Heat Pump Manufacturer

PKI as a Service in AWS

Abstract

The client, a leading heat pump manufacturer, was developing a long-anticipated IoT solution for their heat pumps. The target was to give their customers added value through the ability to control their heat pump device remotely, and to give the client the ability to collect diagnostics from installed product units and push important updates to the product remotely. The company engaged Omegapoint as a development partner. A critical part of the solution would be to enable secure end-to-end communication. Omegapoint leveraged AWS Private Certificate Authority and developed a small Registration Authority service with custom business logic as part of a PKI as a Service (PKIaaS) solution, which ended up costing a fraction of what the competing packaged solutions cost.

Background

The IoT solution being developed by the client required a secure means of end-to-end communication between the devices, the diagnostics services, and the customers. As the heat pumps have a lifetime of 15-20 years, there is also a need for the solution to be secure in the long-term and housed on a reliable platform that can evolve over time.

The Solution

Omegapoint created a PKI (Public Key Infrastructure) based solution where X.509 certificates are issued to the IoT devices and are used for authentication and to secure end-to-end communication through intermediary services. Omegapoint chose AWS Private Certificate Authority for issuing all certificates and developed a Registration Authority (RA) service that implements the necessary custom business logic and controls for enrolment and request verification. The RA is completely serverless.

As part of the PKI setup, Omegapoint also implemented a code signing API that the client uses as part of the software delivery process to digitally sign software and firmware updates, which are then delivered over-the-air and verified by the IoT devices before installation. The signing API isolates the private signing keys from the rest of the code development pipeline and employs additional quality assurance controls.

The services are delivered through Amazon CloudFront on their own DNS (Domain Name System) domain, managed by Amazon Route 53. The necessary resources are well protected using AWS Control Tower and a dedicated structure in AWS Organizations. A range of security services has been employed to monitor and lock down operations in line with least privilege, including custom AWS IAM (Identity and Access Management) roles and Service Control Policies.

Results at a fraction of the price

The solution provided by Omegapoint met the client's current security requirements, with flexibility to evolve over time as security best practices and recommended protocols and standards evolve. A combination of short-lived and long-lived certificates is employed to deliver an optimal balance between benefits, risk exposure, and the administrative overhead that comes with operating a PKI. The implemented solution yields a long-term operational running cost that is ~20% of the cost attributed to the commercial alternatives evaluated as part of the project. By letting AWS Private CA and Amazon CloudFront do most of the heavy lifting, the delivered resilience and service uptime far exceed most other service offerings, or any self-hosted alternative.


About Omegapoint

Founded in 2001, Omegapoint is a leading expert in cybersecurity and cybersecure digitalisation. We are currently an Advanced Tier Consulting Partner with AWS, which we first joined in 2012, early on recognizing the significance of the cloud and the monumental changes it would bring to the industry.

Omegapoint consists of a group of sharp and kind consultants who share a passion for development in general and security in particular. We are proud to call ourselves a learning company, built on a culture of constant improvement and furthering of skills. With a watchful eye on industry developments and the privilege of highly experienced colleagues, we take pride in our ability to offer our clients a complete portfolio of services for cloud and AWS, structured around three pillars: cloud advisory, cloud implementation, and cloud life cycle management. With over 1 000 employees and offices in Sweden, Norway and Denmark, we are well positioned to help customers in the whole of the Nordic region.
