June 30, 2022

Automating Zero Trust for Edge Secured-core devices


Written by John Hynds, Director of Pre-Sales Engineering, North America

According to a recent study by Microsoft and the Ponemon Institute, 65 percent of companies that have adopted IoT solutions mentioned that security is a top priority when implementing IoT. What is most encouraging is that this is not just noted as a concern, but something they are actively looking at in order to mitigate risk.

In Microsoft’s recent blog titled “Securing your IoT with Edge Secured-core devices,” Deepak Manohar, Principal PM Manager, Azure Edge, and Platform security at Microsoft, announced the release of Microsoft’s Edge Secured-core certification, which will enable their customers to more easily select IoT devices that meet an advanced security designation.

“Edge Secured-core is a certification in the Azure Certified Device program for IoT devices.

Devices that have achieved this certification provide enterprises the confidence that the devices they’re purchasing deliver specific security benefits.

  • Hardware-based device identity: when connecting to Azure IoT Hub and using the IoT Hub device provisioning service.
  • Enforcing system integrity: Using a combination of processor, firmware, and OS support to facilitate measurement of system integrity to help ensure the device works well with Microsoft Azure Attestation.
  • Staying up-to-date and is remotely manageable: Receives the necessary device updates for a period of at least 60 months from the date of submission.
  • Provides data-at-rest encryption: The device provides built-in support for encrypting the data at rest using up-to-date protocols and algorithms.
  • Provides data-in-transit encryption: IoT devices such as gateways, which are often used to connect downstream devices to the cloud, need inherent support for protecting data in transit. Edge Secured-core devices help support up-to-date protocols and algorithms that are used for data-in-transit encryption.
  • Built-in security agent and hardening: Edge Secured-core devices are hardened to help reduce the attack surface and include a built-in security agent to help secure them from threats.”

Device Authority’s KeyScaler® platform meets these hardware requirements and supports these capabilities while integrating with key Azure Services including IoT Edge, Microsoft Sphere, DPS, and IoT Hub.

What this looks like in real terms

A current Device Authority customer in the pharmaceutical industry provides a perfect example of using software to meet the Microsoft Edge Secured-core standards. This company has offices in over 15 locations globally and sells products in approximately 125 countries.

They have identified Automated Certificate Lifecycle Management as a core requirement for their manufacturing plants using a tiered Azure IoT Edge gateway approach.

Their IoT Edge gateway architecture requires mapping parent-child relationships between top and lower Azure IoT Edge nested gateways. Currently, they are employing Azure IoT Edge nested gateways with KeyScaler® Edge Certificate Management.

Starting with Zero Trust, KeyScaler® automatically provides their device attestation and registration to both KeyScaler and their Azure DPS and IoT Hub.

Automation at scale is critical to creating and maintaining an IoT security blueprint.

The Device Authority solution provides this customer the means to securely register, authenticate, provision, and manage the entire lifecycle of the X.509 certificates for Azure IoT Edge nested gateways.

– Device Authority’s KeyScaler® platform is at the core of the Certificate Lifecycle Management, providing automated credential management for Azure IoT Edge gateways and IoT Hub.

– Registration Controls – Automated device registration and authorisation policies for headless onboarding of IoT devices.

– Device Group Management – The ability to assign devices to groups and assign crypto and certificate provisioning policies at a group level.

– Azure IoT Hub Connector – Zero-touch provisioning using X.509 certificates for Azure IoT Hub.

– Internal private PKI – The customer can generate their own internal private root certificate authority and key, to enable the provisioning of self-signed certificates to devices and the IoT Hub service.

How does it work?

After KeyScaler® provides registration and authentication, this multi-hierarchical edge gateway solution generates X.509 identity and signing certificates for the Azure IoT Edge gateways. KeyScaler® Edge is deployed on each gateway to provide device registration, authentication, certificate provisioning, and rotation functions.

  1. Gateways on Layer 2 register and get their X.509 certificates from the KeyScaler® Edge gateway on Layer 3.
  2. Gateways on Layer 3 register and get their X.509 certificates from the KeyScaler® Edge gateway on Layer 4.
  3. Gateways on Layer 4 register and get their X.509 certificates from KeyScaler® Central.

KeyScaler® Edge provides uninterrupted certificate lifecycle management independent of the connectivity to the cloud.

In addition to automating Zero Trust provisioning, KeyScaler® can also dynamically quarantine suspect devices and immediately revoke their certificates, preventing those devices from connecting to network assets and eliminating guesswork and costly delays at a critical moment. This revocation is automatically communicated to Azure, and device access is terminated or suspended pending verification of the device’s true identity.
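The tiered issuance in the three steps above and the quarantine step read as an abstract flow, so here is a runnable model of both in Go. It is an added example, not Device Authority or Microsoft code, and says nothing about how KeyScaler® implements either step. It assumes that each tier handing out certificates acts as an X.509 CA for the tier below (KeyScaler® Central as the root, the Layer 4 and Layer 3 gateways holding signing certificates, a Layer 2 gateway receiving an identity certificate), that a gateway verifies identities against the root and the intermediates it already holds, and that quarantine takes the form of a CRL signed by the revoked certificate's own issuer. All subject names and the 24-hour validity are constructed, and keys live in memory, standing in for what a Secured-core device would keep in hardware.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tier is one hierarchy node: its certificate and the key that signs for the tier below (in memory here; real devices keep it in hardware).
type tier struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // increasing serial numbers, so a CRL entry names exactly one certificate

// issue creates a certificate for subjectName signed by parent (self-signed when parent is nil). isCA yields a
// signing certificate for the tier below, otherwise a client identity. Errors mean a broken RNG or template: panic.
func issue(subjectName string, isCA bool, parent *tier) *tier {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subjectName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour), // constructed validity period
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent = &tier{cert: tmpl, key: key} // no parent: the root signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return &tier{cert: cert, key: key}
}

// buildHierarchy follows the three steps in the text: Central issues a signing certificate to
// Layer 4, Layer 4 issues to Layer 3, and Layer 3 issues an identity to a Layer 2 gateway.
func buildHierarchy() (root, l4, l3, l2 *tier) {
	root = issue("KeyScaler Central root CA (constructed)", true, nil)
	l4 = issue("Layer 4 gateway signing CA (constructed)", true, root)
	l3 = issue("Layer 3 gateway signing CA (constructed)", true, l4)
	l2 = issue("layer2-gw-01 identity (constructed)", false, l3)
	return
}

// verifyChain validates a gateway identity against the root using only locally held intermediates, so it needs no cloud connection.
func verifyChain(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// quarantine revokes a suspect certificate: its issuing tier publishes a signed CRL naming it.
func quarantine(issuer *tier, suspect *x509.Certificate) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: suspect.SerialNumber, RevocationTime: now}}}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer.cert, issuer.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// isRevoked trusts the CRL only if the claimed issuer signed it, then looks for cert's serial.
func isRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err // an unsigned or forged CRL carries no authority
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Because the chain check needs only the root and the intermediates a gateway already holds, it keeps working while a site is cut off from the cloud, which is the property the paragraph above claims for KeyScaler® Edge; a Layer 2 identity presented without the Layer 3 signing certificate fails that check. A CRL is accepted only when it carries a valid signature from the certificate's own issuer, so a forged or misdirected list cannot quarantine a healthy gateway; a deployment would additionally enforce the CRL's NextUpdate and forward the revocation to IoT Hub, as the text describes.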

The perfect pairing

Microsoft Edge Secured-core provides the necessary hardware certifications for IoT device manufacturers. The next step, in conjunction with Edge Secured-core, is implementing and automating a software-based Zero Trust security blueprint.

Our KeyScaler® platform delivers automated device provisioning, authentication, credential management, policy-based end-to-end data security/encryption, and secure updates, providing visibility and management for all device types from a single dashboard.

To further discuss how KeyScaler® and Microsoft Edge Secured-core complement one another, get in touch here.

To view Microsoft’s blog, click here.
