoT - Only
way we get to 50B devices by
2020 is automation.
Tremendous ROI drag.
§ Missing Element for Security –
Must solve Mirai style attacks:
“ship default passwords” for
headless devices and users.
§ Privacy - Need to preserve
device anonymity.
§ Traditional PKI Identity - Still
has role to play for IoT but is
too heavyweight and costly to
embed in hardware at scale.
1
2
3
4
5
Ecosystem wants automated “SIM” like” approach that ties identity to platform initiated activation. No-one is solving.

IOT SECURITY IS ESSENTIAL TO SCALE IOT
DEPLOYMENTS
Isolation and added
protections of HW security
has recognized role
Barrier to IoT Adoption1 Most Important Items for IoT Platform2
Hackers exploiting
poor device security
1. No device can be absolutely secure. 2. Gartner 2016 IoT Backbone Survey. 3. Trusted Computing Group: What Embedded and IoT Developers Think About IoT Security.
Pattern to secure and
role of HW is defined
HW security moving from
shadows to key RFP request
H W S e c u r i t y i s a n
I o T P r i o r i t y
N e w S p e c s C u s t o m e r R e q u i r e m e n t
1#
Hardware
Security
RFPDevice
Security Solutions designed-in to hardware are keys to accelerating adoption and scale.

TRUSTED IOT ONBOARDING IN SECONDS
§ A u t o m a t e d
§ S e c u r e
§ I n s e c o n d s
IOT
PlatformEPID
Identity
PROVISION
AND MANAGE
P l a c e , P o w e r ,
P r o v i s i o n
Onboard Service
Hardware
Security
Device
ATTEST IDENTITY
ZERO
TOUCH
Intel® Secure Device Onboard drives scalability to move POCs to production. Increases devices in use.
I n t e l ® S e c u r e D e v i c e O n b o a r d

I n t e l ® S e c u r e D e v i c e
O n b o a r d E n a b l e s
I o T S c a l a b i l i t y t o B i l l i o n s
o f D e v i c e s
§ Takes seconds at power on
§ Provisions dynamically to
customer’s IoT platform of choice
§ Hardware secured
§ Designed-in, ready for Device ODMs
D e v i c e
M a n a g e m e n t
P l a t f o r m s
P l a c e , P o w e r ,
P r o v i s i o n

INTEL® ENHANCED PRIVACY ID
I m m u t a b l e I d e n t i t y f o r E v e r y D e v i c e

I n t e l ® E n h a n c e d P r i v a c y I D ( I n t e l ® E P I D )
Target/key problem
For IoT device
manufacturers
and service providers
who need to secure
their IoT offerings
Solution
EPID is the IoT Identity
HW Root of Trust that
immutably identifies
an IoT device
Open international standard created by world renown cryptographers. Solves privacy for IoT.
1. No device can be absolutely secure.
Differentiation
§ Scales with IoT
§ Preserves privacy
§ Simplifies certificate management
Supports distributed, direct device-to-
service trust, eliminating a centralized,
3rd-party trust authority, with its single
point of vulnerability and potential
vendor-lock
§ Pre-provisioned before 1st boot
§ Use as a best practice identity for device
onboarding to set up secure1 anonymous
channel
DESIGNED IN FOUNDATION – DEVICE HW
IDENTITY
EPID
Identity
“ E v e r y o n e i n o u r f i r s t m e e t i n g s i s c o n c e r n e d
w i t h s e c u r i t y , b u t w h e n i t c o m e s t o o n b o a r d i n g
d e v i c e s t h e y g e t i m p a t i e n t a n d s k i m p o n
s e c u r i t y . T h e y d o n ’ t s e e c o n s e q u e n c e s u n t i l i t s
t o o l a t e . ”
– Sr Systems Architect, Major Industrial Manufacturer

