© 2016 ForgeRock. All rights reserved.
No IoT without identity! Leonard Moustacchis – 06 October 2016
ForgeRock is the leading provider of an Identity Platform helping customers during
their journey into digital transformation
Top Barriers to IoT Adoption
…and you can’t secure connected Things without Identity
Connected Things Require Security
Cargo Container, Energy Substation, Smartphone, Wearables, Animals, Shopping Cart, Vehicles, Bike Computer, Smart Meter, Stoplight, Parking Meter, Sensor, Camera, Oil Barrel, Forklift, Buildings, Wind Turbine, Gas Pump
ForgeRock Secures People, Devices and Services across numerous IoT Platforms and industry verticals
• Applications
• Services
• Data
Azure, Cloud Foundry, AWS, Rackspace
Customers, Partners, Employees
4 Pillars of WoT
Things
People
Data
Process
Use cases
Health & Fitness
Connected Home
Smart Cities
Utilities & Industrial
Demo
Secure Device onboarding
Consumer
mbed Connect
Located at
Identity Relationships Efficiently and Conveniently Driving Access
• RELATIONSHIPS convey authorization information
• Can be used to FEED A POLICY ENGINE TOGETHER WITH ATTRIBUTES
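The slide's point, that relationships are themselves authorization data and can be evaluated by a policy engine alongside plain attributes, is shown below in an added, constructed example (not ForgeRock code). The entities, relationship names (owns, located_in, member_of, guest_of), the attributes and the four policy rules are all assumptions chosen for the illustration; a real relationship store would back the same `related`/`has` queries.

```python
"""Relationship graph + attributes feeding a small policy engine.

Constructed example, not ForgeRock code: entities, relation names, attributes
and rules are assumptions made for illustration.
"""
from collections import defaultdict

# Relationships as directed edges (subject, relation, object). Constructed data.
RELATIONSHIPS = [
    ("alice", "owns", "thermostat-1"),
    ("thermostat-1", "located_in", "home-1"),
    ("bob", "member_of", "home-1"),
    ("carol", "member_of", "home-2"),
    ("dave", "guest_of", "home-1"),
]

# Attributes on entities (constructed); rules combine them with relationships.
ATTRIBUTES = {
    "alice": {"age": 41},
    "bob": {"age": 15},
    "dave": {"age": 30},
    "thermostat-1": {"type": "thermostat"},
}


class RelationshipGraph:
    """Adjacency view over (subject, relation, object) triples."""

    def __init__(self, edges):
        self.out = defaultdict(set)
        for subject, relation, obj in edges:
            self.out[subject].add((relation, obj))

    def related(self, subject, relation):
        """All objects reachable from subject via exactly this relation."""
        return {obj for rel, obj in self.out[subject] if rel == relation}

    def has(self, subject, relation, obj):
        return obj in self.related(subject, relation)


def decide(graph, attrs, subject, action, resource):
    """Policy engine: deny by default, first matching permit rule wins."""
    # Rule 1: the owner relationship alone grants every action.
    if graph.has(subject, "owns", resource):
        return True
    homes = graph.related(resource, "located_in")
    member_homes = graph.related(subject, "member_of")
    # Rule 2: household members may read devices located in their household.
    if action == "read" and homes & member_homes:
        return True
    # Rule 3: changing settings needs the relationship AND an attribute (adult).
    if action == "set" and homes & member_homes and attrs.get(subject, {}).get("age", 0) >= 18:
        return True
    # Rule 4: guests of the household may read but never set.
    if action == "read" and homes & graph.related(subject, "guest_of"):
        return True
    return False


GRAPH = RelationshipGraph(RELATIONSHIPS)


def can(subject, action, resource):
    """Convenience wrapper over the constructed graph and attributes."""
    return decide(GRAPH, ATTRIBUTES, subject, action, resource)


if __name__ == "__main__":
    for who, what in [("alice", "set"), ("bob", "read"), ("bob", "set"), ("dave", "read"), ("carol", "read")]:
        print(f"{who} {what} thermostat-1 -> {'permit' if can(who, what, 'thermostat-1') else 'deny'}")
```

Note how rule 3 is where the "together with attributes" part lands: bob's `member_of` relationship reaches the thermostat's home, but his age attribute blocks the `set` action, so the same relationship yields different decisions depending on attributes.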
The IoT Evolution
IoT 3.0 (Realtime)
IoT 2.0 (Share)
IoT 1.0 (Presence)
• Root of trust at the edge, onboard trusted identities, secure and trusted automation, data privacy.
• Cross IoT ecosystems trust and sharing with a single security domain across IoT, consumer, customers and enterprise
• Single device identities, secure connect and onboard, connect or pair consumer devices and users, enterprise collect and share data across consumers, customers and enterprise.
• Closed ecosystems, disconnected security across users and IoT
• Internet connected, retrieve data, multi-protocol, multi-vendor solutions
IoT 3.0 data sharing, Privacy & consent
User-Managed Access
User-Managed Access (UMA)
An emerging standard for privacy and consent
• RESPECT: regard for one's wishes and preferences
• CHOICE: the true ability to say no and change one's mind
• CONTROL: the ability to share just the right amount
• CONTEXT: the right moment to make the decision to share
Facebook report
IoT 3.0 End to end security
Only one security breach is enough!
Everyone makes their own gateway (GW). Why? They all face the same basic challenges:
- Access security
- Authenticity
- Secure communication
- Application lifecycle management
Device – 2 worlds – 2 securities
Internet | Gateway | IoT
IoT side: Stoplight, Parking Meter, Sensor, Camera (CoAP, MQTT)
PoP (OAuth Proof of Possession), simple description
Parties: Brian, Alice, Bob
1. Alice sends a message to Bob without an authenticator.
2. Bob asks Alice to get a shared secret from Brian.
3. Alice asks Brian for a shared secret to initiate a session with Bob.
4. Brian checks that Alice can contact Bob (optional) and generates a random shared secret.
5. Brian sends the random secret to Alice, encrypted for Alice and encrypted for Bob.
6. Alice decrypts the shared secret and generates a message to Bob. The message contains the shared secret encrypted for Bob by Brian.
7. Alice signs the message with the shared secret.
8. Bob decrypts the shared secret sent by Brian and checks the signature. If the signature is correct, Alice is a trusted partner.
9. Bob sends a response to Alice signed with the shared secret.
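The nine steps above, carried through end to end as an added, constructed example (not ForgeRock code and not a standard PoP implementation). It assumes Brian already shares one long-term key with Alice and another with Bob, that "signed with the shared secret" means an HMAC-SHA256 over a canonical JSON body, and that "encrypted for Alice/Bob by Brian" is modelled by the `toy_wrap` helper (a keystream from HMAC-SHA256 over key and nonce, XORed onto the secret, plus an integrity tag). That helper is a placeholder for a real authenticated cipher or key-wrap; everything else follows the slide's message flow, including the two properties a defender cares about: a tampered request fails Bob's signature check (step 8), and Alice cannot read Bob's copy of the secret.

```python
"""Walk-through of the PoP exchange on the slide: Brian mints a shared secret,
wraps it once for Alice and once for Bob, Alice forwards Bob's copy and signs
her request, Bob unwraps, verifies and signs his reply.

Constructed example, not ForgeRock code. Long-term keys, message bodies and the
toy_wrap scheme are assumptions; toy_wrap stands in for real key wrapping.
"""
import hashlib
import hmac
import json
import os


def toy_wrap(key: bytes, secret: bytes) -> bytes:
    """Wrap a secret (<= 32 bytes) so only a holder of `key` can unwrap it."""
    nonce = os.urandom(16)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity tag
    return nonce + ct + tag


def toy_unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped secret failed integrity check (wrong key or tampered)")
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def sign(secret: bytes, payload: dict) -> str:
    """Steps 7 and 9: HMAC-SHA256 over the canonical JSON form of the message."""
    canon = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(secret, canon, hashlib.sha256).hexdigest()


def verify(secret: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(secret, payload), sig)


def brian_issue(keys: dict, client: str, rs: str) -> dict:
    """Steps 3-5: Brian generates a random secret, returns it wrapped for both."""
    secret = os.urandom(32)
    return {"for_client": toy_wrap(keys[client], secret),
            "for_rs": toy_wrap(keys[rs], secret)}


def alice_request(k_alice: bytes, issued: dict, body: str):
    """Steps 6-7: Alice unwraps her copy, embeds Bob's copy untouched, signs."""
    secret = toy_unwrap(k_alice, issued["for_client"])
    msg = {"to": "bob", "body": body, "pop": issued["for_rs"].hex()}
    return secret, msg, sign(secret, msg)


def bob_handle(k_bob: bytes, msg: dict, sig: str):
    """Step 8: Bob unwraps the secret Brian encrypted for him and checks the
    signature; step 9: on success he answers, signed with the same secret."""
    secret = toy_unwrap(k_bob, bytes.fromhex(msg["pop"]))
    if not verify(secret, msg, sig):
        return None  # signature wrong: Alice is not a trusted partner
    reply = {"status": "ok", "echo": msg["body"]}
    return reply, sign(secret, reply)


def run_exchange(tamper: bool = False) -> dict:
    keys = {"alice": os.urandom(32), "bob": os.urandom(32)}  # held by Brian and each party
    issued = brian_issue(keys, "alice", "bob")
    secret, msg, sig = alice_request(keys["alice"], issued, "read sensor 7")
    if tamper:
        msg = dict(msg, body="read sensor 8")  # altered in transit; signature is now stale
    result = bob_handle(keys["bob"], msg, sig)
    if result is None:
        return {"accepted": False}
    reply, reply_sig = result
    return {"accepted": True, "reply_verified": verify(secret, reply, reply_sig)}


def client_cannot_read_rs_copy() -> bool:
    """Bob's copy is opaque to Alice: her key does not unwrap it."""
    keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    issued = brian_issue(keys, "alice", "bob")
    try:
        toy_unwrap(keys["alice"], issued["for_rs"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_exchange(), run_exchange(tamper=True), client_cannot_read_rs_copy())
```

Steps 1 and 2 (the unauthenticated first message and Bob's redirect to Brian) carry no cryptography and are left implicit; `run_exchange` starts at step 3.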
High Level Architecture
• Authorization Server (generates/validates access/refresh tokens)
• Authorization Manager (validates access/refresh tokens, manages a local blacklist, asks the AS for new access/refresh tokens)
• Clients (lots of them)
• Resource Server
• Domains: Requesting Party Domain, Resource Owner Domain
• Transport: COAP on the IoT side, HTTPS across the Internet
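The Authorization Manager box on that slide does three things: validate tokens locally, keep a local blacklist, and go back to the AS for new tokens. The added example below (constructed, not ForgeRock code) implements those three behaviours against an in-process stand-in for the Authorization Server. The token format (base64url JSON claims plus an HMAC-SHA256 tag under a key shared with the AS), the single-use refresh tokens and the subject names are assumptions; the behaviour shown, accept genuine tokens, reject forged, revoked and expired ones, and refresh when needed, is the point.

```python
"""Gateway-side Authorization Manager: local validation, local blacklist,
refresh via the AS. Constructed example, not ForgeRock code; the AS is
simulated and the token format is an assumption.
"""
import base64
import hashlib
import hmac
import json
import os
from typing import Optional


class SimulatedAS:
    """Stand-in Authorization Server: generates/validates access and refresh tokens."""

    def __init__(self, key: bytes):
        self.key = key
        self.refresh = {}  # refresh token -> subject

    def _mint(self, claims: dict) -> str:
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, subject: str, now: int, ttl: int = 300) -> dict:
        rt = os.urandom(16).hex()
        self.refresh[rt] = subject
        return {"access_token": self._mint({"sub": subject, "exp": now + ttl}),
                "refresh_token": rt}

    def refresh_access(self, rt: str, now: int) -> Optional[dict]:
        subject = self.refresh.pop(rt, None)  # refresh tokens are single-use here
        return self.issue(subject, now) if subject else None


class AuthorizationManager:
    """Sits on the gateway in front of the CoAP devices; the common case
    (valid, unrevoked token) needs no round trip to the AS."""

    def __init__(self, auth_server: SimulatedAS, key: bytes):
        self.auth_server = auth_server
        self.key = key          # shared with the AS so tokens verify locally
        self.blacklist = set()  # local blacklist of revoked access tokens

    def revoke(self, token: str) -> None:
        self.blacklist.add(token)

    def validate(self, token: str, now: int) -> Optional[dict]:
        """Return the claims if the token is genuine, unexpired and not revoked."""
        if token in self.blacklist:
            return None
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or corrupted
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] <= now:
            return None  # expired
        return claims

    def renew_if_needed(self, tokens: dict, now: int) -> Optional[dict]:
        """Keep the current pair if still valid, otherwise ask the AS for a new one."""
        if self.validate(tokens["access_token"], now):
            return tokens
        return self.auth_server.refresh_access(tokens["refresh_token"], now)


def demo() -> dict:
    """Exercise the four outcomes: valid, forged, revoked (then renewed), expired."""
    key = os.urandom(32)
    auth_server = SimulatedAS(key)
    am = AuthorizationManager(auth_server, key)
    t0 = 1_000_000
    tokens = auth_server.issue("sensor-7", t0)
    at = tokens["access_token"]
    out = {"valid": am.validate(at, t0 + 10) is not None}
    forged = at[:-1] + ("0" if at[-1] != "0" else "1")  # flip one hex digit of the tag
    out["forged"] = am.validate(forged, t0 + 10) is not None
    am.revoke(at)
    out["revoked"] = am.validate(at, t0 + 10) is not None
    renewed = am.renew_if_needed(tokens, t0 + 10)  # revoked, so the AM goes to the AS
    out["renewed_differs"] = renewed["access_token"] != at
    out["renewed_valid"] = am.validate(renewed["access_token"], t0 + 20) is not None
    out["expired"] = am.validate(renewed["access_token"], t0 + 320) is not None
    return out


if __name__ == "__main__":
    print(demo())
```

The blacklist check runs before the signature check on purpose: a revoked token is still cryptographically genuine, so local revocation is the only thing standing between a leaked-but-valid token and the devices behind the gateway.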
Thank you