
How do you ensure accountability, identity in a smart connected world?

One of the biggest changes over the last few years has been the shift from product ownership to buying those same products as-a-service. Both consumers and industry increasingly prefer to pay for the use of a product as and when needed, rather than incur large initial capital investments to purchase a product outright.

But when the service becomes ‘smart’ and ‘connected’, the disaggregation of ownership from just one organization to potentially multiple companies in the value chain brings a completely new challenge: who owns what, who’s liable for service delivery levels, and how do you manage identity in order to establish accountability?

This is a question which will become more and more relevant as we start seeing more smart services. To illustrate the challenge, take lighting-as-a-service (LaaS) as an example. The development of smart cities is one of the major factors driving LaaS market growth. Benefits for the end-user include no upfront costs, lower energy consumption, no maintenance liability, improved lighting experience, and energy savings. In addition, they might also be able to purchase add-on functions such as remote management, data collection, and inter-device communication.

The global smart lighting market is forecast to reach US$27 billion by 2023, a compound annual growth rate of over 20%, according to market research. The increased use of the internet of things (IoT) for the design and functioning of street lighting is also anticipated to propel demand. Many of the leading manufacturers are getting into this market to offer the service, such as Cree, Hubbell Lighting, Philips, Osram, Schneider Electric and many more.

Who’s the owner, who’s delivering the service?

Now consider this. It’s not necessarily the smart lighting device maker that ultimately offers the service to the end-user. The building owner may offer it to customers as a value-added service, and hence ‘buy’ the devices or the service from the manufacturer. Or there may even be another level, where an intermediary or agent is leasing out the building and then becomes the interface to the end-user.

It’s now apparent that ownership, and therefore accountability and liability for the service, could potentially be placed anywhere in this value chain: the device manufacturer, the building owner, or a property agent. In this scenario, the questions that arise are things like: who’s responsible for the commissioning of the devices, who’s responsible for providing updates (and accountable if, for example, important security updates are not delivered), and who should ensure the device is decommissioned at the end of its life (say, when a lightbulb needs replacing)? How do you manage this entire lifecycle of commissioning, updates, and end of life? And what about billing for different service levels?

Root of Trust (RoT) ensures clear identity

The only sure way of addressing this is to enable unique, cryptographically secured device identity using a root of trust (RoT). This creates a secure foundation for ‘as-a-service’ business models, which enables the management of ownership as well as change of ownership. Embedded Trust is the first development toolchain that supports the integration of such a secure device identity into program code right from the beginning. Because the RoT is configured during the software development phase, it can be ensured that the identity meets specific requirements, such as those of a product-as-a-service model.

Later, during manufacturing, the Secure Deploy technology generates the necessary cryptographic keys and seeds them in the individual devices according to the RoT definition created during the development phase with Embedded Trust. As a result, the device-individual keys, which prove the identity, are not exposed in the development environment. Nevertheless, the seeding of a flexible RoT can be configured during IoT device software development. Such an infrastructure for managing cryptographically secured identities is unique to the Secure Thingz / IAR Systems toolchain, and is available for the first time outside highly secure environments such as the development of payment smart cards.

Managing your own device identities applies not just to lighting-as-a-service but to any ‘as-a-service’ model, including for example mobility-as-a-service, which is being talked about a lot now, not just by the new disruptors in industry like Uber and Lyft, but also by traditional car makers and electronics systems developers. An example of the latter is the recent announcement by Fujitsu and Ford, where Fujitsu and Autonomic, a wholly owned subsidiary of Ford Smart Mobility, are collaborating to offer OEMs a fast and flexible solution to support the automotive industry's transformation to mobility-as-a-service models.

Again, the only way to ensure confidence in identity, security, and trust across the value chain in mobility-as-a-service is to implement a RoT right at the beginning.