The Edge Era began with the migration of artificial intelligence (AI) from the
  cloud to the network edge. Smart connected IoT devices in our
  homes, offices, factories and cars now outnumber the billions of existing
  cloud-connected PCs and smartphones.
  By 2025, an estimated 50 billion connected devices will generate enormous
  amounts of data. But processing and acting on terabytes of data generated by
  even a single device can be a daunting task.
  In the traditional IoT connectivity paradigm, the data is transmitted to the
  cloud for processing, analysis and decision making. However, as machine
  intelligence and computing power shift to the edge of the network, creating an
  “application edge,” we’re seeing the rise of autonomous, edge-based decision
  making in smart homes, factory and process automation, transportation, smart
  city and public safety systems, precision farming and agriculture. 
  Processing critical data locally, meaning at the edge, reduces roundtrip
  latency for time-sensitive applications and eases the burden on network
  infrastructure, lowering total cost of ownership. An edge device running a
  pre-trained ML model can make real-time decisions locally, improving the
  overall user experience. Even without a cloud connection, for example, a smart
  door lock with built-in facial recognition can unlock automatically when it
  recognizes the homeowner. Moreover, the smart home data remains private and
  more secure when processed and stored locally at the edge.
How Best to Secure the Edge
  These intelligent edge devices generate large quantities of data, some of
  which may still be shared with the cloud, and it is becoming increasingly
  critical to protect these devices from intrusions and malicious attacks. Any
  device that connects to other devices or to the cloud is a potential entry
  point for attackers to steal data, hijack operations or gain unauthorized
  access to the cloud. Edge devices are especially attractive, high-value
  targets for attackers. Edge devices collect raw data from sensors and process
  data closer to where it’s generated while also sharing information with remote
  and cloud-based services as needed. In most cases, this information contains
  sensitive, private data that must be protected.
  Securing data has become even more challenging with the increasing number of
  data sources from edge devices, the value of that data and the required
  collaboration between devices and networks. This makes it vital to have a
  security-by-design approach that starts with integration at the silicon level.
  Ideally this continues throughout, from design concept and modeling, to
  deployment and lifecycle management, including over-the-air (OTA) updates.
A Holistic Approach to Security: Expanding and Enhancing
  At NXP, we believe security is a holistic system process and not an add-on
  feature. A system is only as secure as the weakest component an attacker can
  reach. Edge devices can be a lucrative attack target, particularly if
  connected to, and communicating with, many other devices.
  These edge devices must be protected with robust, easy-to-deploy security
  technology.
  Additional protection and some level of intrusion detection must be
  implemented for edge devices. At the system-on-chip (SoC) level, integrated
  hardware capabilities, such as root of trust, tamper detection, secure boot
  and secure enclaves, combined with software mitigation techniques can all be
  used to protect devices and thwart intrusions and attacks. This is the heart
  of the NXP approach to security.
  
  
  [Figure: EdgeLock® secure enclave ‘Security HQ’]

Formidable Edge Device Security with EdgeLock® Secure Enclave
  Embedded hardware security is a core competency of NXP i.MX crossover MCUs and
  applications processor families, which are used in a wide range of edge ML
  applications. Depending on application needs, the security capability can be
  integrated or isolated with a secure subsystem. NXP also provides security
  software to enable secure cloud connectivity for data sharing and OTA updates
  for lifecycle management.
  To further build trust and ease development of secure edge devices, the
  EdgeLock® secure enclave, announced in 2021, is a preconfigured, self-managed
  and autonomous security subsystem that enables embedded developers to achieve
  their device security goals without requiring security expertise. Making it
  accessible to secure any edge device is key to NXP’s mission.
  The EdgeLock secure enclave functions like a “security HQ” inside an i.MX SoC,
  overseeing security functions to protect devices against various types of
  local and remote security attacks. The enclave eases the complexity of
  implementing robust, device-wide security intelligence for IoT applications
  through autonomous management of critical security functions, such as root of
  trust, run-time attestation, trust provisioning, secure boot, key management
  and cryptographic services.
  Because system security rules are kept isolated inside of the enclave,
  critical security functions can be offloaded from the rest of the SoC. This
  means various security assets (like secret keys) are not co-located within or
  visible from the same environment as user or OEM deployed software and
  firmware on the chip. Compared to common integrated security, this isolation
  increases protection against spoofing and can significantly reduce the
  attack surface. Furthermore, to help prevent new attack surfaces from
  emerging, the enclave can intelligently track power transitions when
  applications are running.
  Another major benefit is that the secure enclave can be independently
  certified against various relevant schemes, allowing for OEM reusability. One
  interesting example is FIPS certification (such as this i.MX applications
  processor example), which is mandatory for certain applications. Select secure
  enclave deployments are FIPS certified as integrated cryptographic modules,
  which saves the end-device developer the time and money usually spent on the
  certification process.
  The fully integrated, on-die EdgeLock security subsystem is a standard feature
  across NXP i.MX 8ULP and i.MX 9 applications processors, providing scalable
  options to deploy security in thousands of edge applications, from wearables
  to smart home devices to industrial automation.
  The intelligent edge has great potential to change how we interact with our
  world in a more productive, safe and efficient way. There’s much more to
  creating intelligent edge devices than adding ML capabilities like vision and
  voice recognition. It’s critical to develop edge ML applications with the
  latest security technologies. Start by working with an edge computing platform
  supplier that embeds robust security at the silicon level. Built-in security
  technologies like EdgeLock secure enclave will help simplify the path to final
  device certification through real-time isolation, trust provisioning and
  device lifecycle management.