Towards a trustworthy internet of things

Presentation on theme: "Towards a trustworthy internet of things"— Presentation transcript:

1 Towards a trustworthy internet of things
Arjmand Samuel, Security lead, Azure IoT

2 IoT…
Is already delivering results
Requires organizational changes
Has a set of security challenges that you can navigate
Microsoft is leading the way in IoT security

3 IoT Security Leadership …
9/17/2018 6:19 AM
End-to-end IoT infrastructure security
Hardware based secure design
Making secure IoT a reality
Standards and regulations
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 Gain defense in depth with Azure IoT Suite security
Securely connect millions of devices . . . over a secure internet connection . . . to Microsoft Azure, built with security from the ground up.
Device Security:
  Secure Device Management
  Device Provisioning Service
  Support for diverse secure HW
  Cert-based device identity and attestation
Connection Security:
  X.509/TLS 1.2 based mutual authentication
  Standards based connection encryption
  Support of secure protocols, e.g. AMQP, MQTT, HTTPS
Cloud Security:
  Azure Security Center
  Azure Active Directory
  Key Vault
  Policy-Based Access Control
  IP based control

5 The case for end-to-end security

6 IoT Security Challenges
End-to-end security:
  Is this silicon secure?
  Is the OS secure?
  Can you perform device management via the cloud?
  Can this device be tampered with?
If you answered “no” to any of these questions, you have a security risk to mitigate.

7 IoT Security Challenges
Brownfield:
  Many Industrial IoT deployments are brownfield
  Size and capital expense involved with building and retrofitting
Brownfield industrial deployments:
  Rely on physical security and are based on obscure or proprietary protocols and systems
  Not always possible to rip-and-replace industrial machines to bring them up to modern security standards

8 Industry best practices
A role-based approach:
  Hardware manufacturers or integrators
  Solution developer
  Solution operator
  Solution deployer

9 Security practices for each role
Hardware manufacturers or integrators:
  Scope hardware design to minimum requirements
  Make hardware tamper-proof
  Build security into hardware
  Have a plan to make secure upgrades
Solution developer:
  Follow secure development methodology
  Choose open-source software judiciously
  Integrate with care
Solution deployer:
  Install hardware securely
  Keep authentication keys safe
Solution operator:
  Keep the system up to date
  Protect against malicious activity
  Audit frequently
  Protect the physical IoT infrastructure
  Protect cloud credentials
aka.ms/iotbestpractices

10 Hardware based secure design

11 The Threat Landscape
Threats: environmental tampering, analysis, fault injections, physical access
Heterogeneous compute hardware:
  Vendor diversity
  Architecture diversity
  Varying capability
Heterogeneous development software:
  Compiled
  Scripted
  Mixed
Non-standard security procedures:
  Secure boot
  Secure updates
  Secure storage
Availability of attack skills and tools:
  Experience from failure analysis
  Experience from patent litigation

12 7 Properties of highly secure devices
Well understood security principles and practices
Device security rooted in hardware, but guarded with secure, evolving software
aka.ms/7properties

13 Secure hardware for IoT
A class of microchips that protect secrets like keys even when under attack. Also called Hardware Security Modules, or simply HSMs.
Secure hardware does not protect the device by mere presence; the application might still expose gaps elsewhere for exploits.
Standalone: processor and secure hardware as separate parts; enables microprocessor evolution across generations of IoT devices.
Integrated: processor with integrated secure hardware; unchanging processor requirements tend to favor the integrated secure hardware architecture.

14 Designing the right hardware based security
Properties of highly secure devices
White papers, best practices
Security Program for Azure IoT

15 Device Identifier Composition Engine – DICE
Secure by design:
  Use silicon gates to create hardware-based device identities
  Security built into the DNA of the device
  Scalable security framework with minimal hardware requirements for device identification and attestation
  Trust anchor upon which various security solutions for authentication, secure boot, remote attestation, and more can be built
aka.ms/iotdice

16 DICE in action
Device Identifier Composition Engine (DICE), standardization via Trusted Computing Group (TCG).
Boot sequence:
  Start/Reset
  UDS based on TPM or other secure device ID
  Measurement of first mutable code and optionally hardware state and config data
  Combine Unique Device Secret (UDS) and measurement using a one-way function to create the Compound Device Identifier
  Prevent access to the UDS (via hardware mechanism) and completely erase any remnants from memory
  Transfer control to an architecturally defined location in mutable code, passing the Compound Device Identifier
  First Mutable Code (firmware or boot sequence)
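The boot sequence above, modelled in Python as an added illustration (this is not code from the presentation nor from the TCG DICE specification); HMAC-SHA256 stands in for the one-way function, the UDS and firmware images are constructed sample values, and the DiceEngine class is a hypothetical name for the stage that derives the CDI and then locks out the UDS.

```python
import hashlib
import hmac

# Constructed sample values: a per-device Unique Device Secret (UDS) and two
# versions of the "first mutable code" (e.g. a bootloader image).
UDS = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
FIRMWARE_V1 = b"bootloader v1 (constructed sample image)"
FIRMWARE_V2 = b"bootloader v2 (constructed sample image)"


def measure(first_mutable_code: bytes, hw_config: bytes = b"") -> bytes:
    """Measurement of the first mutable code, optionally including hardware
    state/config data, as a SHA-256 digest."""
    h = hashlib.sha256()
    h.update(first_mutable_code)
    h.update(hw_config)
    return h.digest()


def derive_cdi(uds: bytes, measurement: bytes) -> bytes:
    """Combine UDS and measurement with a one-way function to produce the
    Compound Device Identifier (CDI). HMAC-SHA256 keyed by the UDS is used here."""
    return hmac.new(uds, measurement, hashlib.sha256).digest()


class DiceEngine:
    """Simulates the DICE stage of boot: it holds the UDS, derives the CDI, then
    locks and erases the UDS before handing the CDI to the first mutable code."""

    def __init__(self, uds: bytes):
        self._uds = bytearray(uds)  # mutable so it can be zeroised

    def uds_locked(self) -> bool:
        return self._uds is None

    def boot(self, first_mutable_code: bytes, hw_config: bytes = b"") -> bytes:
        if self.uds_locked():
            raise RuntimeError("UDS is no longer accessible after the DICE stage")
        cdi = derive_cdi(bytes(self._uds), measure(first_mutable_code, hw_config))
        # Model the hardware lock-out: overwrite the secret and drop the reference
        # so no remnants remain for the mutable code that runs next.
        for i in range(len(self._uds)):
            self._uds[i] = 0
        self._uds = None
        return cdi  # passed to the architecturally defined entry point


if __name__ == "__main__":
    cdi_v1 = DiceEngine(UDS).boot(FIRMWARE_V1)
    cdi_v2 = DiceEngine(UDS).boot(FIRMWARE_V2)
    print("CDI (firmware v1):", cdi_v1.hex())
    print("CDI changes when the first mutable code changes:", cdi_v1 != cdi_v2)
```

Because the CDI depends on both the UDS and the measurement, a modified bootloader or changed hardware config yields a different identity, which is what lets a verifier detect the change during attestation.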

17 Availability of DICE hardware
DICE hardware partners announced in Spring 2017

18 Microchip is an Azure+DICE development partner
The CEC1702 family of MCUs from Microchip provides secure boot and a robust HW crypto cipher suite which supports DICE.
The SecureIoT1702 Demo Board is an Azure Certified for IoT device with DICE hardware support.
Both items are available from microchipdirect.com

19 Azure IoT Hub Device Provisioning Service
Simplify with zero touch provisioning:
  Supports multiple locations
  Enhanced security through DICE, TPM or other HSMs
  For any device compatible with IoT Hub
  Remove human error
  Minimize manual connection requirements
  Scale opportunities
DPS knows exactly which IoT Hub to connect and provision (e.g. IoT Hub US, IoT Hub Japan, IoT Hub India).

20 Choosing a secure OS for your device

21 Azure IoT Device SDKs support …
Open source, cross platform and in many languages (C, C#, Node.js, Java, Python)
Rich operating systems: all major, including Linux and Windows
Realtime OSes
Bare metal systems like MBED
If a device has a CPU/MCU and network, we support it!
Even devices that do not have an IP stack (BLE, Zigbee, ZWave, etc.), via Azure IoT Edge gateway

22 Windows 10 IoT
Making it easy to build secure, intelligent and connected devices quickly and confidently
Intelligent edge
Intelligent security
Faster time to market

23 IoT protection stack
Device protection:
  Trusted Platform Module (TPM)
  Windows Device Health Attestation
  Secure Boot
  BitLocker
Threat resistance:
  Windows as a Service
  Device Guard
  Windows Firewall
  Windows Defender*
Data protection in-motion:
  X.509/TLS-Based Handshake and Encryption
  Encryption at Rest
Cloud security:
  Azure Active Directory
  Key Vault
  Policy-Based Access Control
  IP-based blocking
Response:
  Secure Device Provisioning
  Standards-based best practices
  Device Management
  Device Recovery
  Device-specific repudiation
*Only available on Windows IoT Enterprise

24 Making secure IoT a reality

25 Evaluate your strategies using the IoT Security Evaluation Framework
Consider threats
Review the consequences
Select the evaluation strategies
Choose a platform and partner to execute your strategy

26 Consider the threats most relevant to your IoT infrastructure
Nefarious activity and abuse
Natural disasters
Hijacking
Failure and malfunctions
Outages
Physical attack

27 Review the consequences of your identified threats
Company:
  Loss of control
  Loss of data
  Damage to brand
  Financial loss
Customers:
  Compromise of privacy
  Service disruption
Infrastructure:
  Environmental damage
  Loss of life

28 Select your evaluation strategies
Security evaluation strategies by IoT project lifecycle stage.
aka.ms/iotsecurityeval

29 Find the right partner to execute
Microsoft’s Security Program for Azure IoT connects customers with partners who are experts at evaluating an IoT infrastructure end-to-end.
10th Magnitude
AppSec Labs LTD
AUJAS Information Risk Services
Casaba Security LLC
Crowe Horwath LLP
CyberX
Microsoft Enterprise Services
OccamSec LLC
Praetorian
SecureGUARD GmbH
Tech Mahindra
Unisys Corporation
Not all partners may be listed; check internetofyourthings.com for latest status.

30 Regulations, policy and standards

31 Security standards and regulatory challenges
Innovation velocity is outpacing regulations and standards
Typical standards can take 3 to 5 years from start to ratification
Government policy and regulations can take as long, and can be region and country specific
This is hurting a nascent area such as IoT

32 Governments have unique capabilities
Build cross-disciplinary partnerships through public-private collaboration and interagency coordination
Serve as catalyst for the development of good IoT security practices
Support initiatives that improve IoT security across borders

33 Standards for IoT security
No end-to-end IoT security standard
Existing standards retrofit IT security to IoT
No scope for physical attacks such as tampering

34 Security Maturity Model
Maturity of security implementations
Use case specific maturity
Actionable guidance for moving from one level to the next
Microsoft leading IoT Security Maturity Model at Industrial Internet Consortium (IIC)

35 What is SMM? (an example)
Initial version of SMM to be released soon by IIC.
Level 4 (healthcare, military and other high value IoT):
  Real-time monitoring for device and service properties
  Auditing and monitoring for service usage
  Encryption of all data at rest
  Secure firmware and OS updates
  Safety monitoring for environmental hazards
Level 3 (recommended for auto, smart cities, etc.):
  Secure storage on device
  Hardware enabled unique device ID
  Stronger device authentication using PKI
  Device breakdown monitoring
Level 2 (may be sufficient for individual consumer IoT):
  Encryption for transport
  Some form of device ID (shared device keys)
  Authentication of device and service
  Environmental safety review
Level 1
Level 0: Insecure or not audited

36 Azure covers 54 compliance offerings
Azure has the deepest and most comprehensive compliance coverage in the industry

37 In summary: Microsoft is leading IoT Security
Secure lifecycle management of IoT devices using Device Provisioning Service, Device Management and a host of security features
Cutting edge of device identity and attestation with DICE, available today through our silicon partners
Empowering you to design, deploy and operate secure IoT through best practices and the Security Program
Leading in standards and regulations

38 Azure IoT Security resources
azure.microsoft.com
Learn how to build in security from the ground up: us/documentation/articles/iot-hub-security-ground-up/
Gartner Predicts 2016: Security and the Internet of Things

39 IoT Sessions @ Ignite
Day | Session | Speaker | Time | Location
Mon 25th | Introduction to Windows IoT | Adi Hariharan | 2:15 – 3:30 PM | Hyatt Windermere Y
Mon 25th | Overview of how Azure can help with your IoT solution | Sam George | 4 - 5:15 PM | Hyatt Windermere X
Tues 26th | Microsoft IoT: When you connect your business with IoT, the opportunities are endless | | 9:- 10:15 AM | OCCC Chapin Theater W320
Tues 26th | Cool Devices in Windows IoT | | 10: :10 AM | OCCC S – Expo Theater #10
Tues 26th | Zero touch device registration with Azure IoT | Nicole Berdy, Olivier Bloch | 11:30- 12:15 PM | Hyatt Windermere W
Tues 26th | Building Reliable IoT Solutions in the Cloud, Fast | Cory Newton-Smith | 12:30 - 1:45 PM |
Tues 26th | The future of IoT analytics: The Edge complementing the cloud | Santosh Balasubramanian | | Hyatt Plaza International I-K
Weds 27th | Enable Edge Computing with Azure IoT Edge | Olivier Bloch | 9- 10:15 AM |
Weds 27th | Towards a trustworthy internet of things | Arjmand Samuel | |
Weds 27th | Put your time series data to work for your business | OP Ravi, Jason Killeleagh | 3:15 - 4:00 PM |
Thurs 28th | Enable IoT Scenarios with Edge Computing | | | OCCC South – Expo Theater #10
Thurs 28th | Get started developing with Azure IoT | | |
Thurs 28th | Tips and tricks to help your IoT solution scale | | 2 - 2:45 PM |

