Microsoft IoT Security @ Xpand:X:ED Meetup Sydney Feb 2016

IoT Security Considerations in the Enterprise

Lee Hickin | IoT Product Manager | @leehickin
Dave Glover | Developer Evangelist | @dglover

Agenda

• Who are we & what do we do
• Microsoft, IOT, Open Source & Security
• IOT Security – layers of consideration
• STRIDE – Understanding the Threats

IoT Security Considerations

• Threat Modelling and Determine Risks
• Hardware and Device Capabilities
• Price Point Considerations
• Updates
• You can’t secure what you can’t update
• Secure Communications
• Cloud Security

Four zones of IoT security

[Figure labels: Device, Device Environment, Field Gateway, Cloud Gateway, Services, Transport Protocols; zones numbered 1 to 4]

Devices

Enterprise Grade Security for IoT Assets

• UEFI Secure Boot and Measured Boot (Boot Attack)
• Bitlocker and TPM Support (Offline Attack)
• Windows Update
• Trusted Cryptographic Services
• Storage and Communications

• Universal Windows Platform
• Capability and Permission
• Managed Memory
• Signed executables

Windows 10 IoT Editions

Windows 10 IoT Enterprise
• Windows 10 Enterprise for IoT devices
• Enterprise Manageability and Security
• Rich user experience
• Win32 & UWP
• 1 GB RAM, 16 GB Storage
• X86

Windows 10 IoT Mobile
• Windows 10 Mobile Enterprise for IoT devices
• Handheld devices
• Modern Shell & UWP
• lockdown and multi-user support
• 512 MB RAM, 4 GB storage
• ARM

Windows 10 IoT Core (OEM Pro Edition)
• New Windows 10 version for IoT devices
• Optimized for small & low cost IoT devices
• Single UWP App experience
• Low cost silicon
• 256MB RAM, 2GB storage
• X86 or ARM

Windows 10 IoT Core Platforms

IoT Interoperability and AllJoyn

• DISCOVER nearby friendly devices
• IDENTIFY services running on those devices
• ADAPT to devices coming and going
• MANAGE diverse transports
• INTEROPERATE across different OSes
• EXCHANGE information and services
• SECURE against nearby bad actors

Azure IoT Hub

[Figure labels, in extraction order:]
• Transport, Gateways, Services
• HTTPS, AMQPS
• IoT Hub
• Up to 10M Devices per Hub
• Identity Registry
• Device Management Provisioning
• IoT Hub Gateway
• HTTPS, AMQPS, MQTT
• Data and Command Flow
• Per-device command queues
• Event Hub
• Self Hosted Gateway
• MQTT, Custom
• Field Gateway
• OPC UA, MQTT, CoAP, AllJoyn, ...
• Cloud, Field

Azure IoT Hub OSS Device Agents

[Figure labels:]
• APIs
• OSS Device Agents
• Management
• Communication
• Provisioning

Microsoft Azure IOT Suite

Intelligent Systems Service / Azure IOT Suite

• Connect: Connect technology assets to other devices, cloud-based services and infrastructure
• Extend: Address variable demand with scalable, efficient data collection and storage in the cloud
• Configure: Configure rules and executable scripts that define actions on devices
• Administer: Apply business rules to remotely manage and govern devices
• Harness: Efficiently capture, store, visualize and analyze data to drive meaningful business insights

IoT Threat Modeling

1. Draw an application diagram and then decompose the architecture
2. Assign the STRIDE mnemonic to each element in the diagram
3. Determine the risk
4. Choose mitigations (or not!)

STRIDE

S –> Spoofing Identity
T –> Tampering
R –> Repudiation
I –> Information Disclosure
D –> Denial of Service
E –> Elevation of Privilege

© 2015 Microsoft Corporation. All rights reserved.

