Guy Vinograd, CEO
A Blueprint for Creating a
Secure IoT Product
• Million-user scale, 10000s devices
◦ AWS & Google GCP partner
• Secure IoT clouds for device vendors
◦ Device vendors - focus on your core
◦ Customers - global $Bn companies to start-ups
• Your trusted advisor - IoT, security, and clouds
About Me and Softimize
• ICS-CERT 2014 report
◦ 245 incidents involving IoT platforms
◦ 55% Advanced Persistent Threats (APT)
◦ 42% targeted communication, water, transport
• <40% IoT vendors implemented measures
Security - The #1 concern for IoT
What is IoT Security?
• Breach prevention
◦ Software - cloud & apps
◦ Environment – cloud, physical, network
◦ Devices
• Privacy
◦ Let your users control their data
• Trust
◦ Create customer confidence
The 3 Goals of IoT Security
Create Trust with
Security Standards
• Company-level standards
• ISO 27001 - Information security
◦ ISO 27799 – Health guidelines
• ISO 9001 – Quality management
◦ ISO 13485 – Health guidelines
• Certification
◦ ~4 months (SMB), ~40 hours overhead
◦ Post overhead - ~10 hours/month
◦ Yearly audit
◦ Consulting companies. ~ILS 30K
The ISOs
• Health care
◦ Medical devices and much more
• American
◦ EU: Data Protection Directive 1995/46/EC
• PHI – Protected Health Information
• BAA - Business associate agreement
• Self declaratory
◦ Audit comes later
HIPAA – a Product-level Standard
◦ DB - RDS (MySQL), DynamoDB, Redshift
◦ Files - EBS, S3, Glacier
◦ Process – EC2, ELB, EMR
◦ Utils – KMS, CloudWatch
◦ DB – CloudSQL, BigQuery, Genomics
◦ Files – Cloud Storage
◦ Process – Compute Engine
◦ Utils – Logging (Beta)
◦ Active Directory, API Management, Automation, Backup, Batch, BizTalk Services, Cloud Services,
DocumentDB, Express Route, HDInsight, Key Vault, Machine Learning, Management Portal, Media
Services, Mobile Services, Multi-Factor Authentication, Notification Hub, Operational Insights, Redis
Cache, RemoteApp, Rights Management Service, Scheduler, Service Bus, Site Recovery, SQL
Database, Storage, StorSimple, Stream Analytics, Traffic Manager, Virtual Machines, Virtual Network,
Visual Studio Team Services, Web Sites, and Workflow Manager.
◦ Compute - SoftLayer
HIPAA & Clouds Architecture
REST
Zoom on IoT - What to Secure?
HTTP | MQTT | CoAP | XMPP
IoT
Backend Service
GW
• Cloud – the ideal
◦ Protects IP
◦ Data Privacy
• GW knows only raw signal
• No processed info = less risk
• Caching on GW is a risk
• GW ("fog") – the reality
◦ Offline – Get security policy from cloud and execute
Zoom on IoT – Where to put Data/Logic
The Softimize Way
for Designing a
Secure IoT Product
Security Users/Devices
Data Streaming Vendor Services
Management
Things Building Blocks (TBB™)
Push notifications
Device Interaction
Access Control – IaaS, SaaS
Vendor and cloud provider protection
Encryption, Tenant isolation
Site management – Multi device
Licensing – per Tenant. Trial license
Bulk versioned FW updates
Complex event processing
Real-time, sub second latency
Users | Devices and hierarchies
Back-office, Audit
Analytics – Failures, Usage patterns
Prediction – Churn, Upsell
Discover & Config – w/o wifi | Real time streaming | FW update
Security – Encrypt, Auth | Reduce energy & bandwidth
On Premise
MQTT, HTTP
Cloud Abstraction
Multi Cloud
Abstraction Layers for managed services
NO DevOps-hungry open sources
• Cloud
◦ Physical
◦ Access control - Policy / role based
• System – Cloud & GW
◦ Dedicated servers
◦ Micro services separation based on purpose
◦ App/Data access - User / group / role based
• User interface
◦ “Need to know” basis
◦ Re-require password for export/sensitive
Security-First Design
• Authentication and authenticity
◦ Temporary tokens when possible
• Encryption
• Validation
Security-First Design - Data in Transit
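The "temporary tokens", "authenticity" and "validation" bullets of this slide, sketched as an added example (not code from the slides or from Softimize). The token layout, the scope names and the signing key are assumptions constructed for illustration; encryption of the channel itself (TLS) is out of scope here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment would fetch this from a key manager.
SIGNING_KEY = b"constructed-demo-signing-key"
ALLOWED_SCOPES = {"telemetry:write", "firmware:read"}  # hypothetical scope names


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(device_id: str, scope: str, ttl: int, now=None) -> str:
    """Cloud side: mint a short-lived token bound to one device and one scope."""
    now = int(time.time() if now is None else now)
    claims = {"dev": device_id, "scope": scope, "exp": now + ttl}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(tag)


def verify_token(token: str, device_id: str, now=None):
    """Backend side: check authenticity first, then validate every claim."""
    now = int(time.time() if now is None else now)
    try:
        body, tag = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(tag)):
            return None  # forged, or modified in transit
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return None  # malformed input is rejected outright
    if claims.get("dev") != device_id:
        return None  # token was issued to a different device
    if claims.get("scope") not in ALLOWED_SCOPES:
        return None  # unknown or over-broad scope
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired: the device must request a fresh token
    return claims
```

A token that fails any single check is treated the same as a forged one, so a gateway replaying a cached token after expiry gets no more access than an unauthenticated caller.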
• “Need to know” basis
◦ Microservices
◦ DB access Policy
◦ Fully identifiable, pseudonymized anonymized, fully anonymized
• Per-tenant encryption
◦ Key management
◦ DB query of indexed data
• Purge when expires (7 years / user request)
• Routine integrity checks
Security-First Design - Data at Rest
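One way to read the per-tenant keys, pseudonymized tier, indexed query and purge bullets of this slide together, as an added example (not code from the slides or from Softimize). The master key, tenant and user names, and the record layout are constructed for illustration; the sketch covers key separation and pseudonymization, not field encryption itself.

```python
import hashlib
import hmac

# Constructed demo master key; in production this lives in a KMS or HSM.
MASTER_KEY = b"constructed-demo-master-key"
RETENTION_SECONDS = 7 * 365 * 24 * 3600  # the slide's 7-year expiry


def tenant_key(tenant_id: str, purpose: str) -> bytes:
    """Derive an independent key per tenant and purpose (one HKDF-style expand block)."""
    tid = tenant_id.encode()
    info = len(tid).to_bytes(2, "big") + tid + purpose.encode()
    return hmac.new(MASTER_KEY, info + b"\x01", hashlib.sha256).digest()


def pseudonym(tenant_id: str, user_id: str) -> str:
    """Stable per-tenant pseudonym: the same user maps to unrelated values across tenants."""
    key = tenant_key(tenant_id, "pseudonym")
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def store(db: list, tenant_id: str, user_id: str, reading: float, ts: int) -> None:
    db.append({"tenant": tenant_id, "subject": pseudonym(tenant_id, user_id),
               "reading": reading, "ts": ts})


def query(db: list, tenant_id: str, user_id: str) -> list:
    """Equality lookup on the indexed pseudonym; the raw identifier is never stored."""
    subject = pseudonym(tenant_id, user_id)
    return [r for r in db if r["tenant"] == tenant_id and r["subject"] == subject]


def purge(db: list, now: int, erase_requests=frozenset()) -> int:
    """Drop expired rows and rows of (tenant, user) pairs that requested erasure."""
    erased = {(t, pseudonym(t, u)) for t, u in erase_requests}
    keep = [r for r in db
            if now - r["ts"] < RETENTION_SECONDS
            and (r["tenant"], r["subject"]) not in erased]
    removed = len(db) - len(keep)
    db[:] = keep
    return removed
```

Because each tenant's pseudonym key is derived separately, a leaked table from one tenant cannot be joined against another tenant's rows on the subject column.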
• Traceability
◦ Everything - access, input, data & operations
◦ Centralized logging/auditing - Cloud & GW
• Availability
◦ Redundancy
◦ Backup
• Plausibility checks
◦ Failure
◦ Penetration
Security-First Design
Guy Vinograd
guy@softimize.co
Need an IoT Cloud?
Use
