Introducing FIDO Device Onboard (FDO)
Download as PPTX, PDF•0 likes•2,592 views
The FIDO Alliance introduces the FIDO Device Onboard (FDO) initiative to address the challenges of securely onboarding IoT devices, which includes complexities from diverse hardware, manual processes, and the necessity for trusted staffing. FDO aims to streamline device provisioning through zero-touch onboarding, late binding, and open architecture, ultimately enhancing scalability and security for IoT deployments. The alliance has launched the IoT Technical Working Group and developed the FDO specification, with plans for certification programs and an open-source implementation to further drive industry adoption.
Introducing FIDO Device Onboard (FDO)
- 1. © FIDO Alliance 2021 1 Introducing FIDO Device Onboard (FDO) May 7, 2021
- 2. © FIDO Alliance 2021 2
- 3. © FIDO Alliance 2021 Today’s Speakers Giri Mandyam Senior Director for Technology Qualcomm Co-Chair, IoT TWG Andrew Shikiar Executive Director & CMO FIDO Alliance Richard Kerslake General Manager Industrial Controls and Robotics, IOT Business Unit, Intel Co-Chair, IoT TWG
- 4. © FIDO Alliance 2021 4 How the FIDO Alliance is Solving the IoT Onboarding Challenge
- 5. © FIDO Alliance 2021 The FIDO Alliance brings together the world’s leading technology companies to develop and promote the adoption of a standardized, simpler, and more secure online experience that installs trust and confidence in a digital world. 5
- 6. © FIDO Alliance 2021 + Sponsor members + Associate members + Liaison members 6
- 7. © FIDO Alliance 2021 Track record of successful collaboration 7 Growing Platform Support Hello 3 Sets of Specs Released Increasing Market Adoption
- 8. © FIDO Alliance 2021 8 How long does it take to manually onboard1 10,000 Gateways, Devices, Sensors? Answer: Over 2-man years2 1. Assumes out-of-box to securely streaming data to an IoT Platform 2. Kaiser Associates Research and Analysis, IoT study, August 2017
- 9. © FIDO Alliance 2021 The Onboarding Challenge 9 • Wide variety of IOT devices – hardware and Operating Systems • Most devices headless (i.e. don’t have displays) • Different connectivity – wired / wireless • Manual installation adds cost and time to IOT deployments, impacting program ROI • Manual installation requires trusted and skilled staff
- 10. © FIDO Alliance 2021 Onboarding solutions exist today, but don’t fully meet the needs of the industry • Manual onboarding • Slow • Insecure • Expensive • Proprietary ‘zero touch’ • Linked to one cloud/platform • Only one silicon provider • Require programming of target platform/cloud/user at manufacture Onboarding solutions today 10
- 11. © FIDO Alliance 2021 The FIDO Alliance launched the IoT Technical Working Group (IoT TWG) in June 2019 - members include leading Cloud Service Providers, semiconductor manufacturers, security specialists and OEMs. The IoT TWG analyzed multiple use cases, target architectures and specifications to develop as clear set of requirements. Intel contributed their Secure Device Onboard specification, which served as the starting point for FIDO’s IoT work - the TWG modified and extended the initial specification to meet the defined requirements. FIDO’s Approach to Secure IoT 11 NEWS - The FIDO Device Onboard specification is now available: https://fidoalliance.org/specs/FDO/fido-device-onboard-v1.0-ps-20210323/fido-device-onboard-v1.0-ps-20210323.html
- 12. © FIDO Alliance 2021 Fast, Scalable Device Provisioning, Onboarding & Activation 12 Drop ship device to installation location Power-up & connect to Network Auto-provisions, Onboards to Cloud BENEFITS1 • Zero touch onboarding – integrates readily with existing zero touch solutions • Fast & more secure1 – ~1 minute • Hardware flexibility – any hardware (from ARM MCU to Intel® Xeon® processors) • Any cloud – internet & on-premise • Late binding - of device to cloud greatly reduces number of SKUs vs. other zero touch offerings • Open - LF-Edge SDO project up and running, code now on GitHub 12 1. No product or component can be absolutely secure
- 13. © FIDO Alliance 2021 FIDO Device Onboard: Late Binding in Supply Chain 13 IoT Device Supply Chain Device SKU 2 Device SKU 2 Device SKU 2 Device SKU 2 Device SKU 2 Device SKU 2 Device SKU Customer 1 Custom SKUs Custom SKUs Custom SKUs FDO Late Binding Device Identity Build-to-order Manufacturing Infrastructure Build-to-plan Manufacturing Infrastructure Binding info Binding info Devices Customer 2 Devices Customer n Devices Customer 1 Devices Customer 2 Devices Customer n Devices Zero Touch without FDO IoT device software and security customization happens during manufacturing Result: Complicated build-to-order manufacturing infrastructure, many SKUs, small lot sizes, long lead times, higher cost Zero Touch with FDO IoT device software and security customization happens at the end of the supply chain Benefits: Simplified build-to-plan manufacturing infrastructure, fewer SKUs, large lot sizes, enable stocking distributors, low customization cost Result: Increased supply chain volume and velocity IoT Device Supply Chain Single SKU Late binding reduces costs & complexity in supply chain – a single device SKU for all customers
