A Secure OS that Ensures a Secure Product

Developing secure IoT products not only requires a secure operating system, but an OS that is also user friendly, manufacturing friendly, and certification friendly. To achieve this, the ZAYA real-time operating system (RTOS) has achieved PSA Certified Level 1 and PSA Functional API Certification and combines security with other key features, such as isolation between application and independent executables.

UK, Cambridge-based ZAYA (which is named after a Tibetan word for victorious woman) draws from its founders’ experience in the highly regulated and mature payment-systems market to offer a feature-rich RTOS that can be personalized for small devices across multiple IoT verticals.

“IoT security is still in its infancy and the rules of the game are changing,” explains founder and CEO, Murat Cakmak. “IoT device manufacturers are finally waking up to the need to protect data and ensure privacy, so we added security as a design element that not only ensures the OS is secure but helps secure the product, too.”

Just 2-years ago, ZAYA was secure but when manufacturers asked for proof, we didn’t have any. Now we don’t have to convince them we’re secure, we can just show them the PSA Certified accreditation, which proves we’ve been tested by an independent authority.
Murak Cakmak, CEO and Founder, ZAYA

Legislation Creates a Perfect Storm

Faced with new legislation all over the world (including the EU, UK, and the US) device manufacturers must balance the need for security with limited resources and rising costs. Cakmak sees PSA Certified as a major step forward in the standardization of IoT security that can help achieve that balance and satisfy regulatory requirements.

“The PSA Certified program means you can implement a solution that has been independently verified as secure and is supported by industry leaders and the global Arm ecosystem,” he explains. “PSA Certified not only requires you to meet security standards, but it offers solutions you can implement to help you meet its certification requirements.”

For ZAYA, the journey to certification was relatively fast since the company was familiar with payment-system security and already met a significant number of PSA requirements. However, one change made during the process was to adapt its software to secure application and non-secure application hardware mechanisms.

“The OS had to work on PSA Functional API Certified device, we used the Arm Musca-B1 Test Chip Boards and we ported our OS across,” Cakmak explains. “This was an eye-opening experience and we were able to adapt our OS quickly to this new hardware architecture.”

Lab Assessments Run Smoothly

As a fiscally prudent CEO of a relatively young startup, Cakmak was also cognizant of the high cost of engaging with security experts in lab assessments, where hourly rates can quickly add up. A main advantage of the PSA Certified process is the ability to test the requirements internally using a test suite before submitting to lab assessment.

“PSA Certified offers functional API test suites that you can use on your own laptop, so you can see if you meet the requirements before going into the lab,” he says. “When you know you’re ready, you can go to the lab to be assessed and certified without facing multiple costly assessment rounds.”

In addition to offering the highest level of protection using Trusted Firmware-M on TrustZone for Armv8-M, ZAYA now offers a smooth and secure migration to Armv7-M through its secure kernel. PSA Functional API Certified means it is proven to help transform non-secure Armv7-M Arm MCUs to functionally secure devices.

“Standards are essential and certification by a third-party means we can offer credible end-to-end security solutions where there are currently security leaks,” Cakmak says. “Just 2-years ago, ZAYA was secure but when manufacturers asked for proof, we didn’t have any. Now we can just show them the PSA Certified accreditation, which proves we’ve been assessed by an independent authority.”

The Partnership Democratizing Security

PSA Certified is a global partnership of companies with a proven commitment to security. Through third-party lab evaluation, PSA Certified makes it easier to choose and use trusted products built on a standardized Root of Trust.

Next Steps

Join the fastest growing security ecosystem, all aligned on a common foundation that builds trust in the Internet of Things.

Share this page

The PSA Certified name, PSA Certified logos, PSA Functional API Certified logo featured on this website are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. Other brands and names mentioned on this website may be the trademarks of their respective owners.

Copyright © 2021 Arm Limited (or its affiliates). All rights reserved.

Sign Up to Receive the Latest from PSA Certified