Removing Security Roadblocks to IoT Deployment Success
Connection Security
- X.509/TLS-based handshake and encryption
Device Security
- X.509 certificate-based identity and attestation
- Device provisioning, authorization & management
- Support for diverse hardware secure modules
Securely connect millions of devices over a secure internet connection to Microsoft Azure, built with security from the ground up.
Cloud Security
- Azure Security Center | Azure Active Directory
- Key Vault | Policy-based access control
Compliance coverage (global, industry and regional), as listed on the slide: ISO 27001, ISO 27017, ISO 27018, ISO 22301, SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR Self-Assessment, CSA STAR Certification, CSA STAR Attestation, HIPAA / HITECH Act, FERPA, GxP, 21 CFR Part 11, FISC Japan, CDSA, Shared Assessments, FACT UK, GLBA, PCI DSS Level 1, MARS-E, FFIEC, MPAA, HITRUST, IG Toolkit UK, Japan My Number Act, ENISA IAF, Japan CS Mark Gold, Spain ENS, Spain DPA, India MeitY, Canada Privacy Laws, Privacy Shield, Germany IT Grundschutz workbook, Argentina PDPA, EU Model Clauses, UK G-Cloud, China DJCP, China GB 18030, China TRUCS, Singapore MTCS, Australia IRAP/CCSL, New Zealand GCIO.
>90% of Fortune 500 use Microsoft Cloud
Key Questions (one per property)
- Hardware-based Root of Trust: Does the device have a unique, unforgeable identity that is inseparable from the hardware?
- Small Trusted Computing Base: Is most of the device’s software outside the device’s trusted computing base?
- Defense in Depth: Is the device still protected if the security of one layer of device software is breached?
- Compartmentalization: Does a failure in one component of the device require a reboot of the entire device to return to operation?
- Certificate-based Authentication: Does the device use certificates instead of passwords for authentication?
- Renewable Security: Is the device’s software updated automatically?
- Failure Reporting: Does the device report failures to its manufacturer?
Choice of Secure Hardware
- Many secure silicon providers, including standards-based and custom secure silicon
- TPM
- DICE
https://aka.ms/RightSecureIoTHardware
Authentication options (authentication / attestation)
1. Shared Access Signature (SAS) tokens, attested with a shared access key
2. Certificate-based mutual authentication, attested with a certificate thumbprint
3. Certificate-based mutual authentication, attested with a certificate authority
Access controls: permission based, role based, action based, with per-device granularity
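The first option above, SAS tokens attested with a per-device shared access key, as an added example that is not code from the deck or from the Azure SDK: it builds a device-scoped token in the form IoT Hub documents (sr, sig, se fields, HMAC-SHA256 over the encoded resource URI and expiry) and verifies it the way a hub-side check would, with expiry and device scope enforced before the key is even looked up. The hub host, device id and key are constructed values.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample values for this example; not real credentials or hosts.
HUB_HOST = "example-hub.azure-devices.net"
DEVICE_ID = "sensor-001"
# Device-scoped symmetric key as stored in the hub's device registry (base64).
DEVICE_KEY_B64 = base64.b64encode(b"constructed-device-key-0123456789").decode()

TOKEN_PREFIX = "SharedAccessSignature "


def device_resource_uri(hub_host: str, device_id: str) -> str:
    """Resource URI that scopes a token to one device identity on one hub."""
    return f"{hub_host}/devices/{device_id}"


def _sign(resource_uri: str, key_b64: str, expiry: int) -> str:
    """HMAC-SHA256 over '<url-encoded resource URI>' + LF + '<expiry>', keyed
    with the base64-decoded device key; returns the base64 signature."""
    encoded_uri = urllib.parse.quote(resource_uri, safe="")
    string_to_sign = f"{encoded_uri}\n{expiry}".encode()
    key = base64.b64decode(key_b64)
    digest = hmac.new(key, string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def generate_sas_token(resource_uri: str, key_b64: str, expiry: int) -> str:
    """Build a device-scoped SAS token:
    SharedAccessSignature sr=<uri>&sig=<signature>&se=<expiry>.
    Device tokens carry no policy name (skn); the key identifies the device.
    The signature is URL-encoded so '+', '/' and '=' survive query parsing."""
    encoded_uri = urllib.parse.quote(resource_uri, safe="")
    signature = urllib.parse.quote(_sign(resource_uri, key_b64, expiry), safe="")
    return f"{TOKEN_PREFIX}sr={encoded_uri}&sig={signature}&se={expiry}"


def parse_sas_token(token: str) -> dict:
    """Split a token into its fields, URL-decoding each value."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not a SAS token")
    body = token[len(TOKEN_PREFIX):]
    return dict(urllib.parse.parse_qsl(body, keep_blank_values=True))


def verify_sas_token(token: str, hub_host: str, device_keys: dict, now: int) -> tuple:
    """Check a token the way a hub-side verifier would: structure, expiry,
    device scope, key lookup, then a constant-time signature comparison.
    device_keys maps device id -> base64 key (per-device granularity).
    Returns (accepted, device_id_or_reason)."""
    try:
        fields = parse_sas_token(token)
    except ValueError as exc:
        return (False, str(exc))
    for name in ("sr", "sig", "se"):
        if name not in fields:
            return (False, f"missing {name}")
    if "skn" in fields:
        # This verifier only handles device-scoped tokens; policy-name tokens
        # are a separate hub-level credential and are rejected here.
        return (False, "policy-scoped token not accepted for a device")
    try:
        expiry = int(fields["se"])
    except ValueError:
        return (False, "malformed expiry")
    if now >= expiry:
        return (False, "token expired")
    resource_uri = fields["sr"]
    prefix = f"{hub_host}/devices/"
    device_id = resource_uri[len(prefix):]
    if not resource_uri.startswith(prefix) or not device_id or "/" in device_id:
        return (False, "resource URI not scoped to a device on this hub")
    key_b64 = device_keys.get(device_id)
    if key_b64 is None:
        return (False, "unknown device")
    expected = _sign(resource_uri, key_b64, expiry)
    # Compare as bytes so an attacker-supplied non-ASCII sig cannot raise.
    if not hmac.compare_digest(expected.encode(), fields["sig"].encode()):
        return (False, "signature mismatch")
    return (True, device_id)


if __name__ == "__main__":
    import time
    uri = device_resource_uri(HUB_HOST, DEVICE_ID)
    token = generate_sas_token(uri, DEVICE_KEY_B64, int(time.time()) + 3600)
    print(token)
    print(verify_sas_token(token, HUB_HOST, {DEVICE_ID: DEVICE_KEY_B64}, int(time.time())))
```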
Connection Security between IoT Device and IoT Hub: X.509/TLS-based handshake and encryption
Device twin and messaging primitives
- Device twin tags: cloud only, device metadata
- Device twin desired properties: cloud owned, device visible
- Device twin reported properties: device owned, cloud visible
- Methods: cloud-initiated C2D with response
- Commands: cloud-initiated C2D message
- Telemetry channel
Device Provisioning Service
Automate device provisioning at scale and eliminate security threats from manual handling.
(Diagram: devices provisioned into IoT Solution US, IoT Solution Germany and IoT Solution China.)
https://azure.microsoft.com/en-us/blog/securing-the-intelligent-edge/
Threats
- Readily available tools and experience: the same tools and experience from other disciplines, like failure analysis and patent research, are easily repurposed for attacks.
- Rich development environment: the necessary mixture of scripted and compiled software using many technologies to enrich the user experience also increases the probability of vulnerabilities.
- Heterogeneous hardware: expands the threat surface across architecture, vendor and capabilities, unlike relatively more uniform datacenter hardware.
- Physical accessibility: subject to physical analysis such as power and timing analysis, and to attacks based on micro-probing, fault injection and environmental tampering.
- Non-standard security protocols: proprietary hardware procedures for common security needs, like secure hardware enforcement of secure boot and firmware updates, preclude public scrutiny.
Requires assertive defense. Requires uniformity.
(Diagram: Cloud with IoT Hub producing Insights; Gateway (IoT Edge) producing Insights and Actions.)
A Framework for Ecosystem Managed Security
- Hardware Root of Trust: trust anchor and tamper resistance
- Secure Boot/Updates: bootstrapping and recovery
- Secure Execution Environment: privileged executions and system resource access control
- Protected General Computing: application execution with runtime integrity checking
(Diagram: principles and their realization on an Azure IoT Edge device connected to IoT Hub.)
- Communicate diligence in security
- Administered by 3rd party labs for transparency (coming soon)
- Open standards procedures
- Certificate-based signed device promise attestations (coming soon)
Promise levels
Standard promise
- Secure silicon: none
- Maximum protection to be expected in malicious custody: none
- Typical transactions: all, with adequate risk mitigation
- Maximum grade possible: Level 2
Secure Element promise
- Secure silicon: standalone security processor, e.g. TPM
- Maximum protection to be expected in malicious custody: secrets like cryptographic keys
- Typical transactions: authentication, session key generation, certificate processing
- Maximum grade possible: Level 4
Secure Enclave promise
- Secure silicon: integrated security processor
- Maximum protection to be expected in malicious custody: secrets and the trusted computing base
- Typical transactions: all secure element transactions plus the trusted computing base for transactions such as metering, billing, secure I/O and secure logging
- Maximum grade possible: Level 4
Grade requirements
- Level 1: custom implementations in lieu of using the Azure IoT Device SDK
- Level 2: Azure IoT Device SDK
- Level 3: Azure IoT Device SDK; FIPS 140-2 Level 2; Common Criteria EAL 3+ (PP coming soon)
- Level 4: Azure IoT Device SDK; FIPS 140-2 Level 3; Common Criteria EAL 4+ (PP coming soon)
IoT Role and Example Scenario
OEM: investment-optimal decision. Decide which market to play in.
- Manufacture and certify secure element devices for solutions with simple needs like authentication
- Manufacture and certify secure enclave devices for solutions with complex needs like monetization
SI: cost-optimal decisions. Balance device cost against the deployment's risk assessment.
- Secure element devices for endpoint identity
- Secure enclave devices for endpoint identity and execution integrity
Operator: optimal risk management. Balance device security against personnel access controls.
- Less elaborate personnel access controls with secure element/enclave promise devices
- More elaborate access controls with standard promise devices
IoT Edge Module Developer: empowerment. Use signed attestations to programmatically detect the device class and deploy accordingly.
- Detect and deploy to secure element devices for node count control
- Detect and deploy to secure enclave devices for IP protection or metered usage
(Demo slide: Sequitur Labs on LS1012A and SAMA5D2 boards; runtime attestation via a hardware RTiC module and via a hardware ICM module, reporting to IoT Hub; demo and blog links.)
“hackers have infiltrated the critical safety systems for industrial control units used in nuclear, oil and gas plants, halting operations at at least one facility”
“The hackers used sophisticated malware, dubbed ‘Triton’, to take remote control of a safety control workstation”
“Some controllers entered a failsafe mode as the hackers attempted to reprogram them”
Properties of TCPS
- Separation of critical execution: help protect critical infrastructure from malware threats by separating non-critical from critical operations and concentrating on using hardware isolation to protect control of physical systems.
- Inspectability of execution process: ensure that any code that handles critical operations must be auditable by operators through source code review.
- Attestability of processing environment: during operation, each component must be able to verify that data is received and sent only from trustworthy sources. A component also needs to attest its trustworthiness to other components.
- Minimizing number of entities that need to be trusted: reducing the number of trusted entities significantly reduces the attack surface for critical infrastructure. In the ideal TCPS solution, the operator will maintain the only root of trust for critical code execution.
The device owner/operator is in complete control of critical systems.
Attack vectors on the factory line
(Diagram: an attacker targets both the SCADA system and the factory line automation; the SCADA system sends OPC UA messages to the factory line controller.)
The attacker will simulate user input or directly issue control messages (e.g. OPC UA) using the SCADA system’s message authentication.
Protecting the SCADA/HMI system
(Diagram: the SCADA application runs on i.MX6 + Windows IoT Core with a TCP/IP transport stack; a TEE (TrustZone, OP-TEE) hosts the message authorization policy decision engine and the OPC UA security layer; OPC UA messages are authenticated by the TEE; a trusted UI terminal in the TEE is used to approve messages.)
Protecting factory line automation
(Diagram: a legacy OPC UA device is fronted by an i.MX6 security layer sitting between the device’s SPI port and an SPI-LAN adapter with TCP/IP on the LAN port; an OPC UA gateway sits in front of the factory line controller, so the attacker only reaches the authenticated path.)
(Diagram: end-to-end TCPS architecture. Edge: host operating system with edge client and transport stack; trusted execution environment with security layer, policy decision engine and trusted I/O to the factory line controller. Cloud services on Azure: message gateway, policy decision engine running in Azure Confidential Computing, tamper-resistant logging, and a configuration and provisioning service for factory line control.)
Additional information about TCPS
- TCPS Overview: http://aka.ms/TCPS_TwoPager_HMI2018
- Blog post: http://aka.ms/TCPS_HMI2018
- Whitepaper: http://aka.ms/TCPS_Whitepaper
Preview coming soon
Windows IoT security promise
Windows IoT provides the best endpoint security to protect your data at rest, in motion and during execution.
Windows IoT devices are built with security in mind.
Security is not in the way of your development, deployment and operation.
Is my IoT infrastructure developed, deployed and operated securely?
By deploying IoT, what security risks am I taking for the rest of my business?
Who can evaluate my IoT infrastructure and give me a threat assessment?
- Consider the threats most relevant to your IoT infrastructure
- Identify the consequences that are most important to your business
- Select evaluation strategies that provide the most value
http://aka.ms/IoTSecurityEval
Microsoft’s Security Program for Azure IoT connects customers with partners who are experts at evaluating an IoT infrastructure end-to-end.
Not all partners may be listed; check internetofyourthings.com for the latest status.
Standards for IoT Security
- None holistic in existence: no end-to-end IoT security standard
- Existing standards retrofit IT security to IoT
- No scope for physical attacks such as tampering
Microsoft is actively engaged in 25+ standards organizations and consortia to help address IoT security challenges.
- Microsoft champions and chairs the IoT Security Maturity Model development at the Industrial Internet Consortium (IIC)
- SMM assists with:
  • Security target definition
  • Current security maturity assessment
  • Security gap analysis
  • Security maturity enhancement planning
https://www.microsoft.com/en-us/internet-of-things/security
Roles addressed: solution operator; hardware manufacturers or integrators; solution developer; solution deployer
http://aka.ms/iotbestpractices
Secure and power the intelligent edge with Azure Sphere
1:00pm-2:15pm, WSCC: Rooms 612
Azure IoT Solutions - Get your IoT project started in minutes with SaaS and preconfigured solutions
Real-World Solutions with PowerApps: Tips & tricks to manage your app complexity
 
Azure Functions and Microsoft Graph
Azure Functions and Microsoft GraphAzure Functions and Microsoft Graph
Azure Functions and Microsoft Graph
 
Ingestion in data pipelines with Managed Kafka Clusters in Azure HDInsight
Ingestion in data pipelines with Managed Kafka Clusters in Azure HDInsightIngestion in data pipelines with Managed Kafka Clusters in Azure HDInsight
Ingestion in data pipelines with Managed Kafka Clusters in Azure HDInsight
 
Getting Started with Visual Studio Tools for AI
Getting Started with Visual Studio Tools for AIGetting Started with Visual Studio Tools for AI
Getting Started with Visual Studio Tools for AI
 
Using AML Python SDK
Using AML Python SDKUsing AML Python SDK
Using AML Python SDK
 
Mobile Workforce Location Tracking with Bing Maps
Mobile Workforce Location Tracking with Bing MapsMobile Workforce Location Tracking with Bing Maps
Mobile Workforce Location Tracking with Bing Maps
 
Cognitive Services Labs in action Anomaly detection
Cognitive Services Labs in action Anomaly detectionCognitive Services Labs in action Anomaly detection
Cognitive Services Labs in action Anomaly detection
 
Speech Devices SDK
Speech Devices SDKSpeech Devices SDK
Speech Devices SDK
 
LinkedIn Learning presents: Securing web applications in ASP.NET Core 2.1
LinkedIn Learning presents: Securing web applications in ASP.NET Core 2.1LinkedIn Learning presents: Securing web applications in ASP.NET Core 2.1
LinkedIn Learning presents: Securing web applications in ASP.NET Core 2.1
 
Building document processes using Adobe + Microsoft
Building document processes using Adobe + MicrosoftBuilding document processes using Adobe + Microsoft
Building document processes using Adobe + Microsoft
 

Recently uploaded

Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design ApproachesKnowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
Earley Information Science
 
Why do You Have to Redesign?_Redesign Challenge Day 1
Why do You Have to Redesign?_Redesign Challenge Day 1Why do You Have to Redesign?_Redesign Challenge Day 1
Why do You Have to Redesign?_Redesign Challenge Day 1
FellyciaHikmahwarani
 
MYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
MYIR Product Brochure - A Global Provider of Embedded SOMs & SolutionsMYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
MYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
Linda Zhang
 
Running a Go App in Kubernetes: CPU Impacts
Running a Go App in Kubernetes: CPU ImpactsRunning a Go App in Kubernetes: CPU Impacts
Running a Go App in Kubernetes: CPU Impacts
ScyllaDB
 
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Chris Swan
 
5G bootcamp Sep 2020 (NPI initiative).pptx
5G bootcamp Sep 2020 (NPI initiative).pptx5G bootcamp Sep 2020 (NPI initiative).pptx
5G bootcamp Sep 2020 (NPI initiative).pptx
SATYENDRA100
 
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdfWhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
ArgaBisma
 
AI_dev Europe 2024 - From OpenAI to Opensource AI
AI_dev Europe 2024 - From OpenAI to Opensource AIAI_dev Europe 2024 - From OpenAI to Opensource AI
AI_dev Europe 2024 - From OpenAI to Opensource AI
Raphaël Semeteys
 
What Not to Document and Why_ (North Bay Python 2024)
What Not to Document and Why_ (North Bay Python 2024)What Not to Document and Why_ (North Bay Python 2024)
What Not to Document and Why_ (North Bay Python 2024)
Margaret Fero
 
Pigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdfPigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdf
Pigging Solutions
 
HTTP Adaptive Streaming – Quo Vadis (2024)
HTTP Adaptive Streaming – Quo Vadis (2024)HTTP Adaptive Streaming – Quo Vadis (2024)
HTTP Adaptive Streaming – Quo Vadis (2024)
Alpen-Adria-Universität
 
Performance Budgets for the Real World by Tammy Everts
Performance Budgets for the Real World by Tammy EvertsPerformance Budgets for the Real World by Tammy Everts
Performance Budgets for the Real World by Tammy Everts
ScyllaDB
 
How to Avoid Learning the Linux-Kernel Memory Model
How to Avoid Learning the Linux-Kernel Memory ModelHow to Avoid Learning the Linux-Kernel Memory Model
How to Avoid Learning the Linux-Kernel Memory Model
ScyllaDB
 
Observability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetryObservability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetry
Eric D. Schabell
 
一比一原版(msvu毕业证书)圣文森山大学毕业证如何办理
一比一原版(msvu毕业证书)圣文森山大学毕业证如何办理一比一原版(msvu毕业证书)圣文森山大学毕业证如何办理
一比一原版(msvu毕业证书)圣文森山大学毕业证如何办理
uuuot
 
STKI Israeli Market Study 2024 final v1
STKI Israeli Market Study 2024 final  v1STKI Israeli Market Study 2024 final  v1
STKI Israeli Market Study 2024 final v1
Dr. Jimmy Schwarzkopf
 
Interaction Latency: Square's User-Centric Mobile Performance Metric
Interaction Latency: Square's User-Centric Mobile Performance MetricInteraction Latency: Square's User-Centric Mobile Performance Metric
Interaction Latency: Square's User-Centric Mobile Performance Metric
ScyllaDB
 
How Netflix Builds High Performance Applications at Global Scale
How Netflix Builds High Performance Applications at Global ScaleHow Netflix Builds High Performance Applications at Global Scale
How Netflix Builds High Performance Applications at Global Scale
ScyllaDB
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Mydbops
 
How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
SynapseIndia
 

Recently uploaded (20)

Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design ApproachesKnowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
 
Why do You Have to Redesign?_Redesign Challenge Day 1
Why do You Have to Redesign?_Redesign Challenge Day 1Why do You Have to Redesign?_Redesign Challenge Day 1
Why do You Have to Redesign?_Redesign Challenge Day 1
 
MYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
MYIR Product Brochure - A Global Provider of Embedded SOMs & SolutionsMYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
MYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
 
Running a Go App in Kubernetes: CPU Impacts
Running a Go App in Kubernetes: CPU ImpactsRunning a Go App in Kubernetes: CPU Impacts
Running a Go App in Kubernetes: CPU Impacts
 
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
 
5G bootcamp Sep 2020 (NPI initiative).pptx
5G bootcamp Sep 2020 (NPI initiative).pptx5G bootcamp Sep 2020 (NPI initiative).pptx
5G bootcamp Sep 2020 (NPI initiative).pptx
 
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdfWhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
 
AI_dev Europe 2024 - From OpenAI to Opensource AI
AI_dev Europe 2024 - From OpenAI to Opensource AIAI_dev Europe 2024 - From OpenAI to Opensource AI
AI_dev Europe 2024 - From OpenAI to Opensource AI
 
What Not to Document and Why_ (North Bay Python 2024)
What Not to Document and Why_ (North Bay Python 2024)What Not to Document and Why_ (North Bay Python 2024)
What Not to Document and Why_ (North Bay Python 2024)
 
Pigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdfPigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdf
 
HTTP Adaptive Streaming – Quo Vadis (2024)
HTTP Adaptive Streaming – Quo Vadis (2024)HTTP Adaptive Streaming – Quo Vadis (2024)
HTTP Adaptive Streaming – Quo Vadis (2024)
 
Performance Budgets for the Real World by Tammy Everts
Performance Budgets for the Real World by Tammy EvertsPerformance Budgets for the Real World by Tammy Everts
Performance Budgets for the Real World by Tammy Everts
 
How to Avoid Learning the Linux-Kernel Memory Model
How to Avoid Learning the Linux-Kernel Memory ModelHow to Avoid Learning the Linux-Kernel Memory Model
How to Avoid Learning the Linux-Kernel Memory Model
 
Observability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetryObservability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetry
 
一比一原版(msvu毕业证书)圣文森山大学毕业证如何办理
一比一原版(msvu毕业证书)圣文森山大学毕业证如何办理一比一原版(msvu毕业证书)圣文森山大学毕业证如何办理
一比一原版(msvu毕业证书)圣文森山大学毕业证如何办理
 
STKI Israeli Market Study 2024 final v1
STKI Israeli Market Study 2024 final  v1STKI Israeli Market Study 2024 final  v1
STKI Israeli Market Study 2024 final v1
 
Interaction Latency: Square's User-Centric Mobile Performance Metric
Interaction Latency: Square's User-Centric Mobile Performance MetricInteraction Latency: Square's User-Centric Mobile Performance Metric
Interaction Latency: Square's User-Centric Mobile Performance Metric
 
How Netflix Builds High Performance Applications at Global Scale
How Netflix Builds High Performance Applications at Global ScaleHow Netflix Builds High Performance Applications at Global Scale
How Netflix Builds High Performance Applications at Global Scale
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
 
How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
 

Removing Security Roadblocks to IoT Deployment Success

  • 3. Securely connect millions of devices… …over a secure internet connection… …to Microsoft Azure – built with security from the ground up
    - Device Security: X.509 certificate based identity and attestation; device provisioning, authorization & management; support for diverse hardware secure modules
    - Connection Security: X.509/TLS-based handshake and encryption
    - Cloud Security: Azure Security Center | Azure Active Directory | Key Vault | Policy-Based Access Control
  • 4. Compliance coverage (logo grid on the slide, grouped by its three headings)
    - Global: ISO 27001, ISO 27018, ISO 27017, ISO 22301, SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR Self-Assessment, CSA STAR Certification, CSA STAR Attestation
    - Industry: HIPAA / HITECH Act, FERPA, GxP 21 CFR Part 11, FISC Japan, CDSA, Shared Assessments, FACT UK, GLBA, PCI DSS Level 1, MARS-E, FFIEC, MPAA, HITRUST, IG Toolkit UK
    - Regional: Japan My Number Act, ENISA IAF, Japan CS Mark Gold, Spain ENS, Spain DPA, India MeitY, Canada Privacy Laws, Privacy Shield, Germany IT Grundschutz workbook, Argentina PDPA, EU Model Clauses, UK G-Cloud, China DJCP, China GB 18030, China TRUCS, Singapore MTCS, Australia IRAP/CCSL, New Zealand GCIO
  • 5. >90% of Fortune 500 use Microsoft Cloud
  • 6. Key Questions, one per property
    - Hardware-based Root of Trust: Does the device have a unique, unforgeable identity that is inseparable from the hardware?
    - Small Trusted Computing Base: Is most of the device’s software outside the device’s trusted computing base?
    - Defense in Depth: Is the device still protected if the security of one layer of device software is breached?
    - Compartmentalization: Does a failure in one component of the device require a reboot of the entire device to return to operation?
    - Certificate-based Authentication: Does the device use certificates instead of passwords for authentication?
    - Renewable Security: Is the device’s software updated automatically?
    - Failure Reporting: Does the device report failures to its manufacturer?
  • 7. Choice of Secure Hardware (high integrity software operations)
    - Many secure silicon providers, including standards based and custom secure silicon
    - TPM
    - DICE
    https://aka.ms/RightSecureIoTHardware
  • 8. Device Connection Security: X.509/TLS-based handshake and encryption between IoT Hub and the device; authentication, attestation and access controls
    - 1. Shared Access Secrets (SAS) tokens, signed with a shared access key: permission based, role based, action based, per device granularity
    - 2. Certificate based mutual authentication, device identified by certificate thumbprint
    - 3. Certificate based mutual authentication, device identified through a certificate authority
  • 9. IoT Hub and the IoT device: device twin and messaging channels
    - Tags: cloud only, device metadata
    - Desired properties: cloud owned, device visible
    - Reported properties: device owned, cloud visible
    - Methods: cloud initiated C2D with response
    - Commands: cloud initiated C2D message
    - Telemetry: telemetry channel
  • 10. Device Provisioning Service: automate device provisioning at scale and eliminate security threats from manual handling (diagram: devices routed to IoT Solution US, IoT Solution Germany and IoT Solution China)
  • 14. Threats at the intelligent edge (https://azure.microsoft.com/en-us/blog/securing-the-intelligent-edge/)
    - Readily available tools and experience: the same tools and experience from other disciplines like failure analysis and patent research are easily repurposed for attacks.
    - Rich development environment: the necessary mixture of scripted and compiled software using many technologies to enrich the user experience also increases the probability of vulnerabilities.
    - Heterogeneous hardware: expands the threat surface across architecture, vendor, and capabilities, unlike relatively more uniform datacenter hardware.
    - Physical accessibility: subject to physical analysis such as power and timing, and attacks based on micro-probing, fault injection, and environmental tampering.
    - Non-standard security protocols: proprietary hardware procedures for common security needs, like secure hardware enforcement for secure boot and firmware updates, preclude public scrutiny.
    Consequences: requires assertive defense; requires uniformity.
  • 15. (diagram) Cloud Gateway, IoT Edge and IoT Hub, with Insights and Actions flowing between edge and cloud
  • 16. A Framework for Ecosystem Managed Security (Azure IoT Edge device and IoT Hub): principles and their realization
    - Hardware Root of Trust: trust anchor and tamper resistance
    - Secure Boot/Updates: bootstrapping and recovery
    - Secure Execution Environment: privileged executions and system resource access control
    - Protected General Computing: application execution with runtime integrity checking
  • 18. Device security promise
    - Communicate diligence in security
    - Administered by 3rd party labs for transparency (coming soon)
    - Open standards procedures
    - Certificate based signed device promise attestations (coming soon)
    Promise levels:
    - Standard: secure silicon: none; maximum protection to be expected in malicious custody: none; typical transactions: all, with adequate risk mitigation; maximum grade possible: Level 2
    - Secure Element: standalone security processor, e.g. TPM; protects secrets like cryptographic keys in malicious custody; typical transactions: authentication, session key generation, certificate processing; maximum grade possible: Level 4
    - Secure Enclave: integrated security processor; protects secrets and the trusted computing base in malicious custody; typical transactions: all secure element transactions plus the trusted computing base for transactions such as metering, billing, secure I/O, secure logging; maximum grade possible: Level 4
    Grades and requirements:
    - Level 1: custom implementations in lieu of using the Azure IoT Device SDK
    - Level 2: Azure IoT Device SDK
    - Level 3: Azure IoT Device SDK; FIPS 140-2 Level 2; Common Criteria EAL 3+ (PP coming soon)
    - Level 4: Azure IoT Device SDK; FIPS 140-2 Level 3; Common Criteria EAL 4+ (PP coming soon)
  • 19. IoT roles and example scenarios
    - OEM: investment optimal decision; decide which market to play in. Manufacture and certify secure element devices for solutions with simple needs like authentication; manufacture and certify secure enclave devices for solutions with complex needs like monetization.
    - SI: cost optimal decisions; balance device cost with deployment risk assessment. Secure element devices for endpoint identity; secure enclave devices for endpoint identity and execution integrity.
    - Operator: optimal risk management; balance between device security and personnel access controls. Less elaborate personnel access controls with secure element/enclave promise devices; more elaborate access controls with standard promise devices.
    - IoT Edge Module Developer: empowerment; use signed attestations to programmatically detect and deploy accordingly. Detect and deploy to secure element devices for node count control; detect and deploy to secure enclave devices for IP protection or metered usage.
  • 20. (partner slide) Sequitur Labs: LS1012A and SAMA5D2 boards with demo and blog links; runtime attestation via hardware RTiC module and via hardware ICM module, reporting to IoT Hub
  • 22. “hackers have infiltrated the critical safety systems for industrial control units used in nuclear, oil and gas plants, halting operations at at least one facility”
    “The hackers used sophisticated malware, dubbed ‘Triton’, to take remote control of a safety control workstation”
    “Some controllers entered a failsafe mode as the hackers attempted to reprogram them”
  • 23. Properties of TCPS (the device owner/operator is in complete control of critical systems)
    - Separation of critical execution: help protect critical infrastructure from malware threats by separating non-critical from critical operations and concentrating on using hardware isolation to protect control of physical systems.
    - Inspectability of execution process: ensure that any code that handles critical operations is auditable by operators through source code review.
    - Attestability of processing environment: during operation, each component must be able to verify that data is received from and sent only to trustworthy sources. A component also needs to attest its trustworthiness to other components.
    - Minimizing the number of entities that need to be trusted: reducing the number of trusted entities significantly reduces the attack surface for critical infrastructure. In the ideal TCPS solution, the operator maintains the only root of trust for critical code execution.
  • 24. (diagram) Attack vectors on the factory line: the attacker targets the SCADA system (attack to SCADA system) and the factory line automation (attack to factory line automation); the SCADA system drives the factory line controller.
  • 25. (diagram) Protecting the SCADA/HMI system: the attacker will simulate user input or directly issue control messages (e.g. OPC UA) using the SCADA system’s message authentication. In the protected design, OPC UA messages from the SCADA application are authenticated by a TEE, approved on a trusted UI terminal (trusted UI in the TEE), and checked by a message authorization policy decision engine.
  • 26. (diagram) Protecting factory line automation: i.MX6 + Windows IoT Core with a TCP/IP transport stack, a TrustZone (OP-TEE) security layer and policy decision engine in front of the LAN port; an i.MX6 SPI-LAN adapter with TCP/IP on the SPI port fronts a legacy OPC UA device; an OPC UA gateway connects to the factory line controller; the attacker sits on the OPC UA path.
  • 27. (diagram) Edge client architecture: host operating system with edge client and transport stack; trusted execution environment with security layer, trusted I/O, policy decision engine, message gateway and factory line control; controller and factory line; cloud services in Azure, including Azure Confidential Computing, tamper-resistant logging, and the configuration and provisioning service.
  • 28. Additional information about TCPS
    - TCPS overview: http://aka.ms/TCPS_TwoPager_HMI2018
    - Blog post: http://aka.ms/TCPS_HMI2018
    - Whitepaper: http://aka.ms/TCPS_Whitepaper
    Preview coming soon
  • 30. Windows IoT security promise: Windows IoT provides the best endpoint security to protect your data at rest, in motion and during execution. Windows IoT devices are built with security in mind. Security is not in the way of your development, deployment and operation.
  • 34. Is my IoT infrastructure developed, deployed and operated securely? By deploying IoT, what security risks am I taking for the rest of my business? Who can evaluate my IoT infrastructure and give me a threat assessment?
  • 35. Consider the threats most relevant to your IoT infrastructure; identify the consequences that are most important to your business; select evaluation strategies that provide the most value. http://aka.ms/IoTSecurityEval
  • 38. Microsoft’s Security Program for Azure IoT connects customers with partners who are experts at evaluating an IoT infrastructure end-to-end. Not all partners may be listed; check internetofyourthings.com for latest status
  • 40. Standards for IoT Security
    - None holistic in existence: no end-to-end IoT security standard
    - Existing standards retrofit IT security to IoT
    - No scope for physical attacks such as tampering
    - Microsoft actively engaged in 25+ standards organizations and consortia to help address IoT security challenges
  • 41. Microsoft champions and chairs the IoT Security Maturity Model development at the Industrial Internet Consortium (IIC). The SMM assists with:
    - Security target definition
    - Current security maturity assessment
    - Security gap analysis
    - Security maturity enhancement planning
  • 44. Best practices by role: solution operator; hardware manufacturers or integrators; solution developer; solution deployer. http://aka.ms/iotbestpractices
  • 45. Secure and power the intelligent edge with Azure Sphere, 1:00pm-2:15pm, WSCC: Rooms 612. Azure IoT Solutions - Get your IoT project started in minutes with SaaS and preconfigured solutions