Transitioning from Software Based Security to Hardware Based Security – How to Make the Leap

The need for security is not debatable. What is debatable is HOW and WHEN to implement it. OEMs of any size are challenged with how to design, produce and manage secure devices. Cloud based web services will require IoT devices to have secure credentials before they can use their device management services. To mitigate risk, many OEMs design software based security into their product. Keys and certificates are injected into the firmware of the product via software update mechanisms. The OEMs use mutual authentication over a secure protocol to authenticate device identity. Although software based security is better than no security, many experts agree that s/w based security is vulnerable to a variety of attack vectors. The most effective security is to extend the s/w security model down to the hardware level. In this model, tamper-resistant secure elements or secure microcontrollers are used to protect device key pairs, certificates and other credentials. Once these cryptographic functions are established on the device, OEMs can leverage cloud based web services to manage and monitor the device throughout the products’ lifecycle. This presentation examines how OEMs can adapt their product designs from a s/w based security model to a h/w based security model and methods to provision devices in production cost-effectively. It also discusses how OEMs can build on basic device authentication for more complex models including FW encryption to leverage cloud based web services.