Enabling large-scale IoT – Arm Pelion IoT Platform and Intel Secure Device Onboard

Fulfilling Pelion’s “Any device, any data, any cloud” vision

The Internet of Things (IoT) is rapidly transitioning from early deployments into a new phase of aggressive growth that we expect will result in deployment of one trillion connected devices by 2035. However, this is only achievable if the IoT industry transitions to more open and scalable methods for automatically onboarding onto cloud application platforms. Earlier this year, Arm and Intel began exploring opportunities for integrating our respective device provisioning systems with a goal of accelerating this process. Intel® Secure Device Onboard (Intel® SDO) is a dedicated onboarding service that provides a dynamic “late binding” approach to provisioning where the device owner’s target cloud application and access credentials can be assigned at any point in the supply chain. Arm’s Pelion Device Management service automates both device onboarding and provisioning to any cloud application layer and manages devices through their lifecycles. The combination of these two solutions adds more flexibility to Pelion’s supply chain enablement and expands device coverage to include Intel Architecture (x86) platforms.

This week, Arm and Intel are demonstrating a prototype of an integrated Pelion-Intel SDO provisioning system at Arm TechCon and IoT Solutions World Congress. This demo shows deployment-time credential assignment for both Arm and Intel Architecture devices. Intel SDO manages device credentials and specifies the application layer, and The Pelion IoT Platform provisions the device, manages it, and connects it with the selected application layer. This integrated demo is true to Arm’s “any device, any cloud” vision for the Pelion IoT Platform.

You can read more about the full Arm Pelion announcement on our Newsroom.

Zero touch

Today, many IoT devices are delivered to customers in a state that requires manual intervention to provision them for secure connection with application services. For instance, a skilled technician might have to type in or scan the identity of a device or in some cases cut-and-paste key material between devices and services. Clearly, this time consuming and error-prone process is limiting IoT growth. Ideally, IoT devices are installed automatically by simply powering them up and providing access to a network. Each device then contacts its provisioning service, identifies itself, and exchanges authentication information so that the device can trust the service and the service can trust the device. The provisioning service then makes the final connection between the device and the application service. This technique is sometimes called “zero touch” because the whole onboarding process can be directed without physical access to the device. Zero touch is available today from the Pelion Device Management service.

Late binding

Although zero touch is a big improvement over manual configuration, the technique can create a big scaling barrier of its own. If deployment-specific credentials must be configured during device manufacturing then each such configuration is, in effect, a unique manufacturing SKU. These individual SKUs must be managed as unique products through IoT supply chains (manufacturing, distribution, systems integration, installation, etc.). It would be far more efficient to manufacture IoT devices “by the truckload” that are all identical and then customize them for specific deployments late in the supply chain. That customization includes specifying the application service, providing authentication credentials, and in some cases loading new firmware components. Specifying this information at any point in the supply chain is referred to as “late binding” because devices can be bound to applications and cloud frameworks at any time, often just prior to deployment. Arm Pelion Device Management and Intel SDO provide late binding today. Application services and credentials can be specified at any time prior to installation (late binding) and devices can be onboarded automatically (zero touch).

Pelion Device Management and SDO

Intel® SDO complements Pelion by providing formal methods for transferring “ownership” of a device from one party to another. Device ownership is represented by a “digital ownership voucher” which is chain of nested security credentials that identify both the device and its current owner. This digital voucher may also contain deployment credentials such as the device’s application service – Pelion, for instance – as well as connectivity parameters and other data. The digital voucher is like a ledger that is securely passed from one company to another as a device moves through an IoT supply chain. Pelion and other IoT frameworks already have ways of doing this kind of thing but Intel SDO adds value in two ways. First, transfer of ownership is secure and explicit because each owner signs the digital voucher over to the next one in the supply chain. There is no ambiguity about who owns the device, where it came from, or who set the onboarding parameters. Second, Intel SDO is not dependent on any specific platform architecture or operating system. In other words, Intel SDO provides an alternate method for specifying device onboarding parameters that is both secure and device independent.

Intel SDO enables late binding of device and cloud credentials, but it is not an IoT device management system. It manages the ownership and onboarding credentials and delivers them during the onboarding process. Combining Intel SDO with Pelion Device Management provides a complete solution to zero-touch onboarding with late binding of credentials and cloud-independent hosting. Together, Arm’s Pelion Device Management and Intel SDO’s onboarding service allow organizations to manufacture devices without any prior knowledge of customer-specific onboarding credentials or even which application framework the end user will choose, thereby shifting the industry from siloed supply chains to a harmonized framework for the design and sourcing of secure, connectable devices. Any IoT device, Cortex-M, Cortex-A, or Intel Architecture based, can be manufactured without knowledge of who will own it, how it will travel through a supply chain, or which cloud service will ultimately use it, and it will still automatically appear on the correct cloud service using the correct customer account. This is especially beneficial for organizations that have several device types based on different technologies because it enables onboarding credentials to be set the same way for every type of device and at any point in the supply chain.

Arm partner benefits

For silicon providers and device OEMs, the combination of Intel SDO and Pelion means that a single SKU can now serve the needs of multiple customers and applications. This is because application services and user assignments can be made at any point in the supply chain, not just in manufacturing. Sales channel velocity and time-to-market are also improved because customers can separate device procurement decisions from cloud deployment strategies.

System Integrators and IoT application providers benefit because they can receive ownership of a device, add value, optionally specify which cloud application to use, and then pass it along to the end-user or the next node in the IoT supply chain with the device chain of trust intact. This is truly transformational because it enables more companies to add value to IoT devices without compromising security.

“Any device, any cloud” benefits end-users because secure device onboarding, management, and connectivity are no longer bound to specific device architectures, applications, or cloud frameworks. This flexibility reduces cost and business risk.

Conclusion

The combination of Arm Pelion Device Management and Intel® Secure Device Onboard eliminates key IoT scaling barriers by providing platform-agnostic onboarding (any device – Arm-based and x86), cloud-agnostic deployments (any cloud), and improved supply chain efficiency (lower cost and risk). Over the next few months, Arm and Intel will be working with partners to put this new technology into commercial service.

Interested in learning more about Arm Pelion Device Management?

Anonymous