Backup Slides

Top Devices Have Major Security Weaknesses

Source: HP Fortify: Defence for the Internet of Things
http://www8.hp.com/hpnext/posts/hp-fortify-defense-internet-things-iot

Microsoft Azure IoT Services

Devices
Device Connectivity: Event Hub, IoT Hub, Service Bus, External Data Sources
Storage: SQL Database, Table/Blob Storage, DocumentDB, 3rd party Databases, Data Lake
Analytics: Machine Learning, Stream Analytics, HDInsight, Data Factory
Presentation & Action: App Service, Power BI, Notification Hubs, Mobile Services, BizTalk Services

Threats in the IoT platform

STRIDE | Threat | Implementation
Spoofing | How do we know we are talking to the right device | Authentication; Secure Channels
Tampering | How do we make sure that the device was not tampered with (physically or environmentally) | Authorization; Secure Channels
Repudiation | Modifying audit logs | Authentication; Secure logging and auditing; Digital Signatures
Information Disclosure | Eavesdropping on the communication | Encryption; Authorization
Denial of Service | DoS against service/device (resource exhaustion, power drain,…) | Throttling; High Available design; Authorization; Controlling inbound connections
Elevation of Privilege | Forcing the device/service to do something it was not supposed to do | Authorization; Least privilege

Defense in Depth

[Figure labels: columns Cloud, Field Gateways, Devices; layers Physical, Global Network, Local Network, Identity and Access Control, Host, Edge, Application, Data; surrounding label Policies, Procedures, Guidance]

• Data Privacy Protection and Controls
• People and Device Identity Federation, Data Attestation
• Trustworthy Platform Hardware, Signed Firmware, Secure Boot/Load
• Secure Networks, Transport and Application Protocols, Segmentation
• Tamper/Intrusion Detection, Physical Access Security

Capability constrained devices

• IoT capabilities are primarily value-add to other primary capabilities

• How much computer, storage, and networking circuitry can you add to the BOM for a $40-range retail product for that value-add?

• Tiny devices make awfully vulnerable network servers

[Figure labels: $1 Sensor, IoT Sweet Spot, $400 Phones, $1000 PCs, $10000 Server; constraints: Cost, Computational Capabilities, Memory/Storage Capacity, Energy Consumption/Source, Component Quality]

Call to Action!

• IoT Security is a shared responsibility
• Security concepts to the edge
• Device code, provisioning, certificates, data management
• Implement a Secure Development Lifecycle
• http://microsoft.com/sdl
• Keep track of the cyber supply chain
• Work out an incident response plan that includes updates
• Leverage industry best practices for defense-in-depth
• Select device platforms by best balance between feature and security capabilities for your scenario and budget.
• Leverage best practice network design, but don’t just trust the network.
• Establish security boundaries at the application layer

Call to Action!

• Build on the Azure IoT Suite and IoT Hub
• Secure, Service Assisted, Bi-Directional Communication
• Hyper-Scale Device Identity Management
• Device Management Foundation
• Review our platform principles and certifications
• Azure Trust Center: http://azure.microsoft.com/en-us/support/trust-center/

• ISO 27001/27002
• SOC 1/SSAE 16/ISAE 3402 and SOC 2
• Cloud Security Alliance CCM
• FedRAMP
• FISMA
• FBI CJIS (Azure Government)
• PCI DSS Level 1
• United Kingdom G-Cloud
• Australian Government IRAP
• Singapore MTCS Standard
• HIPAA
• CDSA
• EU Model Clauses
• Food and Drug Administration 21 CFR Part 11
• FERPA
• FIPS 140-2
• CCCPPF
• MLPS

Resources

• Improve your skills by enrolling in our free cloud development courses at the Microsoft Virtual Academy.
• Try Microsoft Azure for free and deploy your first cloud solution in under 5 minutes!
• Easily build web and mobile apps for any platform with Azure App Service for free.

[Figure labels:]
• Internet, ISP, (Mobile) Network Operators, MNO Gateway
• Personal Environment and Networks
• Complex Connected Things
• Watches, Glasses, Work Tools, Hearing Aids, Robotic Assistance, …
• Homes, Vehicles, Vessels, Factories, Farms, Oil Platforms, …
• Vehicle Fleets, Sea Vessels, LV Smart Grids, Cattle, …
• Device, Field Gateway, Local Gateway, Cloud Gateway
• Local Interaction, Mobile & Web Interaction
• Local Portals and APIs: Control System, Analytics, Data Management
• Cloud Systems
• Cloud Portals and APIs: Control System, Analytics, Data Management