IoT security fundamentals: connecting securely to IoT Cloud services
this toolset and its sample code packages, developers create an object for the IoT device in Azure IoT Hub and use a provided file to provision the associated identity registry with the credentials and other metadata required to connect the IoT board to Azure IoT Hub (Figure 3). The Azure IoT Device Workbench provides additional support software and metadata that lets developers quickly load the AZ3166 board with sample code and begin transmitting measurements from the board’s temperature and humidity sensor to Azure IoT Hub.

Creating a representation of the physical IoT device in the IoT Cloud and provisioning the associated registry are needed just to connect the device to the IoT Cloud. To take advantage of Cloud services, however, the Azure IoT Hub also needs an access rights policy. To monitor the device-to-Cloud messages coming from the AZ3166 sensor, developers can simply use the Azure shared access policies screen to select a prebuilt policy that grants the required access rights (Figure 4). These hub-level shared access policies are meant for the developer’s tools and back-end services; the device itself should authenticate with the per-device credentials held in the identity registry rather than with a hub-level policy key.

Figure 4. Developers can use prebuilt policies to easily authorize use of Azure Cloud services with sensor data from the Seeed Technology AZ3166 IoT Developer Kit. Credit: Microsoft Azure

When working with AWS IoT, developers can turn to development kits such as Microchip Technology’s AT88CKECC-AWS-XSTK-B Zero Touch Provisioning kit and accompanying software to quickly evaluate Cloud connectivity. This updated version of an earlier Microchip Zero Touch Provisioning kit comes preloaded with authentication credentials. Using additional scripts provided with the kit, developers can rapidly connect the board to AWS IoT without handling private keys and certificates themselves (see ‘Take the Zero-Touch Approach to Securely Lock Down an IoT Device’).

Other development kits, including Renesas’ RTK5RX65N0S01000BE RX65N Cloud Kit and Infineon Technologies’ KITXMC48IOTAWSWIFITOBO1 AWS IoT kit, extend support for AWS IoT connectivity with support for rapid development of applications based on Amazon FreeRTOS. AWS provides detailed directions for registering the boards, creating authentication credentials, and loading the provided JSON policies needed to connect to AWS IoT and use AWS services.

Simplifying provisioning for large-scale IoT deployments

Development kits such as those described above serve as effective platforms both for rapid prototyping of IoT applications and for exploring IoT Cloud service connection requirements. In practice, however, developers will typically need to turn to more advanced approaches designed to simplify provisioning of IoT devices in real-world applications. Both Azure IoT and AWS IoT support a wide variety of methods that allow more automated provisioning of individual devices or of large numbers of devices in a large-scale deployment.

With AWS IoT, for example, developers can use a bootstrap method for certificate provisioning. Here, the smart product ships with a bootstrap certificate associated with only the minimal access rights needed to request and retrieve a new certificate (Figure 5). Using the bootstrap certificate, the device connects to the Cloud (‘1’ in Figure 5), requests (‘2’) a new certificate, receives (‘3’) the URL of the certificate generated by an AWS Lambda serverless function, and retrieves (‘4’) that certificate from an AWS Simple Storage Service (S3) bucket. Using the new certificate, the device then reconnects to AWS IoT (‘5’) to proceed with normal operations. The security of the scheme rests on the policy attached to the bootstrap certificate: it should permit nothing beyond the connect, publish and subscribe rights needed for the provisioning exchange, with the rights for normal operation granted only to the newly issued certificate.

Figure 5. AWS IoT supports a method to bootstrap certificate provisioning in IoT devices. Credit: DigiKey, from Amazon Web Services

AWS offers other Cloud services that support dynamic provisioning of authentication tokens using execution resources such as AWS Lambda functions. For example, an automotive application might rely on a series of ephemeral connections where the use of a token is both more practical and more secure than a long-lived credential. Here, after an AWS module for IoT authentication and authorisation approves the request for a token, the AWS Security Token Service (STS) generates a token for delivery to the vehicle’s systems. Using that token, those systems can access AWS services subject to validation by the AWS Identity and Access Management (IAM) service (Figure 6). STS tokens are temporary credentials with a fixed expiry, so the vehicle’s systems must request a fresh token before the current one lapses, and a token captured by an attacker stops working on its own once it expires.

Figure 6. Leading Cloud service providers support other forms of attestation for authentication such as this process for dynamic generation of security tokens by AWS Security Token Service (STS). Credit: Amazon Web Services

AWS provides a similar capability
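To make the least-privilege point of the bootstrap flow in Figure 5 concrete, the following is an added example (not code from the DigiKey article or from Amazon): two AWS IoT policy documents, one for the bootstrap certificate and one for the operational certificate it obtains, plus a simplified evaluator that shows which MQTT operations each certificate is permitted. The region, account, thing name and topic names are placeholders, and the evaluator models only the subset of AWS IoT policy semantics needed here (Allow/Deny statements, `*` wildcards, explicit Deny overriding Allow, default deny); real AWS IoT policies would normally use the `${iot:Connection.Thing.ThingName}` policy variable rather than a hard-coded thing name.

```python
"""Added example, not from the article or AWS: bootstrap vs operational
AWS IoT policies for the Figure 5 flow, with a simplified policy evaluator.

Assumptions (placeholders, not real identifiers): region/account, thing
name and topic layout. Only Allow/Deny, '*' wildcards and explicit-Deny
precedence are modelled; policy variables and conditions are not."""
import fnmatch
import json

REGION_ACCOUNT = "us-east-1:123456789012"   # placeholder, not a real account
THING = "vehicle-0001"                      # placeholder thing name


def topic_arn(topic):
    return f"arn:aws:iot:{REGION_ACCOUNT}:topic/{topic}"


# Step 1 of Figure 5: the bootstrap certificate may connect only as its own
# client ID and may only use the provisioning request/response topics.
BOOTSTRAP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"arn:aws:iot:{REGION_ACCOUNT}:client/{THING}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": topic_arn(f"provisioning/request/{THING}")},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"arn:aws:iot:{REGION_ACCOUNT}:topicfilter/provisioning/response/{THING}"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": topic_arn(f"provisioning/response/{THING}")},
    ],
}

# Step 5 of Figure 5: the certificate fetched from S3 gets the rights for
# normal telemetry and commands, and is explicitly denied the provisioning
# topics so a provisioned device cannot keep re-requesting certificates.
OPERATIONAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"arn:aws:iot:{REGION_ACCOUNT}:client/{THING}"},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": topic_arn(f"dt/{THING}/*")},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": f"arn:aws:iot:{REGION_ACCOUNT}:topicfilter/cmd/{THING}/*"},
        {"Effect": "Allow", "Action": ["iot:Receive"],
         "Resource": topic_arn(f"cmd/{THING}/*")},
        {"Effect": "Deny", "Action": "iot:*",
         "Resource": topic_arn("provisioning/*")},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified AWS IoT policy check: an explicit Deny on a matching
    statement wins, otherwise any matching Allow grants, otherwise deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_flow():
    """For each certificate, can it publish telemetry, and can it request
    a new certificate over the provisioning topic?"""
    telemetry = topic_arn(f"dt/{THING}/temperature")
    prov_req = topic_arn(f"provisioning/request/{THING}")
    return {
        "bootstrap_can_publish_telemetry": is_allowed(BOOTSTRAP_POLICY, "iot:Publish", telemetry),
        "bootstrap_can_request_cert": is_allowed(BOOTSTRAP_POLICY, "iot:Publish", prov_req),
        "operational_can_publish_telemetry": is_allowed(OPERATIONAL_POLICY, "iot:Publish", telemetry),
        "operational_can_request_cert": is_allowed(OPERATIONAL_POLICY, "iot:Publish", prov_req),
    }


if __name__ == "__main__":
    print(json.dumps(check_flow(), indent=2))
```

The two policy documents are valid AWS IoT policy JSON and can be attached with `aws iot create-policy`; the evaluator is only there to show, offline, that a leaked bootstrap certificate cannot publish telemetry and a provisioned device cannot go back to the provisioning topics.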
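Returning to the Azure IoT Hub shared access policies of Figure 4: the credential that a policy or a device identity actually presents to the hub is a shared access signature (SAS) token, an HMAC-SHA256 over the resource URI and an expiry time. The following added example (not code from the DigiKey article or from Microsoft’s SDKs) generates such a token and validates it the way the hub does, and shows why a per-device key from the identity registry cannot be turned into a hub-level ‘iothubowner’ token. The hub name, device ID, keys and the fixed clock value are constructed for the example and are not real credentials.

```python
"""Added example, not from the article or Microsoft's SDKs: Azure IoT Hub
SAS token generation and validation.

Documented token format:
  SharedAccessSignature sr=<url-encoded resource URI>&sig=<base64 HMAC-SHA256>
                        &se=<expiry, Unix seconds>[&skn=<policy name>]
  signature input = urlencode(resource URI) + "\n" + expiry,
  keyed with the base64-decoded shared access key.

Assumptions (constructed, not real): hub name, device ID, keys, clock."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote_plus, urlencode

HUB = "example-hub.azure-devices.net"   # placeholder hub
DEVICE_ID = "az3166-demo"               # placeholder device identity
# Constructed keys (base64 of 32 fixed bytes); not real secrets.
DEVICE_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
HUB_OWNER_KEY = base64.b64encode(b"fedcba9876543210fedcba9876543210").decode()


def _sign(uri, key, expiry_epoch):
    to_sign = f"{quote_plus(uri)}\n{expiry_epoch}".encode()
    digest = hmac.new(base64.b64decode(key), to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def generate_sas_token(uri, key, expiry_epoch, policy_name=None):
    """Token valid until expiry_epoch. 'skn' is only set for hub-level
    shared access policies such as 'iothubowner'; a device token has none."""
    fields = {"sr": uri, "sig": _sign(uri, key, expiry_epoch), "se": str(expiry_epoch)}
    if policy_name:
        fields["skn"] = policy_name
    return "SharedAccessSignature " + urlencode(fields)


def validate_sas_token(token, key_lookup, now_epoch):
    """Hub-side check: parse, reject expired tokens, find the key that the
    resource/policy pair is entitled to, recompute and compare the signature
    in constant time. Returns (ok, reason)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False, "bad prefix"
    fields = {k: v[0] for k, v in parse_qs(token[len(prefix):]).items()}
    try:
        expiry = int(fields["se"])
    except (KeyError, ValueError):
        return False, "bad expiry"
    if expiry <= now_epoch:
        return False, "expired"
    key = key_lookup(fields.get("sr", ""), fields.get("skn"))
    if key is None:
        return False, "unknown resource or policy"
    if not hmac.compare_digest(_sign(fields["sr"], key, expiry), fields.get("sig", "")):
        return False, "bad signature"
    return True, "ok"


def registry_key_lookup(resource_uri, policy_name):
    """Constructed stand-in for the identity registry plus shared access
    policies: a device key is scoped to its device URI and has no skn; the
    hub-owner key is only used for the hub URI with skn=iothubowner."""
    if policy_name is None and resource_uri == f"{HUB}/devices/{DEVICE_ID}":
        return DEVICE_KEY
    if policy_name == "iothubowner" and resource_uri == HUB:
        return HUB_OWNER_KEY
    return None


def demo(now_epoch=1_700_000_000):
    """A one-hour device token checked fresh, checked after expiry, and a
    hub-owner token an attacker forges with a stolen device key."""
    device_uri = f"{HUB}/devices/{DEVICE_ID}"
    token = generate_sas_token(device_uri, DEVICE_KEY, now_epoch + 3600)
    fresh = validate_sas_token(token, registry_key_lookup, now_epoch)
    stale = validate_sas_token(token, registry_key_lookup, now_epoch + 7200)
    escalated = validate_sas_token(
        generate_sas_token(HUB, DEVICE_KEY, now_epoch + 3600, "iothubowner"),
        registry_key_lookup, now_epoch)
    return {"fresh": fresh, "stale": stale, "escalated": escalated}


if __name__ == "__main__":
    print(demo())
```

The design point is the scoping in `registry_key_lookup`: a device-scoped token is checked against that device’s own key, so a device key recovered from one AZ3166 board cannot sign a hub-level token, whereas a leaked ‘iothubowner’ key would authorise every operation on the hub. Keep hub-level policy keys on development hosts and back-end services, give devices only their registry credentials, and keep `se` short so a captured token ages out.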
we get technical