Edge Computing & IoT: Making It Secure and Manageable
Franck Roux, Marketing Manager, NXP
June 6, 2018
PUBLIC
Key concerns with IoT...
Why Edge Computing?
- Cloud: too far away; expensive connectivity.
- Edge: real-time; increased privacy; offline operation.
- IoT nodes: massive data; mission-critical.
Edge Compute use-cases, with cloud-based deployment & management
- Security, building automation: face recognition, object recognition, pattern detection, temperature and lighting controls.
- Fleet management: tracking, location, temperature, road conditions, optimized routing.
- Industrial analytics: real-time data acquisition, analytics, inventory control, real-time object recognition, asset tracking.
- Retail (inventory management): analytics, monitoring, inventory tracking, warehouse management.
- Healthcare: tracking, analysis, privacy-filtering, emergency response.
- Retail (consumer personalization): face recognition, pattern identification, personalized shopping, targeted ad insertion, product recommendations.
E.g. Home and Building Automation
Services: stream analytics; AI/ML; voice triggers & instant translation service; media server; home automation & security; network security services; analytics and content insertion; virtual assistant (e.g. Alexa); 3rd-party applications.
Benefits:
- Eliminate need for separate equipment.
- DRM management simplified.
- Eliminate need for a separate automation/IoT gateway.
- Better credential management, critical operations control, privacy control.
- Offer value-added services to generate additional revenue.
- Real-time action based on usage pattern detection.
- Data collection restricted to the customer (privacy).
- Centralize information within the gateway: real-time response, privacy.
- Create infrastructure for value-added services.
Where is the Edge?
Edge computing is the application of cloud technology outside a large data center.
- Smart nodes can run targeted Edge applications.
- Gateways are a natural host for Edge computing: the right balance of compute, connectivity and storage.
- Edge applications can also run on access equipment, e.g. basestations or the central office, at the cost of a costlier pipe and higher latency.
[Figure: sensor nodes, smart nodes (control), edge gateway (control, analytics, machine learning), network infrastructure (aggregation, analytics) and cloud (Amazon AWS, Microsoft Azure, Google Cloud, AliYun); gateway software stack from firmware through Linux platform, application framework and SW platform up to the customer solution and AWS/Azure/Aliyun apps.]
Management and Security Challenges
- Traditional PC, mobile devices: multiple authentication mechanisms; cloud-based security and application management.
- Edge computing devices: traditionally embedded devices; not physically accessible, or lack a display; can be many (10s, 100s, 1000s) per user.
Solution: cloud-based management and security for Edge. Manage devices and apps remotely: provisioning, upgrades.
Device vs. Application Management
- Application Management Service: customers have a choice for application management: AWS, Azure, Aliyun, Google, home-grown or 3rd party.
- Device Management Service: device provisioning and device management. EdgeScale provides device management and security via a hardware root of trust.
[Figure: Edge Gateway stack (Operating System, Edge Compute Framework, Embedded Applications, Edge Applications) with cloud applications from AliYun, Google Cloud, Amazon AWS and Microsoft Azure deployed as Edge applications.]
EdgeScale Device Management
- Remotely manage Edge Compute nodes deployed anywhere in the world.
- Common portal: enrollment, firmware updates, container deployment, device monitoring & more.
Virtualization Technologies
- KVM (best suited for Cloud Computing): Linux kernel driver to spin up VMs; complete CPU, memory and I/O virtualization; ability to run multiple OSes within VMs; requires significant memory and CPU; orchestration via OpenStack, ONF.
- Linux Containers, Docker, LXC (best suited for Edge Computing): application-level virtualization; leverages the underlying Linux kernel for I/O and storage; lightweight overhead compared to KVM; orchestration via Kubernetes or OpenStack.
[Figure: KVM stack (hardware, Linux kernel, per-VM virtual hardware and guest OS, apps) beside the container stack (hardware, Linux kernel, LXC/Docker containers).]
Edge Computing Frameworks
Each cloud framework (IBM Cloud, AliYun, Google Cloud, Microsoft Azure, Private Cloud, Amazon AWS) runs its apps on its own IoT SDK (IBM IoT SDK, Alibaba IoT SDK, Google IoT SDK, Azure IoT SDK, Private IoT SDK, AWS IoT SDK / Greengrass) packaged in Docker.
Common platform: Docker engine, protocol adaptor, data processing, data filter; kernel with cgroups, namespaces, file system, network stack, Ethernet, crypto; TrustZone; device management.
Security Requirements for the Edge
Chain of trust: security starts with a hardware root of trust. End-to-end security is a chain of interlocked security elements:
01 Manufacturing
02 Enrollment
03 Device monitoring
04 Container deployment
05 Application deployment
Credentials may be installed in on-chip Layerscape fused memory or via an external element.
Secure device management: manufacturing, enrollment, device monitoring and firmware management, container deployment, app management and deployment.
Hardware Root of Trust
Hardware-based security features ease the development of trustworthy systems. All Layerscape SoCs support the Trust Architecture.
[Figure: Layerscape SoC block diagram. Security sub-system: manufacturing protection, boot (internal BootROM, PreBoot Loader), battery back-up, security fuses, key protection, key revocation, security monitor, tamper detection, SEC engine (crypto, RNG, keys, UID), runtime integrity check, debug controller. Strong partitioning: ARM TrustZone, hypervisor MMU, IOMMU, coherent interconnect. Data-path sub-system: QMan, BMan, AIOP, FMAN, WRIOP, Ethernet, PCI; general-purpose processors, DDR controller, storage and peripherals (SD/MMC, SPI, DUART, I2C, IFC, USB, SATA), clocks/reset, power management, CCSR, GPIO.]
Chain of Trust
- Manufacturing: unique ID, public/private key, signed provisioning image.
- Enrollment: device certificate, signed firmware image.
- Device monitoring: signed firmware updates.
- Containers: AWS/Azure certificate, signed containers.
- Applications: payment, signed applications.
Hardware forms the root of trust. Multiple layers of tamper detection: each level validates the next. Multiple levels of secrets can revoke at any layer. Mutual authentication between device and cloud using asymmetric cryptography.
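As an added illustration of the chain described on this slide and on the "Security Requirements for the Edge" slide (example code, not NXP's or EdgeScale's), the Go program below models a signed image chain: the fused root public key validates the first image, each image carries the public key allowed to sign the next one, and a revocation list can cut the chain at any layer. The Stage type, the label-derived demo keys and the image names are assumptions made for this example; signatures use ed25519 from the Go standard library.

```go
package main

import "crypto/ed25519"
import "crypto/sha256"
import "fmt"

// Stage is one link of the chain of trust.
type Stage struct {
	Payload []byte            // image contents (provisioning, firmware, container, app)
	NextKey ed25519.PublicKey // public key allowed to sign the NEXT stage
	Sig     []byte            // previous layer's signature over Payload || NextKey
}

// signed returns the exact byte string each signature covers.
func (s Stage) signed() []byte { return append(append([]byte{}, s.Payload...), s.NextKey...) }

// VerifyChain starts with key = the fused root public key and checks every stage with the
// key handed down by the stage before it; a revoked key stops the chain at that layer.
func VerifyChain(key ed25519.PublicKey, chain []Stage, revoked map[string]bool) (int, error) {
	for i, s := range chain {
		if revoked[string(key)] {
			return i, fmt.Errorf("stage %d: signing key revoked", i)
		}
		if !ed25519.Verify(key, s.signed(), s.Sig) {
			return i, fmt.Errorf("stage %d: signature does not verify", i)
		}
		key = s.NextKey // trust is handed down one layer
	}
	return len(chain), nil
}

// demoKey derives a key pair from a label (demo only; real keys come from fuses or a secure element).
func demoKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("demo-seed:" + label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildChain is a constructed demo (not real NXP images): root signs image 0, image i's key signs image i+1.
func BuildChain(images []string) (ed25519.PublicKey, []Stage) {
	rootPub, prev := demoKey("root")
	chain := make([]Stage, len(images))
	for i, name := range images {
		nextPub, nextPriv := demoKey(name)
		chain[i] = Stage{Payload: []byte("image:" + name), NextKey: nextPub}
		chain[i].Sig = ed25519.Sign(prev, chain[i].signed())
		prev = nextPriv
	}
	return rootPub, chain
}
```

VerifyChain returns the number of stages accepted, so a caller can tell exactly which layer broke the chain.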
NXP Solutions for Edge Computing
- IoT nodes: NXP Kinetis, i.MX family.
- Edge gateways (home gateway, Ethernet switch, wireless router, industrial controller): NXP Layerscape, i.MX family; NXP SW platform with middleware (RTOS, Linux, Android), application management, device management and multiple cloud frameworks; customer solution apps on top.
- Cloud infrastructure (data analytics, machine learning): NXP EdgeScale suite.
Summary
- IoT deployments are driving Edge Computing.
- Edge Computing provides real-time and offline operation, privacy and cost reduction.
- Edge Gateways need to be securely managed from the cloud.
- Edge Gateways need to support multiple Edge compute frameworks.
- Security is a chain of trust starting from the hardware.
- EdgeScale provides a solution for securely managing Edge Gateways.
NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property of their respective owners. 2017 NXP B.V.