Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at Intel.pdf
•
0 likes•60 views
FIDO Taipei Workshop: Securing the Edge with FDO
Recommended
More Related Content
Similar to Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at Intel.pdf
Similar to Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at Intel.pdf (20)
More from FIDO Alliance
More from FIDO Alliance (20)
Recently uploaded
Recently uploaded (20)
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at Intel.pdf
- 1. © FIDO Alliance 2024 Confidential 1 Choosing the right FDO deployment model for your application Geoffrey Cooper, Intel Corporation FIDO Alliance, IOT Technical Working Group, Co-Chair April, 2024
- 2. FDO Deployment Issues Device Manufacturer Ownership Voucher (OV) FDO Manufacturing tool FDO Client & Credentials Device Initialization (DI) Target Cloud FDO owner Rendezvous server (RV) FDO Client & credentials TO0 & TO1 Device Discovers Server T02 protocol Device Onboards Onboarding Data → • The Ownership Voucher is invalidated after the device onboards. The Target Cloud gets a new OV, to allow only it to use FDO in the future. Where is device? Where to Send OV? TO0 protocol TO1 protocol Device shipped Device installed Is Target Cloud on Prem / Internet? Single- Multi-tenant?
- 3. We need Zero Trust → Ownership Voucher • Ownership Voucher is a new concept in FDO • Popular Zero trust security model is “never trust, always verify.” • Problem for onboarding, device doesn’t know server yet! • Ownership Voucher provides credentials for the device to trust, because OV & Device both came from same factory Target Cloud FDO owner FDO Client & credentials Onboarding Data → Ownership Voucher (OV) SERVER TRUST FROM FACTORY CLIENT TRUST FROM FACTORY Zero Trust Concept in FDO Verify Trust
- 4. Choosing the right FDO deployment model for your application FDO is very flexible. Several architectures are available. Architectures are based on network configuration: Single Cloud Multi-Cloud Closed Network Cloud Service Multi-Tenant Cloud Service X In this presentation, we look at scenarios with FDO deployments for different network configurations
- 5. Scenario 1: Onboarding devices with direct internet access, single cloud/platform Cloud 1 Devices
- 6. Scenario 1: Onboarding devices with direct internet access, single cloud/platform Customer Cloud Manufacturer Manufacturer Server • Sets FDO device credentials • Creates FDO Ownership Voucher FDO Device Initialize (DI) FDO Device under manufacture RV Cloud Controller (FDO Owner) • Receives Ownership Vouchers • Runs FDO server to onboard • Runs cloud services Ownership Vouchers for each device TO2 Protocol FSIM’s download configs, code, data, keys, etc. Device is drop-shipped to customer location. Device access via Internet TO1 Protocol After onboard, access cloud services Manufacturer sends OV for each device to same customer cloud
- 7. Scenario 2: Onboarding devices with direct internet access, multiple clouds Cloud 1 US Cloud 2 Asia Clouds can be in different geographies Same type of hardware is deployed to different Clouds
- 8. Scenario 2: Onboarding devices with direct internet access, multiple clouds Customer Cloud 2 RV Manufacturer Manufacturer Server • Sets FDO device credentials • Creates FDO Ownership Voucher FDO Device Initialize (DI) FDO Device under manufacture TO2 Protocol FSIM’s download configs, code, data, keys, etc. Devices drop-shipped to customer locations. After onboard, access cloud services Customer Cloud 1 RV TO1 TO2 FSIM’s Cloud Controller (FDO Owner) Cloud Controller (FDO Owner) Orders for each device include cloud address to send OV Order Processing Orders specify where to send OV (e.g., by geography, by ordering company) Ownership Vouchers for each device determine which cloud onboards TO0 Protocol
- 9. Scenario 3: Onboarding devices: no direct internet access (on-premises/Closed Network) Customer Premise
- 10. Scenario 3: Onboarding devices without direct internet access (on-premise/Closed Network) Customer Premise Manufacturer Manufacturer Server • Sets FDO device credentials • Creates FDO Ownership Voucher FDO Device Initialize (DI) FDO Device under manufacture RV Cloud Controller (FDO Owner) • Receives Ownership Vouchers • Runs FDO server to onboard • Offers network services Ownership Vouchers for each device, sent to customer TO2 Protocol FSIM’s download configs, code, data, keys, etc. Device powers on and onboards using FDO Device is drop-shipped to customer location. Customer Portal or Email Customer retrieves Ownership Vouchers and places them in FDO server in closed network. Manufacturer can send Ownership Vouchers by email instead of using a portal. After onboard, access network services Customer distributes OV
- 11. Scenario 4: Onboarding devices – some Local, Some Internet Cloud 1 Cloud 2 Cloud 3
- 12. Scenario 4: Onboarding devices – some with and some without direct internet access Roaming Devices Manufacturer Manufacturer Server • Sets FDO device credentials • Creates FDO Ownership Voucher FDO Device Initialize (DI) FDO Device under manufacture TO2 Protocol FSIM’s download configs, code, data, keys, etc. Device is drop- shipped to customer location. Customer Premise RV Shared FDO Owner • Receives Ownership Vouchers • Runs FDO server to onboard • Application servers Ownership Vouchers TO2 FSIM’s etc TO1 Protocol TO1 After onboard, access intranet services
- 13. Scenario 5: Onboarding devices with direct internet access, single cloud/platform, multi-tenant Cloud 1 Tenant 1 Tenant 2 Tenant 3 Customer 1 Customer 2 Customer 3
- 14. Scenario 5: Onboarding devices on internet, single multi-tenant cloud Multi-Tenant Host Cloud Customer N Premise (= Tenant A) Customer N Infrastructur e Customer N Infrastructur e Manufacturer Manufacturer Server • Sets FDO device credentials • Creates FDO Ownership Voucher FDO Device Initialize (DI) FDO Device under manufacture Ownership Vouchers for each device, labeled with Tenant ID TO2 Protocol FSIM’s download configs, code, data, keys, etc. Device powers on and onboards using FDO. Device connects to tenant infrastructure within Host Cloud Device is drop-shipped to customer location. Orders with Tenant ID Tenant A Infrastructure RV Cloud Controller (FDO Owner) • Receives Ownership Vouchers • Runs FDO server to onboard TO1 Protocol Tenants Tenant A Tenant B Tenant C
- 15. Scenario 6: Onboarding devices on internet and closed network, single cloud/platform, Roaming customers and multi-tenant Cloud 1 Tenant 1 Tenant 2 Tenant 3 Customer 1 Internet & embedded cloud 2 Customer 2 Customer 3 (roaming) Cloud 2
- 16. Scenario 6: Onboarding devices with internet access and Closed Network, single cloud/platform, multi-tenant Closed Network Manufacturer Manufacturer Server • Sets FDO device credentials • Creates FDO Ownership Voucher FDO-DI FDO Device under manufacture RV Cloud Controller (FDO Owner) Services for all devices Customer Portal / Email FDO Protocols Ownership Vouchers Internet Multi-Tenant Orders by Tenant ID Ownership Vouchers with Tenant ID RV Cloud Controller (FDO Owner) Tenant Servers FDO Protocols Tenant Services Intranet + Roaming RV Cloud Controller (FDO Owner) Application Servers for all users FDO Protocols Intranet + Roaming FDO Protocols Local Services Intranet Services
- 17. Conclusion Ownership Voucher allows FDO to implement Zero Trust Many client configurations are supported by sending Ownership Vouchers to servers using combinations of: Single Cloud Multi-Cloud Closed Network Cloud Service Multi-Tenant Cloud Service X
- 18. © FIDO Alliance 2024 Confidential 22 Thank you