Pelion Device Management (October 2018)
In our latest release of Pelion Device Management (formerly Mbed Cloud) we are introducing several new features and enhancements, including:
- Device Management On Premises, allowing customers to deploy Device Management in a customer data center or on private cloud infrastructure.
- Device Management Client Lite, enabling customers to manage constrained devices with limited memory and processing capabilities.
- Enhanced device security, ensuring secure IoT deployments with the ability to generate keys in devices, renew device certificates and attest devices using multi-layer certificate chains.
Unprecedented flexibility and scalability in deployment options - Device Management On Premises
Modern cloud offerings have helped many companies deploy their products faster, reduce data center costs, move CapEx to OpEx, and scale across different use cases. However, in a world of data breaches, strict regulations, and security and data policies, we are seeing an increasing number of companies that require full control of their device management system and processes in an isolated environment. Device Management On Premises is designed to satisfy these needs.
Device Management On Premises provides the same features and capabilities as Device Management on a public cloud. This gives customers control over the overall usage of devices, data and security aspects, and over customization of the environment, along with customer-ready integration. Using widely adopted cloud technologies such as Kubernetes, load balancers, firewalls, root certificates/CAs and many others, running on physical hardware on top of OpenStack, is a modern way to deploy software on-premises.
Device Management On Premises provides a cost-efficient way to scale up the number of IoT devices under management: once the investment in infrastructure is made, customers do not have to keep paying a service provider to add extra devices or to store more data.
Device Management On Premises provides versatile integration and extension interfaces for external applications, vendors, platforms and solutions. For example, a customer's proprietary software, billing and payment solutions, additional dashboards, portals and administrative consoles can be easily integrated with Device Management On Premises services via the REST API.
Device Management On Premises is deployable on physical hardware, customer-operated data centers, independent IaaS services or mainstream public clouds, such as AWS, Azure or Google Cloud.
In this version, Device Management On Premises is released at Limited Availability level and is provided as a managed service by Arm.
Widening the spectrum of supported devices - Device Management Client Lite
The IoT landscape spans a wide range of connected devices, from very constrained low-cost sensors to more expensive and complex devices.
The Device Management IoT Platform provides powerful device management capabilities to handle this diverse landscape by supporting multiple Device Management Client profiles, each addressing the requirements and constraints of a range of connected devices.
Customers can now use the Device Management Client Lite profile for constrained devices, specifically cost-sensitive devices with limited memory and processing capabilities.
Although constrained, these devices can still communicate using IP. To accommodate their hardware constraints, Device Management Client Lite employs protocol stacks designed for constrained nodes (such as CoAP over UDP/DTLS) instead of full internet protocol stacks such as HTTP, the related security protocols and XML-based data representations.
To minimize RAM and processing requirements, the Device Management Client Lite profile establishes channel security over UDP using DTLS. To reduce the memory footprint even further, Device Management Client Lite uses pre-shared keys (PSK) instead of public key cryptography.
Device Management Client Lite retains many of the benefits of our full Device Management Client, namely support for CoAP over UDP with compact encoding to reduce message size, and secure remote firmware update.
Device Management Client Lite is released at General Availability level and is available to all Device Management customers.
Enhanced device security
Device-generated keys
Device Management uses unique pairs of asymmetric keys to authenticate connected devices. There are two sets of keys: Bootstrap keys and LwM2M keys. Bootstrap keys are configured at the factory and are used to verify the device identity and authenticity when a device first connects to the bootstrap server. LwM2M keys are configured during the bootstrap process and are used for device authentication during normal operation.
Device Management now supports generating keys in the device, which gives a much higher level of security. When enabled, the device is instructed to generate a new key pair. Only the public key is exported from the device; a certificate authority signs it to create the device certificate. The private key never leaves the device, making it much more difficult for an attacker to obtain it.
Customers benefit from this increased level of security both when configuring keys at the time of manufacturing using factory provisioning tools, and when connecting devices using the Device Management bootstrap service.
This feature is released at General Availability level and is available to all commercial customers.
Device certificate renewal
During normal operation, devices are identified by means of an LwM2M device certificate issued by the Device Management bootstrap server. The certificate can be signed either by a Device Management server or by a third-party certificate authority, such as GlobalSign.
Customers can now instruct the Device Management service to renew a device's keys and certificate without resetting the device. When a customer application uses the Device Management API to initiate this action, the server starts a certificate renewal handshake with the specified device. The device generates a new asymmetric key pair and uses the Enrollment over Secure Transport (EST) protocol to deliver its new public key to the server. The server signs the public key, engaging an external certificate authority if one is configured, and creates a new device certificate that the device then uses in normal operation.
The same procedure can be used to renew any custom certificates configured in the device.
This feature is released at General Availability level and is available to all commercial customers.
Certificate chains in device identity
Device Management identifies and authenticates devices using bootstrap and LwM2M certificates. Each certificate is signed by an external or internal certificate authority, attesting that the device is authentic.
Device Management now supports attesting devices using certificate chains. In this case, the device certificate is signed by an intermediate certificate authority, whose certificate is in turn signed by a higher-order CA. The chain can have several levels with multiple intermediate CAs.
Certificate chains are supported both for bootstrap certificates configured in the factory and for LwM2M certificates configured during the bootstrap process.
This feature is released at General Availability level and is available to all commercial customers.
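The three security features above (device-generated keys, certificate renewal, and certificate chains) share one PKI flow, and the following Go program is added here to show it end to end; it is example code, not code from Pelion Device Management or its client. It uses Go's standard crypto/x509 package with an in-memory root and intermediate CA: the device generates its own key pair and exports only a CSR, the server checks the CSR's self-signature as proof of possession before the CA signs it, a second round models renewal with a fresh key pair, and the resulting certificate is verified up a root -> intermediate -> device chain (and shown to fail against an unrelated root). The CA names, device ID and validity periods are constructed for the example; the EST transport itself is not modelled, and Go's x509 stands in for whichever CA the service is configured to use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { // abort the example on an unrecoverable error
	if err != nil {
		panic(err)
	}
}

// ca is an in-memory certificate authority constructed for this example.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign stamps a serial and validity onto tmpl, has issuer sign it over pub and parses the result.
func sign(tmpl, issuer *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // example only; real CAs use random serials
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// newCA creates a self-signed root (parent nil) or an intermediate CA signed by parent.
func newCA(name string, parent *ca) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		return &ca{sign(tmpl, tmpl, &key.PublicKey, key), key}
	}
	return &ca{sign(tmpl, parent.cert, &key.PublicKey, parent.key), key}
}

// device models the client: the private key is generated in the device and is never exported.
type device struct {
	id  string
	key *ecdsa.PrivateKey
}

// newKeyAndCSR generates a fresh key pair (renewal replaces it) and returns a DER CSR with only the public key.
func (d *device) newKeyAndCSR() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	d.key = key
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: d.id}}, key)
	check(err)
	return csr
}

// issueDeviceCert is the server side of enrollment and renewal: a CSR whose self-signature fails
// proves nothing about key possession and is rejected; otherwise the CA signs the public key.
func issueDeviceCert(issuer *ca, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	return sign(&x509.Certificate{Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, issuer.cert, csr.PublicKey, issuer.key), nil
}

// verifyChain validates a device certificate up to a trusted root through any number of intermediates.
func verifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// runEnrollment performs enrollment, renewal and attestation; returns (keyChanged, chainOK, wrongRootRejected).
func runEnrollment() (bool, bool, bool) {
	root := newCA("Example Root CA", nil) // constructed two-level CA hierarchy
	inter := newCA("Example Issuing CA", root)
	dev := &device{id: "device-0001"} // constructed device identity
	first, err := issueDeviceCert(inter, dev.newKeyAndCSR()) // initial enrollment
	check(err)
	renewed, err := issueDeviceCert(inter, dev.newKeyAndCSR()) // renewal: new key pair, same identity
	check(err)
	chain := []*x509.Certificate{inter.cert}
	return !first.PublicKey.(*ecdsa.PublicKey).Equal(renewed.PublicKey),
		verifyChain(renewed, chain, root.cert) == nil,
		verifyChain(renewed, chain, newCA("Unrelated Root CA", nil).cert) != nil
}

func main() { fmt.Println(runEnrollment()) }
```

Running the program prints `true true true`: the renewed certificate carries a public key different from the first one, it verifies through the intermediate to the root that issued it, and it is rejected against a root that did not. The CheckSignature step in issueDeviceCert is the part worth copying into any enrollment endpoint: without it a server would sign any public key a caller submits, whether or not the caller holds the matching private key.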
Device enrollment enhancements
Assigning a device to a Device Management owner account is a key capability of IoT device management. Device Management now allows the owner to be pre-assigned during the production stage, or assigned at a later stage through First-to-Claim by enrollment. Additionally, First-to-Claim by enrollment now supports enrolling devices in bulk.
If you want to ask any questions or provide feedback about this release, contact us.