Developers can securely connect IoT devices to cloud services like AWS and Azure without being security experts.
Discussions of IoT security and cloud connectivity usually bring up two technical terms: onboarding and zero-touch provisioning.
So, when EDN spoke to Philippe Dubois, vice president and general manager of the secure edge identification unit at NXP regarding the launch of the company’s EdgeLock 2GO IoT security management service built around the EdgeLock SE050 secure element, providing a basic understanding of these two technologies was the first agenda item.
Onboarding refers to establishing an authenticated, encrypted connection, loosely called a VPN connection here, between an end device and an application inside the cloud; with AWS IoT and Azure IoT Hub this is a mutually authenticated TLS session in which the device presents an X.509 certificate and proves possession of the matching private key. To manage IoT devices in the field, a device manufacturer or OEM must have an account with a cloud service and then use such a connection to register the devices to this account.
Here, as Dubois pointed out, the secure element IC can automatically establish that connection to the device manufacturer's cloud account without the manufacturer having to inject credentials into the device or a third party registering the device by hand. The first time a device registers with an account in the cloud is called onboarding.
How zero-touch provisioning works
Now that the device manufacturer has registered its devices with the cloud and the devices are identified and configured online, the second stage is even more critical. That is when a group of connected devices wants to use a service in another cloud and thus needs to establish an authenticated connection to that particular cloud service, this time without anyone touching the devices.
Here, if the cloud account already knows which devices to expect, because the OEM has registered the certificate authority that signs its device certificates and told the application what to do with new arrivals, it has a pathway to recognize the new devices. In other words, a service in the cloud knows what kind of hardware it is going to see and checks, on first contact, that it is registering the right device: a certificate that does not chain to the registered authority is refused, and one that does is enrolled automatically. This is the pattern behind AWS IoT's just-in-time registration and provisioning and Azure DPS enrollment groups.
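The mechanism behind onboarding and zero-touch provisioning as described in the two sections above, as an added example in Go that is not code from NXP, AWS or Azure: it builds an OEM certificate authority (the trust anchor the cloud account registers in advance), a device certificate whose private key stands in for the one kept inside the secure element, and a cloud side that verifies the chain, checks proof of possession with a fresh challenge, and creates the device record on first contact. The CA names and the device identifier sensor-0001 are constructed for the example, and the challenge step models what the TLS CertificateVerify message does inside a real handshake rather than running one; the TLSConfig method shows the actual endpoint setting that enforces the same check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added illustration, not NXP, AWS or Azure code; CA names and "sensor-0001" are constructed.

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a CA template (ca=true) or a client-auth device template.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue generates a P-256 key and signs tmpl with parent; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Cloud models the OEM's account: a trust anchor registered up front, a registry filled on first contact.
type Cloud struct {
	oemCAs   *x509.CertPool
	registry map[string]bool
}

func NewCloud(oemCA *x509.Certificate) *Cloud {
	pool := x509.NewCertPool()
	pool.AddCert(oemCA)
	return &Cloud{oemCAs: pool, registry: map[string]bool{}}
}

// TLSConfig is the endpoint setting behind "the cloud knows which hardware to expect".
func (c *Cloud) TLSConfig() *tls.Config {
	return &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: c.oemCAs, MinVersion: tls.VersionTLS12}
}

// Onboard is the first-connection check: verify the chain, then demand a signature over a fresh challenge.
func (c *Cloud) Onboard(devCert *x509.Certificate, sign func([]byte) []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: c.oemCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := devCert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate does not chain to a registered OEM CA: %w", err)
	}
	pub, ok := devCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected key type %T in device certificate", devCert.PublicKey)
	}
	challenge := make([]byte, 32)
	must(rand.Read(challenge))
	if d := sha256.Sum256(challenge); !ecdsa.VerifyASN1(pub, d[:], sign(challenge)) {
		return "", fmt.Errorf("device could not prove possession of the certified key")
	}
	id := devCert.Subject.CommonName
	c.registry[id] = true // just-in-time registration: nobody pre-registered this device by hand
	return id, nil
}

// deviceSigner stands in for the secure element: the key never leaves it, only signatures come out.
func deviceSigner(key *ecdsa.PrivateKey) func([]byte) []byte {
	return func(challenge []byte) []byte {
		d := sha256.Sum256(challenge)
		return must(ecdsa.SignASN1(rand.Reader, key, d[:]))
	}
}

// BuildPKI returns a cloud trusting the OEM CA, a genuine device, and a look-alike from an unregistered CA.
func BuildPKI() (*Cloud, *x509.Certificate, *ecdsa.PrivateKey, *x509.Certificate, *ecdsa.PrivateKey) {
	oemCA, oemKey := issue(template("OEM Device CA", 1, true), nil, nil)
	otherCA, otherKey := issue(template("Unknown CA", 2, true), nil, nil)
	dev, devKey := issue(template("sensor-0001", 100, false), oemCA, oemKey)
	rogue, rogueKey := issue(template("sensor-0001", 101, false), otherCA, otherKey)
	return NewCloud(oemCA), dev, devKey, rogue, rogueKey
}
```

Two failure modes are worth exercising against BuildPKI: a certificate with the right name but issued by a CA the account never registered is refused at the chain check, and a genuine certificate presented by a party that does not hold its private key (a copied certificate, for instance) fails the challenge, so neither ends up in the registry.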
Secure cloud connectivity simplified
NXP claims to have automated the above processes with its EdgeLock 2GO service, which can connect a vast number of IoT devices to cloud services without human intervention. The EdgeLock SE050 secure element, a specialized security chip, executes security operations on behalf of device manufacturers. And the EdgeLock 2GO platform streamlines secure cloud onboarding and access to IoT devices from different cloud service providers.
Together, the EdgeLock SE050 secure element and the EdgeLock 2GO service simplify application credential management with zero-touch connectivity to public and private clouds and edge computing platforms and infrastructure. That, in turn, allows device manufacturers to dynamically connect their IoT devices to multiple cloud service providers.
For instance, EdgeLock 2GO provides tailored options for OEMs to register their devices on Amazon Web Services (AWS) using multi-account registration, just-in-time provisioning, and just-in-time registration. Likewise, it simplifies the registration of IoT devices into Azure IoT Hub device provisioning service (DPS) to remove the overhead of device identity management.
Dubois said that it gets complicated when developers connect their devices to cloud services like AWS and Azure, primarily when they handle security protocols such as secure sockets layer (SSL) and transport layer security (TLS). “Even if they understand how it works, it’s easy for hackers to find a weakness in the process,” Dubois said.
The EdgeLock 2GO service is tailored for three options. First, EdgeLock 2GO Ready is suitable for simple use cases such as device onboarding to public clouds with pre-provisioned EdgeLock SE050 security chips. Second, EdgeLock 2GO Custom helps create a custom EdgeLock SE050 security solution to support complex configurations. Third, EdgeLock 2GO Managed is recommended for managing credentials and multiple services throughout the device lifecycle.
In the final analysis, services like EdgeLock 2GO let IoT developers manage connections with cloud services like AWS and Azure without being security experts. Such a service handles the device identity and the authenticated connection on the developer's behalf; all developers have to do is decide which cloud service they want to access.
This article was originally published on EDN.
Majeed Ahmad, Editor-in-Chief of EDN, has covered the electronics design industry for more than two decades.