CREATED FOR IOT…PROVEN AT SCALE1
§ TCG/ISO standard with privacy
preserving group authentication
scheme- UNIQUE and
IN-DEMAND
§ Used to open secure,
authenticated channel for
remote attestation and
authentication
§ Open source SDK
§ Proven - 2.7 billion keys
inherently distributed with Intel
platforms
Pvt-Key 1 Pvt-Key 2 Pvt-Key X…
Intel® EPID
EPID vs. PKI
Traditional PKI
1-to-1 key match,
standard signature
every time
Pvt-Key
1-to-many key match,
unique signature every
time, ANONYMOUS
Baseline Minimum
HW Root of Trust
HW Identity
Attest SW
Secure App
Container “TEE”
Prevents Attack Mapping- Protects device
data vs PKI that reveals data to hack device
Enables customers to deliver many use cases where privacy and attestation are key requirements
EPID
Identity
“ I n t e l E P I D ® u n i q u e l y c o m b i n e s v e r i f i a b l e h a r d w a r e
s e c u r e d i d e n t i t y w i t h p r i v a c y p r e s e r v i n g c a p a b i l i t i e s
a n d t h e f l e x i b i l i t y t o m e e t t h e n e e d s o f c h i p m a k e r s ,
O E M s , c h a n n e l p a r t n e r s , a n d u s e r s . W e s e e I n t e l ®
E P I D t e c h n o l o g y a s a p p l i c a b l e t o m a n y d i f f e r e n t I o T
u s e c a s e s a n d i d e n t i t y s c e n a r i o s . ”
- Steve Hoffenberg, Director of Industry Analysis for IoT, VDC
Research

EPID 2.0 ECOSYSTEM ENABLEMENT
Intel® Trust
Services
Infrastructure
§ Certificate Path
Validation
§ Revocation Lists
Verifier
Issuer (Intel)
Private
Keys 1.. n
Chip
OEM
Device
OEM
Group
Issuing
Private
Key
Group
Public
Key
Group
Private
Key
Inherent Key
Distribution
CLOUD
SERVICEIntel ®EPID Attestation
Member
(Edge Device)

A SUPERIOR OUT-OF-BOX CUSTOMER
EXPERIENCE “Zero Touch” onboarding
§ Separate roles of installer/network controller
‐ Installer: plugs in machine, verifies location
‐ Network controller: takes control of device over
network
§ Proxy Installation by Cloud Service
‐ Owner chooses which Cloud Service by presenting
them
his digital ownership proxy
‐ New device automatically provisioned to user’s account
in a cloud service as part of the sales transaction
User doesn’t have to configure passwords, keys, GUIDs
Privacy of sales and installations (No Attack Maps)
§ Adversary cannot trace devices from factory to owner
to owner (blockchain opportunity)
§ EPID establishes anonymous secure channel where
endpoint authentication is hidden—unlike traditional
PKI where its traceable
Device Drop-Ship
from Factory
Connect Power,
Internet
Device is
automatically
onboarded to the
customer’s IoT
Platform account

H o w I t W o r k s
US E C A S E : S E C UR E O NBO A R D I NG FO R O I L A ND GA S
P r o b l e m :
Remote oil rigs with devices/sensors that
monitor temp, air quality, pressure, and
motion are hard to activate, and they
manage critical infrastructure that must
maintain high security levels.
S o l u t i o n s :
Devices enabled for 0-touch onboarding
model, which leverage a gateway for edge
analytics and secure comms to an
onboarding service that automatically
registers devices at power on to HDC.
V a l u e :
Lowers activation costs, delivers high
assurance, HW enforced security,
addresses regulatory functional
safety, and lowers liability.
Device
Management
Platform
Provision
and Manage
Rendezvous
Onboard Service
Data Center
Operations and
Analytics
Gateway

US E C A S E : S MA R T PA R KI NG GA R A GE
H o w I t W o r k s
Wasted fuel, excess lighting costs.
Frustrating parking experience to
navigate to open spot. Garage
operations not able to monitor
or direct.
Lighting, smart cameras, air quality
sensors, and IoT Gateway for edge
analytics onboarded to central OT
garage/security management platform.
Reduced install time. Operations
can be run at remote management
location. Secure baseline for software
updates. Addresses air quality
functional safety concern.
Customer Garage
Operations Platform
Update
and Manage
Intel and AWS IoT
platform Solution
P r o b l e m : S o l u t i o n s : V a l u e :
Onboard Service
Gateway

H o w I t W o r k s
Use C ase : A sse t T rack in g
Real-time asset visibility in
distribution. Need to distribute spatial
map data with tracking info to
distributed OT systems.
Intel® Secure Device Onboard-enabled
devices provide onboarding and
scan/tracking to CSP platform asset
tracking service.
Enables customer to track and identify
devices and combine with map APIs
for fast use by 3rd party logistics
providers and customers.
EPID HW
Identity
ODM Device
Gateway assisted comms
3rd Party Logistics or
Customer Console
IoT
Platform
SDO Service

H o w I t W o r k s
Use C ase : Min in g O p e rat io n s
Safety improvement, asset
automation, and the management
and control of mine operations.
Embedded sensors on autonomous
trucks and infrastructure are
onboarded to IoT Platform for
analytics and OT control.
Real time knowledge of
worker/machine location, air
quality, temp, control ventilation
systems savings.
OT Mine Control Center
(hundreds of miles from pit mines)
EPID in IA TEE
ODM Tool
GUID, URL, EPID
IoT
Platform
SDO Service

