If we’re going to succeed in enabling true Internet of things (IoT) security, we all need to agree on a few things. Things like IoT SAFE (IoT SIM Applet For Secure End-2-End Communication), a new standard from the GSMA that declares the SIM (subscriber identity module) to be the most secure location within a device from which to process and secure the data exchange from chip to cloud.
Before I explain why IoT SAFE makes so much sense for IoT security, let’s look at what ‘secure location’ means within this context. Today’s IoT devices typically employ any number of isolated and trusted components we call Root (or Roots) of Trust (RoT). Often proprietary, they’re spread across hardware, firmware and software elements, performing specific critical functions.
Standardizing the IoT’s Root of Trust
For manufacturers, establishing these RoTs is the first step in ensuring a new device is built secure. But while each component may be trustworthy in itself, lack of standardization has resulted in inconsistent methods of provisioning, reduced interoperability across vendors and uncertainty from those eager to build IoT devices over whether proprietary security methods are truly secure.
No wonder our recent survey in conjunction with the Economist Business Unit found that—among other things—security concerns still constrained respondents’ IoT ambitions.
Standardizing the RoT within a device’s SIM ensures a common mechanism for secure data communications using a highly trusted and time-tested module. It offers a cost-effective mechanism for cloud authentication and end-to-end security, since SIMs are already used for authentication on mobile networks. That makes IoT SAFE a key step towards uniting the industry in realizing the vision of a truly secure IoT, from chip to cloud.
Arm’s commitment to IoT security goes back to long before we called that global network of diverse devices the ‘Internet of Things’, and it’s something we’re more committed to than ever as the IoT becomes more defined. It’s why we’ve spearheaded IoT security best practices such as PSA Certified, which offers a security framework and independent assessment program to enable IoT developers to build devices that IoT solution deployers trust to readily secure their data channels from chip to cloud.
iSIM takes IoT SAFE further than any other form factor
It’s also why we’ve invested in technologies such as iSIM, which embeds the SIM within a trusted, tamper-resistant enclave at the heart of the device’s system on chip (SoC). We believe it’s the ultimate foundation for a secure IoT SAFE device.
IoT SAFE meets the needs of IoT security for all SIM form factors: SIM, eSIM and iSIM. But if we’re looking to maximize IoT security, it makes most sense to bake that RoT directly into the SoC, where it’s integrated into the heart of a device’s capabilities. iSIM takes IoT SAFE further than any other SIM form factor as iSIM security already offers industry-recognized levels of protection of network and subscriber credentials that are built-in from point of manufacture.
Read More: SIM, eSIM, iSIM: What’s the difference?
And if we need to update that security in future (a somewhat cumbersome and proprietary task until now), IoT SAFE standardizes the delivery and provisioning of over-the-air (OTA) security certificates directly to the most secure place in a device, ensuring that the transfer of information from iSIM chip to cloud can’t be intercepted and modified.
It gives device manufacturers the best chance to mitigate potential attacks, and by using a secure, tamper-resistant hardware element to protect credentials, it reduces the risks associated with spoofing or man-in-the-middle attacks when exchanging sensitive data with the IoT service provider’s cloud.
Secure IoT device provisioning and management with iSIM and IoT SAFE
iSIM also takes the concept of simplifying the SIM SKU count further than other form factors. The SIM or eSIM is until now built on a discrete secure microcontroller (MCU), so it makes perfect sense to add these SIM capabilities into the device’s main SoC, reducing the bill of materials (BOM), optimizing the supply chain and shrinking the physical size of the SoC’s die. That size reduction will be particularly important to IoT SAFE devices that are physically too small (or too well sealed, for example in high-moisture applications) to accommodate SIM or eSIM chips.
And of course, iSIM makes the secure, zero-touch provisioning and ongoing management of these devices using connectivity platforms such as Pelion Connectivity Management that much more seamless and inherently more scalable.
We’ve always believed innovators should be able to choose any device, any data source, any network and any cloud to tailor their solutions. In keeping with this philosophy, the combination of IoT SAFE running on an iSIM allows for self-contained processing and encryption elements to manage security-related workloads for network and cloud authentication in a more integrated yet tamper-resistant way. It enables a vast new range of secure use cases covering a combination of smaller device sizes, ‘baked in’ connectivity and seamless provisioning and lifecycle management.