Azure IoT Solution Architecture Best Practices – IoT Devices Provisioning

In the modern IoT Solutions often we have a big number of devices, connected to the back end: thousands hundred thousands or even millions of devices.
All these devices should have initial configuration and to be successfully connected to the back-end and this configuration should be done automatically.

In a sequence of article there will be described the main concepts of automatic provisioning and best practices how to implement it (focusing more on Azure based IoT solutions).

Challenges:

If devices are configured in advance during the manufacturing it will be:

1. very difficult to know in advance the connection settings during the manufacturing. For big solutions it is possible to know the customer, but it is difficult to know details about exact connection in advance.

2. Setting the connection in advance is not secure. This approach will give options if somebody know the settings to initiate connection from a fake device and to compromise the system.

3. In the modern IoT solutions it is recommended to have implemented MFA (multi factor authentication). 

To be possible to have zero touch provisioning is needed to have pre-set of the devices from the back-end.

This initial configuration includes 2 groups of settings:

  • Settings, related to the exact connection of the devices to the back-and : end point and authentication
  • Settings, related to the specific IoT Solution business logic as logical grouping of the devices, which could be done from the back-end 

The first group of settings needs communication between back-end and devices to let them know it’s connection and to provide authentication.

How is possible devices to have automated configuration? The most common approach is to have a common “discovery” service for the whole solution.
This service will not be changed and devices will connect to this service to receive its settings.

To provide MFA for device registration information on manufactured devices with their specific properties should be imported in advance in the system. This import should be based on the information, provided from the device’s manufacturer. It will be not possible somebody non-authenticated from outside to provide this production data import.

Authentication of devices for initial provision should be provided using 2 independent channels (MFA). Usually those c channels are:

  • Import of the manufactured device data
  • Authentication of devices to establish communication channel, used for provisioning

Authentication of devices to establish connection for initial  provisioning can be done in several ways:

  • Basic authentication (not recommended)
  • Integrated authentication using identity management system like Microsoft Active Directory
  • Secure attestation using .X.509 or TPM-based identities

Using authentication with specific credentials brings more complexity and more risk. Most of the modern IoT solutions are designed to use secured connection, based on certificates in different varieties. 

The both parts of the authentication are 2 sequential parts of the provisioning process.

  • Manufacturing step.
  • Solution setup step (back-end setup and device initiated provisioning).

Device provisioning with CA

Fig.1 Provisioning based on manufactured devices data and certificates.

Manufacturing step contains:

  • Base software install and setup.
  • Configuring pre-requisites for device provisioning: global endpoint, certificate etc.

The back-end setup includes:

  • Importing information about devices to the back-end system.
  • Integration with PKI (importing of public certificates in the IoT Solution) – when certificate based security is implemented
  • Integration with identity management system – when authentication is based on this approach.
  • Configuring an appropriate discovery service (IoT Hub Device Provisioning Service in Azure), which is able to assist during the provisioning and when device is authenticated to sent the settings to the correct gateway service (IoT Hub).

When the back-end configuration is done it is possible to start the provisioning process, initiated from the device.

Fig.2 describes detailed the common approach for modern zero-touch device provisioning.

 

IoT Provisioning Concept

Fig.2 IoT provisioning concept.

Next article will be focus on the solution design and implementation about device provisioning when using Azure based IoT solutions with IoTHub and IoTHub Device Provisioning Service (DPS).

If you want more information feel free to contact me at michael@mateev.net Follow my blog : https://mmateev.wordpress.com/  .

You can learn more also if you follow me on Twitter @mihailmateev , and stay in touch on FacebookGoogle+LinkedIn and Bulgarian BI and .Net User Group !

Advertisements

About Mihail Mateev

am a Microsoft Regional Director currently living in Sofia, Bulgaria. My interests range from technology to entrepreneurship. I am also interested in programming, web development, and education. Technical Consultant, Community enthusiast, PASS Regional Mentor for Central Eastern Europe, chapter lead, Microsoft MVP – Microsoft Azure. Organizer of SQLSaturday, Azure Bootcamp, IoT and JavaScript conferences. My experience is in various areas related to Microsoft technologies, including Windows Platform, ASP.Net MVC, MS SQL Server and Microsoft Azure. I have a PhD in cloud computing and am a university lecturer on Smart Homes and Smart Energy IoT Solutions
This entry was posted in Azure, Device Provisioning, DPS, IoT, IoT Device Provisioning, IoT Solutions, IoT Suite, IoTHub, IoTHub Device Provisioning Service, Provisioning, Zero Touch Provisioning. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s