Intel + AWS

AWS – Intel End-to-End IoT Reference Platform
MESSAGE
BROKER
Communicate with devices via
MQTT and HTTP
AUTHENTICATION
AUTHORIZATION
Secure with mutual authentication and
encryption
RULES
ENGINE
Transform messages
based on rules and route
to AWS Services
AWS Services
- - - - -
3P Services
SHADOW
Persistent thing state during
intermittent connections
APPLICATIONS
Device attributesMCU
• WiFi + LP WiFi
• Bluetooth®
Technology +
BTLE
• 3G/4G/LTE
(GPRS)
• ZigBee*, Zwave*
• 6LoWPAN*
• WiHART*
• Ethernet
• RFID
Gateway
MCU
I/O
Sensor
Actuator
Sensor
Actuator
Sensor
Sensor
AWS IoT
Device
SDK
5
1
6
8
7
4
9
13
14
AWS IoT API
ODM GW
Manufacturer
Management
Console
Control
Plane
Int
el
M
E
Intel EPID
Credential
s Tool
Device Security,
Configuration & Management
2
310
11
REGISTRY
Identity and Management of your
things
12
AWS
Greengrass
AWS
Greengrass

Use Case: Ecosystem Enabling for
Customer
Customer and SI
IoT Platform
Management
Providers
OEMs/
ODMs
Devices
Intel and
MCUs
Sample Onboarding Ecosystem
1. Customer Project - has an IoT POC started using IoT
Platform Provider which will serve as data & device
mgt back end.
2. Scale Need - realizes that proprietery onboarding methods
have high configuration cost and won‘t scale for devices
they need onboarded so they choose the IoT Platform‘s
Zero Touch Onboard Capability-powered by Intel
3. Customer RFP - the customer‘s SI
determines 500 gateways, 2 IA devices,
and 2 MCU devices make up spectrum
of devices for project. They specifify
SDO enabled devices as requirement in
project RFP they send to ecosystem.
4. RFP Response - ODMs &
devices that have pre-enabled
or agree to enable using SDO
SDKs win larger orders.
5. Implementation - ecosystem requiring
enablement download SDKs from Intel
developer zone site. Customers distribution
chain digitally signs order in transit and
installer powers on. Device phones home
to IoT platform to onboard in seconds.

INTEL DEMO BOOTH

Intel® Secure Device Onboard (SDO)
* Other names and brands may be claimed by their owners
AWS:IoT,
Greengrass
MQTT/TLS
SDO Transfer
Owner Protocol
PHASE 2
SDO Transfer Owner
Protocol PHASE 1
HTTPS
Intel®SDO
RendezvousServer
SDO Transfer Owner
Protocol PHASE 0
IoTDevice (RobotGateway)
Running Amazon*Greengrass
Setup
Script
AWS
Security
Credentials
Configuration &
Installation Files
Configured &
Installed
Setup Script
AWS
Security
Credentials
AWSS3
CloudFile
Storage
Configuration &
Installation Files
Intel®SDO
Owner&
Provisioning
Servers
SDOOwnershipProxy:
Gives the Owner Server the
credentials needed to
claim ownership of the IoT
Device when it contacts the
Intel® SDO Rendezvous
Server
RobotArm&Vibration
Sensor
AWS Console
http://intel.ly/2zBtATb

Summary
I n t e l ® S e c u r e D e v i c e O n b o a r d e n a b l e s s c a l a b l e
I o T d e p l o y m e n t s t o b i l l i o n s o f d e v i c e s
• Z e r o - t o u c h a c t i v a t i o n i n s e c o n d s i n s t e a d o f m i n u t e s
L e v e r a g e s I n t e l ® E n h a n c e d P r i v a c y I D ( I n t e l ®
E P I D )
• I m m u t a b l e i d e n t i t y f o r e v e r y d e v i c e — b u i l t - i n
• H a r d w a r e - e n a b l e d s e c u r i t y — g r e a t f o r I T a n d O T
E n a b l e d t h r o u g h I o T v a l u e c h a i n
• E m b e d d e d i n s i l i c o n
• D e l i v e r e d t h r o u g h v a l u e c h a i n
• A t t e s t e d b y I n t e l S e c u r e D e v i c e O n b o a r d s e r v i c e
Contact Your IoT Platform Service Provider to Get a PoC Started.
EPID
Identity

THANK YOU!

Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Invent 2017

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Invent 2017

Similar to Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Invent 2017 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Invent 2017