Secure Device Onboarding
AnyConnect accelerates onboarding of IoT devices – from minutes to seconds – with a secure, automated process. This onboarding process begins when a device is first powered on and ends when the device’s owner takes control.
AnyConnect automates both the onboarding process and its security. AnyConnect Secure Device Onboarding delivers automated IoT security that protects each device during its entire security lifecycle: from protected boot and authentication at first power-on, to secure pairing with its first owner, to an instant update of the device’s firmware.
Secure Device Onboarding supports both factory and field provisioning.
Factory & Field Provisioning
Onboarding with factory provisioning
With factory provisioning, the Provisioning Secret does not leave your control.
As illustrated, you first create a Provisioning Key and Secret in AnyConnect’s Console. Using your Provisioning Key and Secret, the Console then creates a .csv file containing a number of Endpoint Keys and Secrets.
Finally, you write your Endpoint Keys and Secrets (one to each device) at manufacturing time “in the factory.”
Onboarding with field provisioning
With field provisioning, you first create a Provisioning Key and Secret.
You program your Provisioning Key and Secret into each device.
Once each device is “in the field”, AnyConnect’s Access Helper Library obtains a unique Endpoint Key and Secret for it from AnyConnect’s Access REST Service.
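The two provisioning flows above, as an added Python simulation that is not AnyConnect code: the Console, the .csv export and the Access REST service are modelled in memory, and the credential format (a readable key id plus a random secret), the single-use exchange of provisioning credentials for endpoint credentials, and the constant-time comparison are assumptions made for the illustration. The point it makes visible is which secret each device ends up holding in each mode.

```python
import csv
import hmac
import io
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def new_credential(prefix: str) -> Tuple[str, str]:
    """Constructed credential format (assumption): a readable key id plus a random secret."""
    return f"{prefix}-{secrets.token_hex(4)}", secrets.token_urlsafe(24)


@dataclass
class Device:
    serial: str
    provisioning_key: Optional[str] = None
    provisioning_secret: Optional[str] = None
    endpoint_key: Optional[str] = None
    endpoint_secret: Optional[str] = None


class Console:
    """Simulated Console: owns the Provisioning Key/Secret and mints Endpoint credentials."""

    def __init__(self) -> None:
        self.provisioning_key, self.provisioning_secret = new_credential("prov")
        self.issued: Dict[str, str] = {}  # endpoint key -> endpoint secret

    def mint_endpoint(self) -> Tuple[str, str]:
        key, secret = new_credential("ep")
        self.issued[key] = secret
        return key, secret

    def export_endpoint_csv(self, count: int) -> str:
        """Factory provisioning: mint `count` Endpoint Key/Secret pairs and return them as CSV text."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["endpoint_key", "endpoint_secret"])
        for _ in range(count):
            writer.writerow(self.mint_endpoint())
        return buf.getvalue()


class AccessService:
    """Simulated Access REST service used by field provisioning."""

    def __init__(self, console: Console) -> None:
        self.console = console

    def register(self, provisioning_key: str, provisioning_secret: str) -> Tuple[str, str]:
        """Exchange valid Provisioning credentials for a fresh, unique Endpoint Key/Secret."""
        key_ok = hmac.compare_digest(provisioning_key, self.console.provisioning_key)
        secret_ok = hmac.compare_digest(provisioning_secret, self.console.provisioning_secret)
        if not (key_ok and secret_ok):
            raise PermissionError("unknown provisioning credentials")
        return self.console.mint_endpoint()


def factory_provision(console: Console, devices: List[Device]) -> None:
    """Write one Endpoint Key/Secret from the Console's CSV into each device at manufacturing time."""
    rows = list(csv.DictReader(io.StringIO(console.export_endpoint_csv(len(devices)))))
    for device, row in zip(devices, rows):
        device.endpoint_key = row["endpoint_key"]
        device.endpoint_secret = row["endpoint_secret"]


def field_provision(console: Console, service: AccessService, devices: List[Device]) -> None:
    """Program the shared Provisioning Key/Secret into each device, then let each device
    obtain its own Endpoint credentials from the Access service once it is in the field."""
    for device in devices:
        device.provisioning_key = console.provisioning_key
        device.provisioning_secret = console.provisioning_secret
    for device in devices:  # what the Access Helper Library would do on first boot
        device.endpoint_key, device.endpoint_secret = service.register(
            device.provisioning_key, device.provisioning_secret
        )


def secrets_held(device: Device) -> Set[str]:
    """Which long-lived secrets end up stored on the device under each mode."""
    return {name for name in ("provisioning_secret", "endpoint_secret") if getattr(device, name)}


if __name__ == "__main__":
    console = Console()
    factory_devices = [Device(f"F{i}") for i in range(3)]
    factory_provision(console, factory_devices)
    field_devices = [Device(f"L{i}") for i in range(3)]
    field_provision(console, AccessService(console), field_devices)
    for d in factory_devices + field_devices:
        print(d.serial, d.endpoint_key, sorted(secrets_held(d)))
```

Running it shows factory-provisioned devices holding only their own endpoint secret, while field-provisioned devices additionally carry the Provisioning Secret that was programmed into them, which is the difference the text describes with "the Provisioning Secret does not leave your control."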
IoT also presents a unique set of access control challenges: devices have varying power budgets and bandwidth, networks are distributed and ad hoc, and the number of devices is huge.
AnyConnect accelerates access control of IoT devices with a robust, centralized process. The user accesses AnyConnect’s cloud-based REST services that authorize the request and relay data between the user and the IoT devices.
Access control ensures that only authorized users can access a device, for example, to view a camera, to access sensor data, or to command an actuator to perform an operation. It also enables new IoT business models such as Cameras as a Service or Sensors as a Service, where you might sell camera access or sensor data to customers.
Once a device’s Key and Secret have been registered by Access, the device is provided with an Endpoint ID. However, endpoints cannot arbitrarily send data to other endpoints. AnyConnect’s Access service (as well as the Connect and Stream services) will only allow an endpoint to communicate with another endpoint if those endpoints are “paired”.
To pair, one device asks the Access REST service for a “Pairing Key”. This pairing key is passed out of band to the other device, which supplies it back to the Access REST service; the service then adds the devices to each other’s “Access Control List” (ACL). This out-of-band exchange can be done through any medium. AnyConnect’s “pairing” sample app, for example, does the exchange through the Ubuntu file system. While helpful for instructive purposes, file system exchange is unlikely to be useful in production. AnyConnect’s Access helper library uses BLE to pass this information (as well as WiFi onboarding information) from a device to its application.
User Identity and the ACL
Two Endpoint Keys in an ACL may only communicate if at least one of the Endpoints has a User Identity logged into it. This restriction sounds more complicated than it is.
ACL Example Figure
In the example, E cannot communicate through Access to anything else because E is not in the ACL. C and D cannot communicate because they do not have a user logged into them.
Consider the common use case of a mobile device with a viewer application installed that can connect to several Stream-based IP cameras. The application can talk to the cameras because the user is logged in to the application. The cameras cannot communicate with each other because no user is logged in to a camera.
Consider another common use case of a single camera with the same user having multiple mobile devices, and being logged in on each. The camera can communicate with each of the mobile devices — so when the camera detects an event, the camera can send that event to each of the mobile applications. It is also the case that the mobile applications can communicate with each other.
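The pairing exchange and the ACL rule described above, as one added Python simulation that is not AnyConnect code. It models the Access REST service in memory, so the out-of-band handoff of the Pairing Key is just a Python variable, and it assumes the pairing key is random and single-use (the text does not say so). The two helper scenarios reproduce the two use cases in the text: a viewer app with a logged-in user and several cameras, and one camera with the same user logged in on two mobile apps; the endpoint named E mirrors the unpaired endpoint of the ACL example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Endpoint:
    endpoint_id: str
    logged_in_user: Optional[str] = None  # None means no User Identity is logged in


class AccessService:
    """Simulated Access REST service: registration, pairing and the ACL check."""

    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}
        self.acl: Dict[str, Set[str]] = {}   # endpoint id -> ids it is paired with
        self.pending: Dict[str, str] = {}    # pairing key -> id of the requesting endpoint

    def register(self, endpoint_id: str, user: Optional[str] = None) -> Endpoint:
        ep = Endpoint(endpoint_id, user)
        self.endpoints[endpoint_id] = ep
        self.acl[endpoint_id] = set()
        return ep

    def request_pairing_key(self, endpoint_id: str) -> str:
        """Step 1: one device asks Access for a Pairing Key (random and single-use: an assumption)."""
        key = secrets.token_urlsafe(12)
        self.pending[key] = endpoint_id
        return key

    def redeem_pairing_key(self, endpoint_id: str, pairing_key: str) -> None:
        """Step 3: the other device supplies the key; Access adds each endpoint to the other's ACL."""
        requester = self.pending.pop(pairing_key, None)
        if requester is None or requester == endpoint_id:
            raise PermissionError("unknown, already used, or self-issued pairing key")
        self.acl[requester].add(endpoint_id)
        self.acl[endpoint_id].add(requester)

    def may_communicate(self, a: str, b: str) -> bool:
        """Both conditions from the text: paired in the ACL, and a user logged in on at least one side."""
        if a not in self.endpoints or b not in self.endpoints or a == b:
            return False
        if b not in self.acl[a]:
            return False
        return any(self.endpoints[x].logged_in_user is not None for x in (a, b))

    def reachable_from(self, a: str) -> List[str]:
        return sorted(b for b in self.endpoints if self.may_communicate(a, b))


def pair(service: AccessService, first: str, second: str) -> None:
    """Step 2, the out-of-band handoff, is a plain variable here (BLE or a file in the real samples)."""
    key = service.request_pairing_key(first)
    service.redeem_pairing_key(second, key)


def viewer_with_cameras() -> AccessService:
    """Use case 1: one viewer app with a logged-in user, two Stream-based cameras, all paired."""
    svc = AccessService()
    svc.register("viewer", user="alice")
    svc.register("cam1")
    svc.register("cam2")
    svc.register("E")  # registered but never paired, so absent from every ACL
    pair(svc, "viewer", "cam1")
    pair(svc, "viewer", "cam2")
    pair(svc, "cam1", "cam2")  # paired, but no user is logged in on either camera
    return svc


def camera_with_two_phones() -> AccessService:
    """Use case 2: one camera, the same user logged in on two mobile apps."""
    svc = AccessService()
    svc.register("cam")
    svc.register("phoneA", user="alice")
    svc.register("phoneB", user="alice")
    pair(svc, "cam", "phoneA")
    pair(svc, "cam", "phoneB")
    pair(svc, "phoneA", "phoneB")
    return svc


if __name__ == "__main__":
    one = viewer_with_cameras()
    for ep in one.endpoints:
        print(ep, "->", one.reachable_from(ep))
    two = camera_with_two_phones()
    for ep in two.endpoints:
        print(ep, "->", two.reachable_from(ep))
```

In the first scenario the viewer reaches both cameras and each camera reaches only the viewer, even though the cameras are in each other’s ACL; E reaches nothing. In the second, the camera reaches both phones and the phones reach each other, because a user is logged in on every phone.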