IoT Deep Dive: What Embitel’s Experts Are Building Next #1

Employing Multitenant Architecture in Firmware-Over-The-Air (FOTA) Solutions

In the first edition of our new series – IoT Deep Dive: What Embitel’s Experts Are Building Next, we have a conversation with Abhijit Roy, Cloud Architect at Embitel Technologies.

    Q. Hi Abhijit, it’s wonderful to have you here with us today. Before we get into the tech talk, let’s get to know you. Please describe yourself in a few words.

    A. Thanks for having me here! I’m Abhijit Roy. I have been in the software industry for the past two decades. My long career in this industry has helped me explore and contribute to technology development in every phase of the Software Development Life Cycle (SDLC).

    Q. That’s impressive! Could you give us a brief insight into your current focus area?

    A. Sure, I have been working on the development of IoT cloud solutions. Recently, our team of IoT experts developed an Over-The-Air Firmware Update Accelerator Solution that is a potential game-changer for OEMs.

    As an architect, I was responsible for designing the landscape for our FOTA accelerator solution.

    Q. Before we dive into Embitel’s proprietary FOTA accelerator solution, could you explain what FOTA is and how it is changing an OEM’s approach to updating firmware?

    A. FOTA is a technology that allows for the remote update of firmware on devices, such as smartphones or automotive systems.

    Modern automotive OEMs often face the challenge of meeting customer demands to deliver sophisticated and user-friendly ecosystems. OEMs are relying on software packages to deliver these connected ecosystems. Since Over-The-Air (OTA) technologies enable wireless delivery of updates/upgrades, FOTA services have become increasingly important in the automotive industry.

    The automotive industry’s reliance on FOTA falls in line with the rise of connected cars and electric vehicles that rely on software to deliver various functionalities. FOTA updates include packages to update the in-vehicle infotainment system, navigation software, engine control units, and other electronic components.

    With the advent of cloud computing, the entire processing of FOTA shifted from on-premises to cloud computing servers for any automotive OEM.

    Q. How is Embitel’s FOTA Accelerator Solution contributing to the maturing of FOTA technology?

    A. By analyzing the gaps in the market mentioned above, we have developed an MVP solution that can be used by any prospective customer in the automotive domain to develop an OTA solution in half the time!

    The MVP solution primarily focuses on device provisioning, FOTA campaign creation, real-time firmware updates of millions of vehicles over a secured network, collecting telematics data, getting business insights using the telematics data, and so on.

    Q. If you’d like to discuss one concept crucial to the development of the FOTA Update Accelerator, what would it be?

    A. I would like to highlight why and how we implemented multi-tenant architecture in this solution.

    The reason why we chose to employ a multi-tenant architecture stems from our deep understanding of how an automotive OEM structures their operations and IT department.

    Q. Why did we choose to employ a multi-tenant architecture?

    A. A multi-tenant architecture allows multiple cloud customers to access the same cloud computing resource. Doing so will enable the efficient use of software and hardware resources, which in return drives down the total cost of ownership and maintenance of the solution. Let’s understand this using the example below.

    Let’s assume X is one of the OEMs who are continuously:

    • Introducing new brands of two-wheelers
    • Upgrading the existing brand to a more sophisticated version

    Now, each of these brands’ customer segments is different, and so are the Operations and IT departments. Look at the image below to gain a visual understanding.

    Figure 1: OEM Brands Structure

    By employing a multi-tenant architecture, Automotive OEM X can enable brands A, B, and C’s Operations and IT Departments to utilize centralized computing power with pre-determined privileges.

    Q. Where can Embitel’s FOTA Accelerator Package be implemented in the above example? What else does multi-tenancy offer OEMs?

    A. Embitel’s FOTA accelerator solution shall be deployed at the root of the organization, where any OEM has the flexibility to introduce any new service specific to a particular brand or brands. The solution provides an enterprise backend along with a rich UI for backend operation at different levels to manage the following:

    • Custom user roles
    • Custom users
    • Tenants
    • Services
    • Custom branding
    • Tenant-specific device provisioning
    • Tenant-specific campaign
    • Telematics data ingestion and processing

    And many more.

    Q. What lies at the core of our FOTA Accelerator Solution?

    A. The entire solution is hosted on AWS. Many AWS services have been used in the solution.

    The FOTA solution is not a SaaS-based product but a solution accelerator, i.e., the entire platform can be deployed into the client environment and any further enhancement can be made at the client site.

    Q. When there are multiple tenants, how do you ensure no data is shared between each tenant?

    A. After understanding the above OEM structure, we treat each brand and its associated customer segment as an isolated tenant. This architecture enables superAdmin users at the root level of the organization to onboard a new tenant whenever they deem necessary.

    Any external entities from a specific brand, like specific operation users, vehicles/devices, mobile app users, inventory information, sales information, applications, etc., are isolated from each other.

    This is done so that no other tenant has access to the data, devices, and associated applications.

    Q. How are external entities mentioned above authenticated to be onboarded in the multi-tenant architecture?

    A. Authentication and authorization are vital parts of validating external entities.

    Typically, AWS IoT devices use X.509 certificates, while mobile applications use Amazon Cognito identities. Web and desktop applications use IAM or federated identities.

    So, for mobile and web user authentication and authorization we used the AWS Cognito service.

    When onboarding a tenant, we isolate the tenant users and application using the AWS Cognito user pool and identity pool. This means that for each tenant, there will be a completely isolated user pool and identity pool created at runtime. Any further interaction with the platform will be via a specific tenant user pool and identity pool.

    Q. How is data isolated and segregated when there are several user roles in an OEM?

    A. At the database level, we are using a multi-database approach for the entire solution. We use RLS (row-level security) to ensure data is isolated from another tenant or tenants.

    It is a feature that allows you to control access to rows in a table based on the characteristics of the user executing the query. This means you can define policies that determine which rows of a table a particular user or role can access, thus providing a fine-grained level of security.

    RLS is particularly useful in multi-tenant applications or scenarios where data needs to be segregated based on user roles, enhancing both security and data privacy.

    Q. OEMs run on transactions; what methodology have you employed to isolate transactional data between tenants?

    A. We employ a NoSQL database (MongoDB Atlas) for storing transactional data. Here, we used the database-per-tenant strategy, a common approach in multi-tenant applications, to isolate data and ensure that each tenant (customer or client) has a dedicated database.

    Q. Could you provide a high-level diagram to showcase how a single tenant operates in the multitenant architecture of our FOTA Update Accelerator?

    A. Yes, of course! The diagram below does not include deeper strategic implementations.

    FOTA Update Accelerator

    Thank you for taking time out of your busy schedule for this discussion, Abhijit.

    Stay tuned for more such insightful discussions on IoT Technologies with Embitel’s experts!