IoT Edge Security - Zero Touch Provisioning at Scale


An integrated, edge-to-cloud solution for Zero-Touch Provisioning at scale

IoT Edge Security: secure IoT begins with Zero-Touch Provisioning at scale

The path to IoT Edge security and the secure deployment of IoT projects starts with an hardware root-of-trust at the device level, a simple concept that belies the complexity of managing a chain of trust that extends from every edge device to the core of the network.

To win the challenges of IoT security lifecycle management, Eurotech partnered up with GlobalSign, Infineon and Microsoft to provide an integrated solution for a zero touch provisioning service that goes from edge to cloud for certificates-based identity lifecycle management for connected devices. Partners offer an ready-to-use solution for a simpler, cost-effective cloud enrollment of IoT Edge devices. 

White Paper: Secure IoT begins with Zero-Touch Provisioning at scale

What's the largest roadblock to realizing the promise of the Internet of Things? For many organizations, the obstacle delaying widespread deployments is the strategy for onboarding the necessary edge resources for a lifetime of secure operation. This paper presents the solution offered by Infineon Technologies, GlobalSign, Eurotech and Microsoft to address the complex task of the onboarding of edge devices to the cloud application infrastructure. 


IoT Edge security

IoT Edge security complexity

Eurotech delivers enhanced computing, communication technologies, and innovative IoT building blocks to provide competitive advantages for its customers. It’s rugged Multi-service IoT Edge Gateways are designed to offer a robust and secure foundation for developing and deploying edge to cloud IoT applications in demanding vertical markets, such as industrial/manufacturing, energy & utilities, medical, transportation, agriculture and mining.

That robust and secure foundation does rely on implementing and maintaining IoT Edge security best practice and leveraging proven standards from the beginning. Strong and protected device/asset identity, is a foundation building block for secure IoT solutions. But for many organizations, a solid device and identity management throughout the lifecycle of a product, (including the supply chain), is technically challenging. It results in Device Identity management being a substantial factor in the TCO (Total Cost of Ownership) of secure IoT infrastructures.

Combining partners technology and best practice from a IoT Edge Security, IT and OT perspective allows to productize an integrated solution to address the above points most effectively.

IoT Edge security challenges

  • How to ensure the integrity of devices?
  • How to safeguard device keys and secrets?
  • How do I extend the chain of trust to the customer when transferring ownership?
  • How to guarantee that credentials are only issued to trusted devices?
  • How do I protect the devices beyond onboarding?
  • How to do all of this efficiently at scale?

Enabling Zero-Touch Provisioning of IoT Edge devices

Addressing the challenges associated with IIoT requires an ecosystem with strong partners – especially when it comes with IoT Edge security. Eurotech has joined forces with Infineon, Microsoft and GlobalSign to deliver zero-touch provisioning for IoT Edge projects and simplify large scale, secure roll outs of connected devices. This collaboration delivers assurance by extending the secured device identity chain from the edge to the cloud.

For both customers and system integration partners, it results in products, services and best practice blueprints, that reduce the complexities and costs associated with IoT Edge security such as device attestation and device integrity.

A typical IoT project flow begins when an enterprise or it preferred integration partner authorizes a Certificate Authority and receives an intermediate certificate, which it registers to the Azure Digital provisioning Service (DPS) for device attestation.

This establishes the basis for all device identities associated with the zero-touch devices in a given project. In turn, the customer engages with Eurotech to supply hardware devices pre-configured for zero-touch onboarding.

Secure IoT Edge device identities (IDevIDs)

Eurotech devices feature device identities based on the 802.1AR standard. They are globally unique-per-device identities that are cryptographically bound to a device.

At manufacturing time, Eurotech creates and installs an Initial Device identifier (IDevID). The IDevID certificate, signed by Eurotech, extends chain-of-trust to the device and attests the platform integrity by identifying it as a genuine Eurotech device and specifying its device type and its serial number.

The IDevID key and certificates are respectively stored in the Endorsement and Platform Hierarchy of the TPM 2.0, making them immutable and unmodifiable for the lifetime of the device.

To enable zero-touch provisioning, Eurotech offers a customization service to install complementary Locally Significant Device Identifiers (LDevIDs) at the point of manufacture time.

The LDevID is affiliated to the device owner and signed by its CA. This pre-configuration supplements the IDevID and it is used for authentication and device authorization, as well as the installation/configuration of the Azure IoT Identity Service (with its own unique LdevID).

LDevIDs, which are anchored and stored in the TPM, and leverage the owner accessible Storage Hierarchy . The creation and management of these identities is controlled through an enterprise class PKI infrastructure and through standard-based protocols.

The benefits for customers and partners: automated Zero-Touch Provisioning and IoT security from edge to cloud

Many companies today support elements of Zero-Touch Provisioning, but leave the end customer responsible for part of the implementation. The joint solution presented by Eurotech, Infineon, GlobalSign and Microsoft addresses each step of the manufacturing process to provide a secure, automated identity chain that extends throughout the operational lifecycle of the device and system.

For customers and system integration partners that require further support and services, Eurotech offers a comprehensive professional services portfolio. This offering includes, but is not limited to development and design services to have Edge Computers & IoT Gateways further customized and optimized for their specific use case, but also the implementation of new and legacy field protocols, project management, certifications, consulting and long product life support.

Eurotech can now offer natively-secure, ready-to-deploy devices to customers and system integrators that can be enrolled for cloud deployments with a drastic reduction of costs.  The collaboration with the partners offers a zero-touch cloud onboarding, while maintaining best-in-class IoT Edge security.

Do you want to know more about IoT Edge security best practices and how our components enable end-to-end security? Read our Solution Overview

Solution Overview: An end-to-end approach to IoT security

The IoT ecosystem is composed of many standards, vendors using different hardware, software and third-party services and APIs. This huge fragmentation makes the ecosystem very vulnerable to all sorts of attacks, both at the edge and in the cloud. To achieve IoT security, both at the edge and in the cloud, we need to establish solid solutions for device discovery with secure identity, authentication and encrypted communications or the underline protocols are subject to abuse.


IoT Edge security
This website or third-party tools used in it uses cookies useful for the proper functioning of the site and for the purposes described in the cookie policy. If you want to learn more or opt out of all or some cookies, see the
cookie policy
By closing this banner, scrolling this page, clicking on a link or continuing navigation in any other way, you allow the use of cookies.