Best Practices with IoT Security - February Online Tech Talks
TRANSCRIPT
![Page 1: Best Practices with IoT Security - February Online Tech Talks](https://reader033.vdocument.in/reader033/viewer/2022052117/58ade5a11a28abeb2e8b525b/html5/thumbnails/1.jpg)
© 2017 Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andrew Kiggins
Feb 2017
AWS IoT Security
Page 2
Today’s Webinar
IoT overview
The risks
Protecting communications
Protecting the devices
Page 3
All things around us are getting connected
Page 4
AWS IoT
DEVICE SDK: Set of client libraries to connect, authenticate and exchange messages
DEVICE GATEWAY: Communicate with devices via MQTT and HTTP
AUTHENTICATION / AUTHORIZATION: Secure with mutual authentication and encryption
RULES ENGINE: Transform messages based on rules and route to AWS Services or 3P Services
DEVICE SHADOW: Persistent thing state during intermittent connections
APPLICATIONS: AWS IoT API
DEVICE REGISTRY: Identity and management of your things
Page 5
Security and Identity
AUTHENTICATION: Secure with mutual authentication and encryption
Page 6
Security shared responsibility
AWS is responsible for the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
Client-side Data Encryption
Server-side Data Encryption
Network Traffic Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer applications & content
Page 7
The Risk
I’m a thing
pwn’d
Page 8
Protocol Support
Page 9
AWS IoT Protocols

| | MQTT over TLS | MQTT over WebSockets | HTTPS |
|---|---|---|---|
| Server Auth | Cert | Cert | Cert |
| Client Auth | Cert | AWS API Keys | AWS API Keys, Cert |
| Confidentiality | TLS | TLS | TLS |
| Protocol | MQTT | WebSockets/MQTT | HTTP/MQTT |
Page 10
AWS IoT Identities
Page 11
Credentials Overview
Page 12
Security and Identity

| Identity Principles | Usage |
|---|---|
| X.509 certificates | Device identity |
| IAM users, groups and roles | Application layer access for HTTP or WebSockets |
| Amazon Cognito Identities | API access |
Page 13
Authentication
Page 14
Security and Identity
Page 15
Certificate management

| Certificate creation mechanism | Pros | Cons |
|---|---|---|
| AWS IoT created certificate (including public/private keypair) | Everything handled by AWS IoT | Private key has to be transmitted between AWS IoT and customer |
| AWS IoT created certificate (Certificate Signing Request (CSR) based) | Certificate creation handled by AWS. AWS never has the private key. | Customer has to create the public/private keypair and CSR. |
| JiTR/BYOC (Bring Your Own Certificate) | AWS never has the private key. Customer controls certificate creation. | Customer has to create a certificate for every device. |
Page 16
When is a certificate not a valid certificate
[figure: timeline marking t1 and t2]
• t1 is earlier than t2 (i.e. the server cert is in the future)
• No realtime clock
• No NTP update (chicken and egg)
• Don't validate the timestamp if you've never connected to the NTP server
• Don't validate the timestamp if the device has been on the shelf for a long time
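The slide's rule (skip the validity-window check until the device has a trusted clock, then re-check) as an added example; this is not AWS SDK code. It assumes the device records whether NTP has synced and knows its own firmware build time, which gives a second sanity check: a clock reading earlier than the build is certainly wrong.

```python
from datetime import datetime, timezone

def utc(year, month, day):
    """Small helper so sample dates stay readable."""
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed firmware build timestamp (assumption): a device can never
# legitimately observe a wall-clock time earlier than its own build.
FIRMWARE_BUILD_TIME = utc(2017, 2, 1)

def clock_is_plausible(now, build_time=FIRMWARE_BUILD_TIME):
    """A reading before the build time means the clock reset (no RTC battery,
    long shelf life); such a reading must not be used to reject a certificate."""
    return now >= build_time

def check_time_window(not_before, not_after, now, ntp_synced):
    """Decide whether the server cert's validity window blocks the connection.
    Returns (accept, reason). Only a trusted clock (NTP-synced and plausible)
    may fail a cert on time; with an untrusted clock the window is skipped,
    chain/signature/hostname checks still apply, and the caller must re-check
    after the first NTP sync."""
    if not ntp_synced or not clock_is_plausible(now):
        return True, "time-unverified"
    if now < not_before:
        return False, "not-yet-valid"   # t1 earlier than t2: cert "in the future"
    if now > not_after:
        return False, "expired"
    return True, "time-verified"

def bootstrap(cert_window, readings):
    """Replay a device's clock readings, each (now, ntp_synced), and return the
    decision for each so the unverified -> verified transition is visible."""
    not_before, not_after = cert_window
    return [check_time_window(not_before, not_after, now, synced)
            for now, synced in readings]

# Constructed sample: a cert valid from 2017-03-01 to 2018-03-01, seen by a
# device whose clock starts at the epoch, syncs NTP, and later outlives the cert.
SERVER_CERT_WINDOW = (utc(2017, 3, 1), utc(2018, 3, 1))
SHELF_DEVICE_READINGS = [
    (utc(1970, 1, 1), False),  # fresh from the shelf, no RTC, no NTP yet
    (utc(2017, 6, 1), True),   # after the first NTP sync: window enforced
    (utc(2018, 6, 1), True),   # clock trusted and the cert has expired
]
```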
Page 17
Authorization
Page 18
Fine grained policies
• Effect
• Action
• Principal
• Substitution

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/${iot:Connection.Thing.ThingTypeName}/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}
```
Page 19
Policy and certificates

| Device | Policy |
|---|---|
| Truck 1 | Allow to connect and publish |
| Truck 2 | Allow to connect / publish / subscribe |
| Truck 3 | Allow to connect / publish / subscribe / unsubscribe |
Page 20
Policy actions
• Connect
• Publish
• Subscribe
• Unsubscribe
• Receive
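To show how the policy variables on the "Fine grained policies" slide, the per-truck policies and the policy actions fit together, here is an added toy evaluator (not AWS's policy engine): it resolves `${iot:Connection.Thing.*}` from the connecting thing's registry attributes and then matches Action/Resource with default deny. It models only Effect, Action and Resource with `*` wildcards (no Condition keys); the thing names and the connection context are constructed.

```python
import fnmatch
import re

# Matches ${iot:Connection.Thing.ThingName}-style policy variables.
POLICY_VAR = re.compile(r"\$\{([A-Za-z0-9:.]+)\}")

def substitute(resource, ctx):
    """Resolve policy variables from the connection context; an unknown
    variable is left as-is, so it can never match a real ARN."""
    return POLICY_VAR.sub(lambda m: ctx.get(m.group(1), m.group(0)), resource)

def is_allowed(policy, ctx, action, resource):
    """Evaluate one request: default deny, explicit Deny wins over Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, substitute(r, ctx)) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

ACCOUNT = "arn:aws:iot:us-east-1:123456789012"   # region/account as on the slide
# "Truck 1: allow to connect and publish", scoped to the truck's own client id
# and its own topic; no Subscribe statement, so subscribes are denied.
TRUCK1_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"],
         "Resource": [ACCOUNT + ":client/${iot:Connection.Thing.ThingName}"]},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [ACCOUNT + ":topic/${iot:Connection.Thing.ThingTypeName}"
                      "/${iot:Connection.Thing.ThingName}"]},
    ],
}
# Constructed context: the attributes AWS IoT takes from the registry entry of
# the thing whose certificate authenticated this connection.
TRUCK1_CTX = {"iot:Connection.Thing.ThingName": "truck-1",
              "iot:Connection.Thing.ThingTypeName": "truck"}
```

Because the resource is built from the connecting thing's own name, one policy document can be attached to every truck's certificate and each truck still reaches only its own topic.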
Page 21
Encryption
Page 22
History of TLS/SSL
Evolution of Web Encryption Technologies: 1995 SSL 2.0; 1996 SSL 3.0; 1999 TLS 1.0; 2006 TLS 1.1; 2008 TLS 1.2; 2013 planning of TLS 1.3 starts
Battle Against Vulnerabilities: 2011 BEAST; 2014/04 Heartbleed; 2014/09 POODLE; 2015 FREAK; 2016/03 DROWN
Page 23
Greater Enforcement by Industry/Vendors
Battle Against Vulnerabilities: 2011 BEAST; 2014/04 Heartbleed; 2014/09 POODLE; 2015 FREAK; 2016/03 DROWN
Industry Enforcement: 2015/12 Indexing HTTPS Pages by Default; 2016/04 PCI DSS v3.2; 2016/07 Mandatory ATS; 2016/08 HTTP Strict Transport Security (HSTS); 2017/06/30 Mandatory TLS1.2
Page 24
TLS1.2 in AWS IoT
• Client side certs should be at least
  • 2048 bits for RSA
  • P-256 and P-384 curves for ECC
• Recommended cipher suites
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
• 2048-bit primes for DH
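An added example of pinning these settings on the device side with Python's standard `ssl` module (not AWS SDK code): TLS 1.2 as the floor, only the two recommended suites for the TLS 1.2 handshake, server verification against a trusted CA with hostname checking, and the device's X.509 certificate for mutual authentication. File paths are optional assumptions so the context can be inspected without any files present.

```python
import ssl

# The two suites the slide recommends; a cipher string governs TLS 1.2 only.
RECOMMENDED_CIPHERS = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]

def aws_iot_tls_context(ca_file=None, cert_file=None, key_file=None):
    """Client-side SSLContext for MQTT over TLS.
    ca_file: root CA to trust for server auth (assumed path, e.g. the Amazon root CA);
    cert_file/key_file: the device's certificate and private key for client auth.
    Without paths the context still builds, using the platform's default CA store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSLv3, TLS 1.0 and 1.1
    ctx.set_ciphers(":".join(RECOMMENDED_CIPHERS))  # TLS 1.3 suites, if built in, stay on
    ctx.check_hostname = True                        # server cert must name the endpoint
    ctx.verify_mode = ssl.CERT_REQUIRED              # unauthenticated servers are rejected
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)     # mutual TLS: device identity
    return ctx

def describe(ctx):
    """Summarise the settings a reviewer would check as plain values."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "tls12_ciphers": sorted(c["name"] for c in ctx.get_ciphers()
                                if c["protocol"] != "TLSv1.3"),
    }
```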
Page 25
Securing your thing
Page 26
Certificates & keys
• Securing private keys
  • Hardware based solutions
• Securing certificates
  • Manufacturing
  • Install on boot
Page 27
Identifying misbehavior
• Pen-testing
• Open ports
• Manufacturing
• In-service
• On Thing agent
• Vulnerability scanning
• CIS
• CVE
• Telemetry
Page 28
Thanks!
https://docs.aws.amazon.com/iot/latest/developerguide/iot-security-identity.html