The Device Chronicle interviews Ole Herman Elgesem, Product Manager for the configuration management tools market leader CFEngine and a Northern.tech domain expert, to learn how configuration and reporting can be handled in IoT device fleets.
CFEngine and Mender.io are Northern.tech's solutions for server and IoT configuration management and for IoT device management, respectively.
Ole started by describing the 3 key trends he sees in IoT and configuration management tools:
More devices means you will need a system which can handle the scale of hundreds of thousands of devices, giving you up to date information about them and allowing you to manage everything.
More complex devices means that flexible functionality is needed for making changes, with a mechanism for continuously enforcing policies and more extensible reporting.
More security requirements from government regulation, security teams concerned with minimizing risks, as well as marketing teams seeing security as a competitive advantage, means you will need ways to implement security policies, continuously enforce them, and prove it with compliance reports.
Ole then describes the importance of configuration management tools and reporting in a world where IoT fleets are scaling into the thousands and the hundreds of thousands of devices. Ole believes that proper configuration management provides an overview of every device that you have in your fleet. The more devices you add, the more difficult it becomes to deal with the older ones. Of course, different generations of devices feature different levels of processing capacity, memory, features and capabilities, and this raises additional challenges. With different generations of devices, Ole says that you typically end up having to deal with different versions of your product, but the requirement is still there to manage the whole fleet in one coherent way and for all of them to have their software updated securely. You will also be concerned with maintaining control and a panoptic view of all of your devices to optimise their performance and health. You will want to know if a device is misbehaving, and you could face some serious trouble if the device is not accessible and in plain sight. Ole says “Most often, the adverse effect of this is that your customer ends up having a poor experience, and the first you will know of the trouble with your device is through the customer complaint.”
Ole points out that, increasingly, organisations will have to manage heterogeneous device fleets made up of both highly constrained devices and more powerful devices, depending on the blend of use cases where their IoT products are applied. He says that configuration management and reporting become even more critical in this kind of scenario. “It is almost inevitable that a growing device fleet diversifies as new versions of a product are added to the fleet. You will want to make more products and different revisions. The older products will still be online and this will naturally increase the complexity.” Ole advises that the best way to handle this sort of device heterogeneity is to have everything in one system. He says “You need to be able to see everything in one system, and to have all (device) assets included in your reports.”
Ole admits that if all your devices are new and homogeneous, then a public cloud service can address their basic configuration and reporting needs. On the other hand, if you have IoT products that have been developed with multiple generations of devices over many years, then you need a capability with detailed reporting and with flexible, powerful configuration. You will also need to be able to support a wide variety of embedded operating systems, from Raspberry Pi OS to Yocto, Debian and Ubuntu-based systems.
Ole explains what it means to perform proper configuration management and reporting for a large fleet of heterogeneous IoT devices developed over many years and combining several systems. He advises “It is important to be able to describe the desired state of all of the devices in the fleet and you will want to be able to do this in a way where you can set the requirements that you have.” These requirements could include compliance controls, such as whether a user is allowed to log in over the network with a password. Ole shares a concrete example: “A common requirement is that password based login over SSH should be disabled. And then you will want all of your devices to be able to report on the compliance of that, on whether that’s actually true. And all of your devices should automatically correct that if it’s not true, fix the configuration.” Ole says configuration management tools allow you to express your requirements quite simply in a language, and then on different platforms the way the change is made may be implemented differently. So you don’t have to program how to do this change on each different system. You simply describe once what you want configured everywhere across your fleet. You need a configuration management system that can address such differences.
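The SSH requirement above, worked through as an added example (not CFEngine policy and not code from the interview): a POSIX sh check, remediate and report loop of the kind a configuration agent runs on every device. It assumes the path to the device's sshd_config is passed as the first argument and that the file contains no Match blocks.

```shell
#!/bin/sh
# Added example (not CFEngine's code): check / remediate / report for one requirement,
# "password login over SSH must be disabled", in plain POSIX sh.
# Assumptions: $1 is the device's sshd_config (normally /etc/ssh/sshd_config) and it
# contains no Match blocks.

# Effective value of PasswordAuthentication: sshd honours the FIRST uncommented
# occurrence, and an absent keyword falls back to sshd's default of "yes".
ssh_password_auth_state() {
    val=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$1" 2>/dev/null \
        | head -n 1 | awk '{ print tolower($2) }')
    printf '%s\n' "${val:-yes}"
}

# Compliance check: succeeds only when password authentication is off.
ssh_password_auth_compliant() {
    [ "$(ssh_password_auth_state "$1")" = "no" ]
}

# Remediation: prepend the desired directive and neutralise every existing one, so the
# first-match rule above cannot reintroduce "yes". Writes a temp file, then renames.
ssh_password_auth_enforce() {
    tmp="$1.tmp.$$"
    {
        printf 'PasswordAuthentication no\n'
        awk 'tolower($1) == "passwordauthentication" { print "# managed: " $0; next } { print }' "$1"
    } > "$tmp" && mv "$tmp" "$1"
}

# One agent run: evaluate, fix only if needed (convergent: a second run changes nothing),
# and print a CSV report line of the kind a central server would aggregate per host.
enforce_and_report() {
    action=none
    if ! ssh_password_auth_compliant "$1"; then
        ssh_password_auth_enforce "$1"
        action=fixed
    fi
    if ssh_password_auth_compliant "$1"; then state=compliant; else state=noncompliant; fi
    printf '%s,ssh_password_login_disabled,%s,%s\n' "$(uname -n)" "$state" "$action"
}

# Constructed sample sshd_config for a stand-alone run; prints the temp file's path.
demo_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF
    printf '%s\n' "$f"
}
# Usage: f=$(demo_sshd_config); enforce_and_report "$f"; enforce_and_report "$f"
```

The first run reports "compliant,fixed" and rewrites the file; the second reports "compliant,none", which is the convergent behaviour a continuously running agent relies on.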
Development, management, and security workflows for IoT are less mature than they are for servers. Ole says “In the server world, best practices in security and compliance have accumulated. In IoT, compliance requirements are just being developed from legislation into recommendations. Soon, there will be mandates. In many cases, users have to follow some requirements for their servers, but not for their IoT devices.” Ole adds that we are starting to see companies thinking about building security by design into their IoT products and also about the best ways to remotely manage, diagnose and configure their IoT devices once they have been deployed in the field. “And since the regulations have not been fully enforced yet, informed IoT product managers leverage the best practices and the experiences they have from general IT.” Ole foresees that, as the regulation develops, it will typically include a list of high level things that IoT product managers will have to implement in their products, such as a mechanism to securely and robustly update their devices, and being able to track vulnerabilities for patching with a patch management system. A mechanism to create compliance reports for all of the IoT devices will also be required.
Ole concludes by introducing the configuration management solution CFEngine. He describes CFEngine as “a tool running continuously on your devices, ensuring compliance with your requirements and policies.” Ole says “Users specify the requirements, the desired state, and CFEngine continuously enforces them on all their devices.” Requirements can be related to security, to dependencies or deployment of applications, or to tools and capabilities you need for troubleshooting. In addition to enforcing your policy (making changes), you can get detailed reporting information about each device: inventory information, hardware and performance related monitoring, and live information on what applications are running, what ports are open, etc. Ole says, “This detailed and up-to-date information can be critical for security teams and on top of it, a high-level compliance report can be created where the requirements are specified and how many hosts are compliant, or not, is shown. Users can then drill down and figure out why some devices are not compliant and fix them.”
We wish Ole and the team at CFEngine well as they continue to perform configuration management at scale on all types of devices.
Read another article on IoT device management and Mender.io from Northern.tech expert and Mender.io CTO Eystein Maloy Stenberg.