security in the internet of things (november 2014)
DESCRIPTION
Security in the Internet of Things. How Identity Management can help to alleviate the pain and reduce the impact of security breaches.TRANSCRIPT
![Page 2: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/2.jpg)
2
About me ! 26 years experience in the IT Industry.
! Ericsson, IBM, 3Com, Sun Microsystems & ForgeRock
! Co-Founder of ForgeRock
! CTO Office
http://www.forgerock.com
![Page 3: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/3.jpg)
3
World Wide Web
Mobile Internet
Internet of things Image Source: Kelsey Austin. https://www.flickr.com/photos/kelseyrage/15362515989
![Page 4: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/4.jpg)
4
Despite the wave Information is the common key deliverable
Telemetry (Health, Rockets, Energy, Aviation, etc)
Device Identification Sensed Information
Metered information
Forget the HONEY!
Source: Meadows R (2012) Understanding the Flight of the Bumblebee. PLoS Biol 10(9)
![Page 5: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/5.jpg)
5
Increasing Amount OF
Security, Privacy & Safety
Concerns
![Page 6: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/6.jpg)
6
Top barriers to iot and m2m adoption
Source: Infonetics, January 2014.
![Page 7: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/7.jpg)
7
Data in Transit
Data
Access
ACCESS
Access
Data
Security and privacy Things MOBILE/
gateway CLOUD ENterprise
Data
ACCESS
Data
![Page 8: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/8.jpg)
8
Security vs Comfort / RISK vs REWARD
Low friction human interaction Unique device identification Device Authenticity
Nature of the data
challenges
Device-user association
Image Source: Sharkawi Che Din. https://www.flickr.com/photos/sharkawi3d/15374262331/
![Page 9: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/9.jpg)
9
More challenges
Limited encryption capabilities Limited resources (RAM/ROM)
Firmware must be upgraded from time to time Limited clock synchronization
Image Soruce: Massimo Piccoli. https://www.flickr.com/photos/massimo_piccoli/12680390774/
![Page 10: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/10.jpg)
10
IoT security design rules " Build Security in, it can not be added later
" Keep security mechanisms simple
" Use existing standards
" Obscurity does not provide security
Image source: http://cdn.blickers.com/wp-content/uploads/2013/12/Leonardo-da-vinci2.jpg
![Page 11: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/11.jpg)
11
IoT security design rules " Encrypt sensitive data at rest and in transit
" Use well-studied cryptographic building blocks
" Identity and Access Management must be part of the design
" Develop a realistic threat model
Image source: http://cdn.blickers.com/wp-content/uploads/2013/12/Leonardo-da-vinci2.jpg
![Page 12: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/12.jpg)
12
Common Security Issues
![Page 13: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/13.jpg)
13
Web, mobile & cloud interfaces " Do not allow default credentials
" Assume device accessed from everywhere
" Credentials should not be stored in plain text nor travel in unencrypted channels
" Protect against account enumeration & implement account lockout
" Protect against XSS, CSRF, SQLi
" Implement Identity and Access Management Image source: http://cdn.blickers.com/wp-content/uploads/2013/12/Leonardo-da-vinci2.jpg
![Page 14: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/14.jpg)
14
Identity Relationship Management for
the Internet of things
![Page 15: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/15.jpg)
15
I’m an Authentic device I’m unique (Device D) Verify authenticity
and registers device Register me
OpenIDM
PKI (SE)
Provisioning Device Identity
![Page 16: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/16.jpg)
16
Register me
I own device D
Verify identity of user, Register user
Authenticate
OpenIDM & OpenAM
PKI (SE)
Register user, AuthN, claim ownership
Authenticate user
Proof possession of Device. Create Relationship User-device
![Page 17: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/17.jpg)
17
I allow device D to send data on my behalf to service S1 for 1 day Generates OAuth2 Token
Provision Refresh and Access Token to device
Authenticate
Store R & A Tokens
OpenAM
PKI (SE)
Allow to send data on user’s behalf
Authenticate user
![Page 18: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/18.jpg)
18
Send Data (OAuth2 Token) Verify Device, OAuth2 Access Token validity and Scope (authorization)
Refresh Token
Associate data to Alice
Negotiate new Access token
…. Token expired
New Access Token Store A.Token
PKI (SE)
Device send data on behalf of user
OpenAM
![Page 19: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/19.jpg)
19
Authenticate
Revoke token
I want to Share my data with My Insurance Company
…. Lost my device
OpenAM with UMA
HTTP, MQTT, SASL
PKI (SE)
User shares data, revokes tokens
![Page 20: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/20.jpg)
20
Network Services
" Ensure only necessary ports are open
" Ensure services are not vulnerable to buffer overflow and fuzzing attacks
" Ensure services are not vulnerable to DoS attacks
![Page 21: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/21.jpg)
21
Transport encryption
" Ensure data and credentials are encrypted while in transit
" Use secure encrypted channels
" Use good key lengths and good algorithms (Elliptic Curve provides efficient encrypting)
" Protect against replay attacks
![Page 22: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/22.jpg)
22
Privacy as part of the design
" Collect only the minimum necessary data for the functionality of the device
" Ensure any sensitive data collected is properly protected with encryption
" Ensure the device properly protects personal data
Photo Source: Brian M (OCDBri): https://www.flickr.com/photos/ocdbri/14438661513
![Page 23: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/23.jpg)
23
Software/Firmware " Ensure your firmware does not contain hardcoded
credentials or sensitive data
" Use a secure channel to transmit the firmware during upgrades
" Ensure the update is signed and verified before allowing the update
" Do not send the public key with the firmware, use a hash
" Ensure your SVN/GIT repositories do not contain the private keys
![Page 24: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/24.jpg)
24
Physical Security
" Ensure physical access to your device is controlled
" Accessible USB or SD ports can be a weakness
" Can it be easily disassembled to access the internal storage (RAM/ROM)
" If local data is sensitive, consider encrypting the data
Image Source: http://conflictresearchgroupintl.com/wp-content/uploads/2014/03/How-to-Look-Like-a-Bouncer1.jpg
![Page 25: Security in the Internet of Things (November 2014)](https://reader034.vdocument.in/reader034/viewer/2022052600/557dddd6d8b42abf6c8b4571/html5/thumbnails/25.jpg)
25
Thank You!
Security in the Internet of Things
FORGEROCK.COM | LEGAL INFORMATION
Victor Ake [email protected]
CTO Office