535 Route des Lucioles, Les Aqueducs - Bat 3, 06560 Sophia-Antipolis




TAZAM is the TrustAZUR Asset Management solution to provision, store and manage assets to secure communication between Trusted Applications and Remote Services in the Cloud

TAZAM offers Security Services

Device Identity Management

Asset Provisioning, Storage and Management

Platform Measurements / Attestation

Trusted Messaging / Logging / Reporting

FW Update / FOTA Agent support

TAZDM administrates jobs on device hosting TAZAM

Enables deployment of TAZAM-ready devices

Supports Device Onboarding

Supports Job (set of remote operations) creation

Logs TAZAM activity and Job results


TAZAM is a Trusted Service hosted on Microcontrollers and Application Processors

TAZAM offers Security-related Services to Client Applications

  • Trusted Applications
  • OS Applications
  • Cloud Remote Services

TAZAM establishes and manages Secure Connections (Trusted Links)

TAZAM enables Asset Provisioning from Cloud Remote Services

TAZAM is designed to be portable on Multiple Embedded Architectures

  • Trusted OS-less: execute on Bare Metal HW Enclave
  • Trusted OS-based: execute as an application in an OS Environment (OP-TEE, Arm Trusted Firmware-M)

In IoT space, communication protection is not just about protecting against eavesdropping of data in transit. IoT Devices, which are open devices, can be hacked by installation or injection of malicious data or software at any given time through wireless or wired interfaces.

Because device interfaces are controlled and managed by Non-Trusted software, it is critical that sensitive software and assets stored and processed on the device are protected within a Trusted Enclave, and are safeguarded when remotely accessed from outside of the Trusted Enclave.

The level of protection of software and assets on a given platform depends on the capabilities of fundamental security technologies present on the he platform: Root of Trust, Trusted Enclave, Asset Management.

Protection on today’s IoT Devices

In the absence of all fundamental security technologies on such kind of device, no protection against software attacks can be implemented. Assets, data and software are fully exposed to attacks through the open device OS ( ).
Protection of data in transit can be achieved by using secure protocols, like TLS, which encrypt data before sending it out of the device ( ).

Protection of IoT Devices implementing a Root of Trust

In this case, initial assets and RoT software are protected in the RoT component ( ).
Mitigation mechanisms can be possibly introduced against non-secure software injection and device cloning/impersonation ( ).

Protection of IoT Devices with an RoT and TAZAM

In this case, protection against device cloning/impersonation is achieved, as well as protection of data processed in the Trusted Enclave and sent to Remote Services by the means of a TAZAM Trusted Link ( ).

``I want to protect my device versus impersonation and cloning``

  • TAZAM installs a Trusted Device Identity which ensures that it is an OEM or Service Provider approved device
  • Such Identity is used to remotely authenticate the device

``I want to protect my software running on my platform``

  • TAZAM authenticates SW at Boot Time and Run Time (Attestation)
  • TAZAM supports FW Update Management

``I want to protect my credentials``

  • TAZAM stores sensitive data into its asset storage and provides access control capabilities to this data
  • TAZAM leverages Trusted Domains to isolate Asset Storage areas owned by different Service Providers

``I want to securely communicate with a remote server``

  • TAZAM establishes a Secure Connection (Trusted Link) with Mutual Authentication to a remote server on top of an existing logical connection (MQTT, TCP/IP)

``I want to execute security services in the device from a remote server``

  • Client Applications easily request Security-related Services execution to TAZAM via commands interface

``I want to provision assets into the platform``

  • Cloud Remote Services (leveraging TAZDM reference implementation) can provision assets into TAZAM which can be shared with Trusted Applications

``I want to securely send messages between device and server``

  • TAZAM includes a Trusted Messaging component to exchange messages between Trusted Applications and Remote Services

``Is TAZAM replacing Arm Trusted Firmware-M or Linaro OP-TEE?``

  • TAZAM is extending Arm TF-M and OP-TEE capabilities by providing a secure connection to Remote Services
  • TAZAM can work bare metal if no underlying Trusted OS runs in the Trusted Enclave
  • TAZAM can also be executed as a Secure Application if the platform includes a Trusted OS within the Trusted Enclave

Embedded Platforms

TAZAM-C: Microcontroller Bare Metal

Cypress PSoC 6 (Arm Cortex M0+) / Amazon FreeRTOS NXP LPC55S69 (Arm Cortex M33 -v8M) / AmazonFreeRTOS

TAZAM-M: Arm TF-M Partition

Arm Musca Board (V8-M), Arm Trusted Firmware-M, Arm Mbed OS

TAZAM-T: TEE Trusted Service

Raspberry Pi, Linaro OP-TEE, Linux / Android

Cloud Solutions



IBM Cloud