solliancenet / MCW-Securing-the-IoT-end-to-end

MIT License

Workshop Draft - SME review #4

Closed DawnmarieDesJardins closed 5 years ago

DawnmarieDesJardins commented 5 years ago

Please leave your review feedback for our authors here.

swan-am-i commented 5 years ago

Please add Jovita Nsoh (Microsoft) as an SME reviewer

Azure IoT Edge Security Model:

To answer the questions:

  1. Why do you need a special Security Model for IoT Edge?
  2. Why not rely on the security built into operating systems?

Threats and Motivation:

  1. Physical Accessibility of Devices
  2. Valuable IP and generated insights
  3. Critical actions from insights
  4. Heterogeneity in silicon, languages and procedures

It is vital that we include the information in this ppt, please include in the White Board Design session slides: AzureIoTEdge_Security.pptx

Please add the following resources:

Helpful background information.

IoT Edge as a gateway device is the most popular use case. XTO uses this as well. From a security perspective, there are two main objectives in the current stage of the product evolution:

  1. Provision IoT Edge Device using DPS
     a. Using vTPM in Linux (virtual or vTPM is a stand-in for a real TPM): https://docs.microsoft.com/en-us/azure/iot-edge/how-to-auto-provision-simulated-device-linux
     b. Using sTPM on Windows (software/simulated or sTPM is a stand-in for a recommended discrete/chip TPM): https://docs.microsoft.com/en-us/azure/iot-edge/how-to-auto-provision-simulated-device-windows
     c. Use dTPM on Linux (realization of #a. above; discrete or dTPM is an actual chip TPM and recommended for production) using Raspberry Pi: https://catalog.azureiotsolutions.com/details?title=OPTIGA-TPM-SLB-9670-Iridium-Board&source=all-devices-page
  2. Edge as Gateway and setting up trust relationships
     a. Configure to act as transparent gateway: https://docs.microsoft.com/en-us/azure/iot-edge/how-to-create-transparent-gateway
     b. Authenticate downstream device to IoT Hub: https://docs.microsoft.com/en-us/azure/iot-edge/how-to-authenticate-downstream-device
     c. Connect downstream device to Edge gateway: https://docs.microsoft.com/en-us/azure/iot-edge/how-to-connect-downstream-device

givenscj commented 5 years ago

Added the resources provided and an objection/customer need for the security module model points above.