- 14. © FIDO Alliance 2021 Aligning FIDO IOT to Use Case and Ecosystem 14 CSP & On-prem Support IoT Platform ISV Suite Silicon/device Ecosystem SI Ready Connectivity Support Use cases where FIDO IOT delivers maximum value • Industrial and Enterprise devices: Gateways, servers, sensors, actuators, control systems, medical, etc. • Multi-ecosystem applications and services: not tied to specific cloud/platform framework • Distributor sales: deliver from stock, specify binding info after sale to customer • Device resale / redeploy: reset to factory conditions repeat onboarding process with new credentials
- 15. © FIDO Alliance 2021 How FDO Works 15 Build and Ship FDO Enabled Devices 1 Register Ownership to Target Platform 2 Register Device to Rendezvous Service 3 Devices use FDO to find owner location 4 Devices Authenticated and Provisioned 5 Devices send sensor data to IoT Platform 6 Device Recipient 3 Load Owner Voucher at Procurement Supply Chain 5 Late Binding Provisioning 1 Single SKU for Multiple Target clouds Registration 4 Target Cloud (Device Management System) with integrated FDO Owner Rendezvous service IoT Device Device Manufacturer 2 6
- 16. © FIDO Alliance 2021 Processor e.g. Intel, Arm VARs Distribution SI Manufacturing Tool (includes supply chain tools) Client for Arm, Intel, other processors and TPM FDO Owner (IoT Platform SDK) Rendezvous server (runs on Cloud or customer premise) FDO – Major Software Components IOT Device Reseller tool IN T E L ® S E C U R E D E V IC E O N B O A R D FDO Rendezvous Server Target Cloud (Internet or on-premise) 2 1 5 3 4
- 17. © FIDO Alliance 2021 FDO/SDO: LF-Edge project & Open Source 17 The LF Edge Project is an open source implementation of the FDO onboarding specification as a reference/gold implementation. https://www.lfedge.org/projects/securedeviceonboard/ Status • LF Edge accepted Secure Device Onboard as a Phase 1 (At Large) project • Project now active on LF-Edge web site. • Code now Open Source https://github.com/secure-device-onboard • Protocol testing release of FDO RD01; production release of FDO 1.0 2H21
- 18. © FIDO Alliance 2021 Drive industry adoption by building broad industry support across End users, OEMs, ODMs, silicon partners, etc. Launch FDO certification programs later this year. • Functional certification testing • Security certification testing Continue work on v.next based on implementation feedback and to address additional requirements Goals for 2021 18
- 19. © FIDO Alliance 2021 o FIDO has an established security certification program for existing FIDO authenticator specifications (UAF, U2F, FIDO 2.0/Webauthn) o Levels that correspond to achievable security assurance o L1 – Based on vendor questionnaire o SW authenticators, e.g. from an app store o L2 – Design documentation submitted by vendor and assessed by 3rd-party certification lab o Authenticators developed in a trusted SW environment o L3 – Sample device submitted to 3rd-party lab for verification of design and additional penetration testing o Authenticators instantiated in a secure element Certification and Security 19
- 20. © FIDO Alliance 2021 o Multiple security certification levels also appropriate for IoT devices, given large scope of achievable levels of security assurance o Simple devices with o Limited crypto capabilities o No isolation of HW/SW required for security functionality o More complex devices o Advanced crypto capabilities (comparable to smartphones or PC’s) o Isolation of security-impacting SW o Special purpose HW for all secure operations related to onboarding Certification (cont.) 20
- 21. © FIDO Alliance 2021 o FIDO is developing interoperability and security certification programs o Anticipated rollout before end of year, 2021 o FIDO security certification will be assessed against regional regulatory requirements o Existing FIDO security certification leverages ‘companion’ programs o e.g Common Criteria Protection Profiles o FIDO expects to leverage existing IoT security certification programs as potential companion programs Certification (cont.) 21
- 22. © FIDO Alliance 2021 • The FIDO Alliance has a successful track record of bringing standards to market. • FDO addresses the challenge of secure device onboarding – key to IoT growth • FDO has been driven by Cloud, Semiconductor and Security leaders. • FDO open-source software on LF-Edge; alpha code today, full release mid-21. • You can download the specification and the software today to start using and applying FDO. • Interested in driving the evolution of FDO? Join FIDO Alliance today! Summary 22
- 23. © FIDO Alliance 2021 Questions? 23