
Connect-and-Protect: Building a Trust-Based Internet of Things for Business-Critical Applications



The Internet of Things can deliver smart spaces: intelligent meeting areas, location services and real-time monitoring are just a few of the applications that make the workplace more efficient and productive. When installed with care, IoT infrastructure offers significant business benefits and improved operations. Join us to learn why organizations are taking the next step in enabling smart buildings.

Published in: Technology


  1. #ATM16 Connect-and-Protect: Building a Trust-Based Internet of Things for Business-Critical Applications. Michael Tennefoss, Vice President of Strategic Partnerships, Aruba Networks (@ArubaNetworks)
  2. • The Internet of Things (IoT) is made up of stationary and mobile devices used to harness the world around us
     • Mining device data enriches decision making to a degree no single device could support on its own
     • Only trusted devices, and data whose integrity has been verified, should be used to make decisions
     • Today's IoT isn't trustworthy: it's a riddle of PHYs, wrapped in an enigma of protocols, protected by a hairball of security
  3. The Internet of Untrusted Things
     • Devices built for speed and reliability may have little, no, or outdated security
     • Many lack access rules, key management, zero-day attack prevention, authentication, anti-malware, encryption and firewalls
  4. Legacy Trust
     • Operational efficiency focuses on process and performance
     • Trust equals physical control of devices and is rarely reassessed
     • Changes in technology have created security gaps
     • The fix: establish logical control of data and devices
  5. Diversity & Legacy Recapitulate Complexity (chart; © Harbor Research)
  6. The Opportunities Are Enormous (charts)
     • Installed base of things by vertical, 2013-2020 (source: Gartner, "Differentiate Within Vertical Industries by Leveraging on Internet of Things", 2014)
     • Fast growth in building and factory IoT, 2020 (source: Goldman Sachs, "The next industrial revolution: Moving from B-R-I-C-K-S to B-I-T-S", 2014)
     • IDC IoT potential market estimate, 2020 (source: Goldman Sachs, as above)
  7. IoT Potential Value
     • A 2015 McKinsey study assessed IoT value across nine sectors
     • Keys to unlocking value include interoperability, data exploitation and B2B uses
     • $3.9-11.1 trillion in estimated annual value by 2025
     • Drivers include business transformation
     Source: The Internet of Things: Mapping the Value Beyond the Hype, McKinsey & Company, June 2015
  8. Applying the Red-Black Trust Paradigm (diagram: Untrusted | Point of Demarcation | Trusted)
     • Red is untrusted, black is trusted; the point of demarcation is ideally at the data source
     • Most IoT devices lack security, and it isn't economically feasible to replace them
     • The objective is to move the point of demarcation as close as possible to the data
  9. Demarcation Varies by Device Type (pyramid diagram; layers from top: Analytics, HMIs, Stationary Machines & Controllers, Mobile Machines & Controllers, Smart Sensors & Actuators, Microprocessors & Microcontrollers)
     • Analytics layer: tools for business intelligence and threat monitoring; visualization, reporting, compliance
     • Smart devices may be demarcation points if they have sufficient processing power and memory
     • Demarcation points for less capable devices lie lower in the pyramid (the "common demarcation points" of the diagram)
  10. Connect-and-Protect
     • Establishes trustworthy data sources for business intelligence and decision making
     • Eight steps to trust:
       1. Make a physical layer (PHY) connection
       2. Talk the talk with existing device protocols
       3. Establish the authenticity of devices and users
       4. Encrypt the data
       5. Secure the communication pathways
       6. Establish and enforce device and user roles
       7. Implement access and usage policies
       8. Monitor for vulnerabilities
  11. PHY Conversion
     • The breadth of PHYs spans every media type
     • Requires a toolbox of PHY support
     • There is no universal standard in the IoT

     Standard              Medium
     IEEE 802.15.1         Bluetooth radio frequency
     IMT-2000, ETSI LTE    Cellular radio frequency
     IEC 61754             Fiber optics
     IEEE 11073-30300      Infrared
     IEEE 488              Short-haul cable
     ISO/IEC 14543-3-6     Twisted pair
     IEC 61158-2           Twisted pair
     IEEE 11073-30200a     Twisted pair
     IEEE 802.3            Twisted pair (Ethernet)
     ISO/IEC 14908-2       Twisted pair (free topology)
     ISO 11898-2           Twisted pair (high speed)
     ISO 11898-3           Twisted pair (low speed)
     ISO/IEC 14908-3       Power line carrier (narrow band)
     ISO/IEC 14543-3-5     Power line carrier (narrow band)
     IEEE 1901             Power line carrier (wide band)
     ISO/IEC 14543-3-7     Radio frequency
     IEEE 802.15.4         Radio frequency
     ISO/IEC 14543-3-10    Radio frequency (energy harvesting)
  12. Protocol Conversion
     • The IoT is a babel of communication protocols
     • Protocol converters are essential

     Industrial automation: AS-i, BSAP, Controller Area Network (CAN), CC-Link Industrial Networks, CIP, ControlNet, DeviceNet, DF-1, DirectNET, EtherCAT, Ethernet Global Data (EGD), EtherNet/IP, Ethernet Powerlink, FINS, FOUNDATION Fieldbus, GE SRTP, HART Protocol, Honeywell SDS, HostLink, InterbusS, Mechatrolink, MelsecNet, Modbus, Optomux, Profibus, Profinet IO, SERCOS, Sinec H1, SynqNet, TTEthernet, RAPIEnet, MTConnect, OPC DA, OPC HDA, OPC UA
     Building automation: BACnet, C-Bus, DALI, DSI, Insteon, ISO/IEC 14543-3-1 (KNX), ISO/IEC 14908.1 (LonTalk), oBIX, VSCP, X10, xAP, xPL, ZigBee
     Utilities and grid: DNP3, IEC 60870, IEC 60870-5, IEC 60870-6, IEC 61850, IEC 62351, ANSI C12.18, DLMS/IEC 62056, IEC 61107, ISO/IEC 14908.1, M-Bus
     Vehicles and transport: AFDX, ARINC 429, ARINC 825, FlexRay, FMS, IEBus, ISO/IEC 14908.1, J1587, J1708, Keyword Protocol 2000, LIN, MOST, NMEA 2000, SAE J1939, Unified Diagnostic Services, VA
  13. On-Ramps to IoT Networks (diagram)
     • Device media: power line, twisted pair, RF, BLE, native Ethernet, native Wi-Fi
     • On-ramps: PHY and/or protocol converters; native Ethernet and Wi-Fi devices attach directly
     • Site sizes: small site with cellular backhaul; medium/large site
     • Form factors: indoor, ruggedized, Class 1 Division 1 (hazardous location)
  14. Authentication
     • Validates the authenticity of endpoints accessing and using the network
     • Methods: 802.1X with RADIUS authentication; MAC authentication; MAC authentication followed by 802.1X; captive portal for clients
     • MAC authentication protects headless devices
     • Single- and two-factor challenges
     • Managed by Aruba controllers, virtual controllers and ClearPass Access Management, alone or with existing AAA resources
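The MAC-authentication path listed on this slide, worked through as an added example (this is not Aruba or ClearPass code). The NAS side (access point or switch) builds an RFC 2865 Access-Request with the client MAC as both User-Name and User-Password, the policy-server side reveals the password, checks a registered-device table and answers with an Access-Accept or Access-Reject, and the NAS verifies the Response Authenticator so a forged Accept on the wire is not enough. The shared secret, the "001122334455" User-Name form, the MAC-to-role table and every MAC are constructed for the example. The caveat the slide leaves out: a MAC address is trivially spoofed, so MAC authentication identifies a headless device but does not strongly authenticate it, which is why the role it maps to should be as narrow as the device's job.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"strings"
)

// RADIUS codes and attribute types (RFC 2865).
const (
	codeAccessRequest, codeAccessAccept, codeAccessReject = 1, 2, 3
	attrUserName, attrUserPassword                        = 1, 2
)

type attribute struct{ Type byte; Value []byte }

// packet is the subset of a RADIUS datagram needed for MAC authentication.
type packet struct {
	Code, Identifier byte
	Authenticator    [16]byte
	Attributes       []attribute
}

// encode lays the packet out as Code, ID, Length, Authenticator, then TLV attributes.
func (p *packet) encode() []byte {
	var body bytes.Buffer
	for _, a := range p.Attributes {
		body.Write(append([]byte{a.Type, byte(2 + len(a.Value))}, a.Value...))
	}
	out := make([]byte, 20+body.Len())
	out[0], out[1] = p.Code, p.Identifier
	binary.BigEndian.PutUint16(out[2:4], uint16(len(out)))
	copy(out[4:20], p.Authenticator[:])
	copy(out[20:], body.Bytes())
	return out
}

// xorChain is the RFC 2865 section 5.2 User-Password transform: each 16-byte block is
// XORed with MD5(secret || chain), chain being the Request Authenticator for the first
// block and the previous hidden block after that. hiding selects the direction.
func xorChain(secret string, reqAuth [16]byte, in []byte, hiding bool) []byte {
	buf := make([]byte, (len(in)+15)/16*16) // zero-padded to a multiple of 16
	copy(buf, in)
	out, chain := make([]byte, len(buf)), reqAuth[:]
	for i := 0; i < len(buf); i += 16 {
		mask := md5.Sum(append([]byte(secret), chain...))
		for j, m := range mask {
			out[i+j] = buf[i+j] ^ m
		}
		if chain = buf[i : i+16]; hiding {
			chain = out[i : i+16]
		}
	}
	return out
}

// buildMACAuthRequest is the NAS side: a headless device has no credential but its
// MAC, which is sent as both User-Name and User-Password (constructed "001122334455" form).
func buildMACAuthRequest(secret string, id byte, mac string) (*packet, error) {
	p := &packet{Code: codeAccessRequest, Identifier: id}
	if _, err := rand.Read(p.Authenticator[:]); err != nil {
		return nil, err
	}
	m := []byte(strings.ToLower(strings.NewReplacer(":", "", "-", "", ".", "").Replace(mac)))
	p.Attributes = []attribute{{attrUserName, m}, {attrUserPassword, xorChain(secret, p.Authenticator, m, true)}}
	return p, nil
}

// responseAuthenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
func responseAuthenticator(secret string, reqAuth [16]byte, resp *packet) [16]byte {
	raw := resp.encode()
	copy(raw[4:20], reqAuth[:])
	return md5.Sum(append(raw, secret...))
}

// authoriseMAC is the policy-server side: reveal the password, require it to equal
// User-Name, look the MAC up in the registered-device table (MAC -> role, constructed)
// and answer with an Access-Accept or Access-Reject carrying a Response Authenticator.
func authoriseMAC(secret string, req *packet, registered map[string]string) (*packet, string) {
	// Attributes in the order buildMACAuthRequest emits them; a real server searches by type.
	name, hidden := req.Attributes[0].Value, req.Attributes[1].Value
	resp, role := &packet{Code: codeAccessReject, Identifier: req.Identifier}, ""
	pw := bytes.TrimRight(xorChain(secret, req.Authenticator, hidden, false), "\x00")
	if r, ok := registered[string(name)]; ok && subtle.ConstantTimeCompare(name, pw) == 1 {
		resp.Code, role = codeAccessAccept, r
	}
	resp.Authenticator = responseAuthenticator(secret, req.Authenticator, resp)
	return resp, role
}

// verifyResponse is the NAS check that the reply was made by a holder of the shared
// secret for exactly this request; without it a forged Accept on the wire would do.
func verifyResponse(secret string, reqAuth [16]byte, resp *packet) bool {
	want := responseAuthenticator(secret, reqAuth, resp)
	return subtle.ConstantTimeCompare(want[:], resp.Authenticator[:]) == 1
}
```

Drive it from a main or test by calling buildMACAuthRequest, authoriseMAC and verifyResponse in turn with the same secret on both sides; a reply built with a different secret fails verifyResponse even though it is a well-formed Access-Reject.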
  15. Encryption
     • Protects packet contents and traffic patterns
     • Prevents undetected data substitution
     • Suite B encryption certified for government, foreign-releasable information, US-only information and Sensitive Compartmented Information
     • Managed by Aruba controllers and virtual controllers
     • Algorithms: AES-CTR, AES-CCMP, AES-GCM, ECDSA, ECDH, SHA-2
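The Suite B primitives listed on the slide, composed into a worked example added here (not Aruba code). Each endpoint holds an ECDSA P-256 identity key, signs a per-session ECDH P-256 ephemeral key so the peer can tell a genuine device from an impostor, derives an AES-256-GCM session key from the shared secret with HKDF-SHA256, and seals each reading with the device ID and sequence number as associated data. The key names, the "iot-telemetry-v1" label, the device IDs and the nonce layout are this example's own choices, and it assumes Go 1.20 or later for crypto/ecdh. The caveat behind the slide's "prevents undetected data substitution" bullet: only the authenticated modes on the list (CCMP, GCM) give that property; AES-CTR alone does not, since flipping ciphertext bits flips plaintext bits without any check failing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// party is one endpoint: a long-term ECDSA P-256 identity key (provisioned out of
// band, the "establish authenticity" step) and a fresh ECDH P-256 key per session.
type party struct {
	ident *ecdsa.PrivateKey
	eph   *ecdh.PrivateKey
}

func newParty() (*party, error) {
	id, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	e, err2 := ecdh.P256().GenerateKey(rand.Reader)
	return &party{id, e}, errors.Join(err, err2)
}

// hello is what each side sends: its ephemeral public key signed by its identity key.
type hello struct{ pub, sig []byte }

func (p *party) sayHello() (hello, error) {
	pub := p.eph.PublicKey().Bytes()
	digest := sha256.Sum256(pub)
	sig, err := ecdsa.SignASN1(rand.Reader, p.ident, digest[:])
	return hello{pub, sig}, err
}

// hkdfSHA256 is RFC 5869 extract-then-expand for n <= 32 bytes, written out here
// because only the HMAC primitive is in the standard library.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)[:n]
}

// sessionKey verifies the peer's signed ephemeral key against the identity key we
// were provisioned with, runs ECDH and derives the 256-bit AES-GCM session key.
func (p *party) sessionKey(peerIdent *ecdsa.PublicKey, h hello) ([]byte, error) {
	digest := sha256.Sum256(h.pub)
	if !ecdsa.VerifyASN1(peerIdent, digest[:], h.sig) {
		return nil, errors.New("ephemeral key not signed by the expected identity")
	}
	peerPub, err := ecdh.P256().NewPublicKey(h.pub)
	if err != nil {
		return nil, err
	}
	shared, err := p.eph.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	return hkdfSHA256(shared, nil, []byte("iot-telemetry-v1"), 32), nil
}

// aad binds device ID and sequence number to the ciphertext: both travel in the clear,
// but a change to either, or to the ciphertext itself, fails authentication on receipt.
func aad(devID string, seq uint64) []byte {
	return binary.BigEndian.AppendUint64([]byte(devID), seq)
}

// gcm returns AES-256-GCM and a 96-bit nonce built from seq; a sequence number must
// never repeat under one session key, which is why the key is per session.
func gcm(key []byte, seq uint64) (cipher.AEAD, []byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	g, err := cipher.NewGCM(blk)
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return g, nonce, err
}

func sealReading(key []byte, devID string, seq uint64, reading []byte) ([]byte, error) {
	g, nonce, err := gcm(key, seq)
	if err != nil {
		return nil, err
	}
	return g.Seal(nil, nonce, reading, aad(devID, seq)), nil
}

func openReading(key []byte, devID string, seq uint64, ct []byte) ([]byte, error) {
	g, nonce, err := gcm(key, seq)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad(devID, seq))
}
```

Run the handshake from a main or test: create two parties, exchange sayHello messages, derive the key on each side with the other side's identity public key, then sealReading on the device and openReading on the controller. A reading replayed under another sequence number, re-attributed to another device ID, or altered by one bit fails openReading, and a hello signed by an unknown identity fails sessionKey before any data is accepted.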
  16. Secure Tunnels
     • Ensure that device data are delivered to a known, safe destination over a secure transport
     • Control where, and with which other devices, communication is permitted
     • Limit the collateral damage from a compromised device
     • Block malicious control nodes from compromising other devices
     • Devices with native IPsec support can tunnel directly to Aruba controllers
     • Windows, iOS and Android mobile devices can tunnel using the Aruba VIA or Suite B client
     • Transports: IPsec ESP, IPsec GRE, xSec, VPN, VIA client
  17. Roles
     • Role-based enforcement controls devices and users based on identity
     • The role is applied during the authentication process, before network access is allowed
     • Works with headless, intelligent, stationary and mobile devices
     • Manages network privileges, with automatic blacklisting on violation
     • Blocks malicious control nodes from compromising other devices
     • Plugs gaps created by outdated port-based enforcement
     • Criteria: identity and location; applications in use; source and destination of traffic; service type; time of day; device state
     • Actions: permit, deny, redirect, log, QoS
  18. Policies
     • Inputs: device or user profile; identity store attributes; device health; MDM posture; application firewall status; SIEM analysis
     • Policy enforcement governs how, when and where networks can be accessed
     • A holistic approach to threat prevention operates at the device, network edge, application and northbound Internet levels
     • ClearPass discovers and classifies all endpoints, regardless of type
     • Shares policies and threat notifications with MDM, MAM and firewall platforms
     • ClearPass plus partner solutions establish multiple points of enforcement, addressing threat scenarios at every network level
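Role-based enforcement as described on slides 17 and 18, as an added example (not Aruba or ClearPass configuration). A flow carries the role assigned at authentication plus destination, port, application, time of day and device posture; rules are matched per role, first match wins and no match is an implicit deny; a failed posture swaps the device's role for quarantine rules; and repeated denies blacklist the device, the slide's "automatic blacklisting on violation". The roles, subnets, hour windows and the three-strike threshold are constructed. The contrast with port-based enforcement is visible in the rules: non-Modbus traffic on TCP 502 is denied because the application, not just the port, is what the rule matches.

```go
package main

import (
	"net/netip"
	"time"
)

type Action string

const (
	Permit   Action = "permit"
	Deny     Action = "deny"
	Redirect Action = "redirect" // e.g. to a captive portal or a remediation server
)

// Flow is the context available at enforcement time: the attributes the slide lists
// (identity as role, destination, service, application, time of day, device state).
type Flow struct {
	Device  string // endpoint identifier, used for strike counting
	Role    string // role assigned during authentication
	Dst     netip.Addr
	Port    uint16
	App     string // application classification, e.g. "modbus"
	At      time.Time
	Healthy bool // posture from MDM or an endpoint agent
}

// Rule matches on destination network, port, application and an hour-of-day window.
type Rule struct {
	DstNet   netip.Prefix
	Port     uint16 // 0 = any
	App      string // "" = any
	From, To int    // hours [From, To); 0 and 24 = any time
	Action   Action
}

func (r Rule) matches(f Flow) bool {
	if !r.DstNet.Contains(f.Dst) || (r.Port != 0 && r.Port != f.Port) || (r.App != "" && r.App != f.App) {
		return false
	}
	h := f.At.Hour()
	return h >= r.From && h < r.To
}

// Policy holds per-role rules, the quarantine rules that replace a device's role when
// its posture fails, and the strike counter behind automatic blacklisting.
type Policy struct {
	Roles      map[string][]Rule
	Quarantine []Rule
	MaxStrikes int
	Blacklist  map[string]bool
	strikes    map[string]int
}

func NewPolicy(maxStrikes int) *Policy {
	return &Policy{Roles: map[string][]Rule{}, MaxStrikes: maxStrikes,
		Blacklist: map[string]bool{}, strikes: map[string]int{}}
}

// Evaluate applies the first matching rule; no match is an implicit deny. Every deny
// is a strike, and a device that reaches MaxStrikes is blacklisted for all traffic.
func (p *Policy) Evaluate(f Flow) Action {
	if p.Blacklist[f.Device] {
		return Deny
	}
	rules := p.Roles[f.Role]
	if !f.Healthy {
		rules = p.Quarantine
	}
	act := Deny
	for _, r := range rules {
		if r.matches(f) {
			act = r.Action
			break
		}
	}
	if act == Deny {
		if p.strikes[f.Device]++; p.strikes[f.Device] >= p.MaxStrikes {
			p.Blacklist[f.Device] = true
		}
	}
	return act
}

// PlantPolicy is a constructed example policy, not Aruba configuration: PLCs talk Modbus
// to the historian only, contractors reach the PLC subnet on Modbus in working hours,
// guests are redirected to the captive portal, and unhealthy devices to remediation.
func PlantPolicy() *Policy {
	p := NewPolicy(3)
	net := netip.MustParsePrefix
	p.Roles["plc"] = []Rule{{net("10.0.20.10/32"), 502, "modbus", 0, 24, Permit}}
	p.Roles["contractor"] = []Rule{{net("10.0.10.0/24"), 502, "modbus", 8, 18, Permit}}
	p.Roles["guest"] = []Rule{{net("0.0.0.0/0"), 80, "", 0, 24, Redirect}}
	p.Quarantine = []Rule{{net("10.0.99.0/24"), 0, "", 0, 24, Redirect}}
	return p
}

// Addr and At build flow fields for demos and tests (At fixes the date to the ATM16 week).
func Addr(s string) netip.Addr { return netip.MustParseAddr(s) }
func At(hour int) time.Time    { return time.Date(2016, 3, 8, hour, 0, 0, 0, time.UTC) }
```

Exercise it by building Flows against PlantPolicy(): a contractor tablet gets Permit for Modbus to the PLC subnet at 10:00 and Deny at 22:00, a PLC probing the contractor subnet on SMB gets Deny, an unhealthy PLC gets Redirect regardless of its role, and a device that collects three denies is answered with Deny from then on even for traffic its role would otherwise permit.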
  19. On-Boarding Mobile Devices (diagram): ClearPass unified policy for wireless and wired security, combining Profiler, EMM/MDM, NAC, TACACS, RADIUS, Guest and Device Registration with identity sources (AD/LDAP, SQL, Token, PKI)
  20. Enforcing Policies on Mobile Devices (diagram): MobileIron MDM & MAM endpoint data is replicated to the ClearPass cluster; ClearPass polls device type and posture for policy decisions and reporting; a RADIUS Change of Authorization (CoA) triggers network enforcement
  21. Enforcing Application & Internet Policies (diagram): Aruba ClearPass, controllers and switches supply device type and user identity (identity and context); the Palo Alto Networks Next-Generation Firewall supplies application and user identity (applications and threats)
  22. Analytics: The New Bacon
     • Analytics uses mathematics, statistics, machine learning and predictive modeling to discover patterns
     • Predictive attack, risk and network analytics provide integrated threat defense and data-driven intelligence about abnormal behavior, potential attack vectors and coverage gaps
     • Business analytics improves processes and decision-making using trusted data extracted from connected devices
     • Analytics partners offer low-latency transaction rates, streaming data collection and real-time visualization
     • Areas: trust enhancement; predictive threat modeling; gap and risk analyses; descriptive analytics; inferential analytics; business intelligence
  23. Derived Data
     • The very process of securing, connecting and monitoring devices, applications, users and location generates unique contextual information that can be mined
     • Example, location:
       Intended: IoT beacons guide a maintenance engineer to a machine for service
       Extended: time on site informs the billing system to validate hourly charges
       Observed: the travel path informs time-and-motion analytics for improved efficiency
       Inferred: an extended duration triggers a man-down safety alert
  24. Example: Legacy Device Security
     Security analytics engine:
     • Builds a top-down model of the IoT network using Layer 2 data: network paths and security gaps
     • Identifies the scope and impact of potential breaches
     • Generates a prioritized set of actions for newly exposed gaps
     • The process is repeated for adds, moves and changes
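The core computation behind a security analytics engine of this kind, as an added example (not the partner product's code). From Layer 2 data, here VLAN membership and the inter-VLAN paths the network permits, it computes the blast radius of each untrusted device by breadth-first search, lists the legacy critical devices that are reachable, and orders them by how many untrusted sources reach them, so the head of the list is the prioritised action set. The topology is constructed; the rule that an untrusted device can be used as a pivot while a trusted, role-enforced one cannot is the example's own simplification. Re-running Gaps after an add, move or change is the slide's last bullet.

```go
package main

import "sort"

// Device is one node of the Layer 2 model: its VLAN, whether it is authenticated and
// role-enforced (trusted), whether it is legacy kit with no authentication or
// encryption of its own, and whether its compromise would stop operations.
type Device struct {
	Name     string
	VLAN     int
	Trusted  bool
	Legacy   bool
	Critical bool
}

// Model is the inventory plus the inter-VLAN paths the network permits (routed
// segments with no blocking ACL), as ordered (from, to) VLAN pairs.
type Model struct {
	Devices []Device
	Routes  map[[2]int]bool
}

// adjacent: a reaches b directly, inside one broadcast domain or over a permitted route.
func (m *Model) adjacent(a, b Device) bool {
	return a.VLAN == b.VLAN || m.Routes[[2]int{a.VLAN, b.VLAN}]
}

// Reachable is the blast radius of a compromise of start: a breadth-first search that
// pivots through untrusted devices (assumed compromisable) but not through trusted ones.
func (m *Model) Reachable(start string) map[string]bool {
	byName := map[string]Device{}
	for _, d := range m.Devices {
		byName[d.Name] = d
	}
	seen := map[string]bool{start: true}
	for queue := []string{start}; len(queue) > 0; queue = queue[1:] {
		cur := byName[queue[0]]
		if cur.Trusted && cur.Name != start {
			continue
		}
		for _, d := range m.Devices {
			if !seen[d.Name] && m.adjacent(cur, d) {
				seen[d.Name] = true
				queue = append(queue, d.Name)
			}
		}
	}
	return seen
}

// Gap is a legacy, critical device and the untrusted devices that can reach it.
type Gap struct{ Device string; Sources []string }

// Gaps lists exposed legacy critical devices, most exposed first, so the head of the
// list is the prioritised action set (isolate the device, add an ACL, or move it).
func (m *Model) Gaps() []Gap {
	exposed := map[string][]string{}
	for _, src := range m.Devices {
		if src.Trusted {
			continue
		}
		reach := m.Reachable(src.Name)
		for _, d := range m.Devices {
			if d.Name != src.Name && d.Legacy && d.Critical && reach[d.Name] {
				exposed[d.Name] = append(exposed[d.Name], src.Name)
			}
		}
	}
	gaps := make([]Gap, 0, len(exposed))
	for name, srcs := range exposed {
		sort.Strings(srcs)
		gaps = append(gaps, Gap{name, srcs})
	}
	sort.Slice(gaps, func(i, j int) bool {
		if a, b := len(gaps[i].Sources), len(gaps[j].Sources); a != b {
			return a > b
		}
		return gaps[i].Device < gaps[j].Device
	})
	return gaps
}

// PlantModel is a constructed topology, not customer data: guest laptops share flat
// VLAN 10 with a legacy PLC, contractor VLAN 30 has a routed path into control VLAN 20,
// and the historian is the only trusted, role-enforced endpoint.
func PlantModel() *Model {
	return &Model{
		Devices: []Device{
			{"guest-laptop", 10, false, false, false},
			{"plc-1", 10, false, true, true},
			{"plc-2", 20, false, true, true},
			{"historian", 20, true, false, true},
			{"contractor-tablet", 30, false, false, false},
		},
		Routes: map[[2]int]bool{{30, 20}: true},
	}
}
```

On the constructed topology Gaps() reports plc-1 (reachable from the guest laptop on the shared VLAN) and plc-2 (reachable from the contractor tablet over the routed path). Opening a route from VLAN 10 into VLAN 20 moves plc-2 to the top of the list with three sources, including the already-exposed plc-1 as a pivot; moving plc-1 to its own VLAN and re-running Gaps() removes it from the list.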
  25. Example: Predictive Failure Monitoring
     A data hub monitors device performance and flags anomalies and proactive service notifications
     • Real-time advanced streaming analytics
     • Universal low-latency messaging
     • In-memory processing
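Anomaly flagging of the kind the data hub on this slide performs, as an added example (not the partner product's code). A streaming monitor keeps Welford's running mean and variance per metric in memory, scores each new sample as a z-score against the baseline learned so far, keeps anomalies out of the baseline so one spike cannot hide the next, and raises a proactive service notification when anomalies cluster within a short window. The thresholds, window sizes and the baseline samples are constructed.

```go
package main

import "math"

type Verdict int

const (
	Normal     Verdict = iota
	Anomaly            // one sample far outside the learned baseline
	ServiceDue         // Burst anomalies within Window samples: proactive service notification
)

// Monitor keeps Welford's running mean and variance for one device metric, so each
// sample is scored as it streams in and nothing is stored beyond Window anomaly flags.
type Monitor struct {
	n        int
	mean, m2 float64
	recent   []bool
	Warmup   int     // samples used to learn the baseline before scoring starts
	Sigma    float64 // z-score beyond which a sample is an anomaly
	Window   int     // number of recent anomaly flags remembered
	Burst    int     // anomalies within Window that trigger ServiceDue
}

func NewMonitor(warmup int, sigma float64, window, burst int) *Monitor {
	return &Monitor{Warmup: warmup, Sigma: sigma, Window: window, Burst: burst}
}

// Score returns the z-score of x against the baseline; ok is false during warm-up.
func (m *Monitor) Score(x float64) (z float64, ok bool) {
	if m.n < m.Warmup || m.n < 2 {
		return 0, false
	}
	sd := math.Sqrt(m.m2 / float64(m.n-1))
	if sd == 0 { // constant baseline: any deviation at all is an anomaly
		sd = math.SmallestNonzeroFloat64
	}
	return (x - m.mean) / sd, true
}

// Observe scores x, records the flag, and folds x into the baseline only if it was
// normal, so one spike cannot poison the statistics used to judge the next sample.
func (m *Monitor) Observe(x float64) Verdict {
	v := Normal
	if z, ok := m.Score(x); ok {
		if math.Abs(z) > m.Sigma {
			v = Anomaly
		}
		m.recent = append(m.recent, v == Anomaly)
		if len(m.recent) > m.Window {
			m.recent = m.recent[1:]
		}
		count := 0
		for _, f := range m.recent {
			if f {
				count++
			}
		}
		if v == Anomaly && count >= m.Burst {
			v = ServiceDue
		}
	}
	if v == Normal {
		m.n++
		d := x - m.mean
		m.mean += d / float64(m.n)
		m.m2 += d * (x - m.mean)
	}
	return v
}
```

Feed a monitor a warm-up run of readings that hover around 50, then a mix of in-range values and spikes near 80: each spike is reported as Anomaly, and the third spike inside the window is reported as ServiceDue while the in-range readings in between remain Normal and the baseline still sits at about 50.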
  26. Pulling It All Together into a Trusted IoT Vision (diagram; labels: meters, sensors, PLCs, contractors; Virtual AP 1 (control) and Virtual AP 2 (guest); captive portal; role-based access, access rights, access control; secure tunnel to DMZ; RADIUS, LDAP, AD; ClearPass; Palo Alto Networks firewall; MobileIron MDM; ArcSight SIEM; analytics ecosystem)
  27. Summary
     • Aruba and its IoT partners deliver a trust-based Internet of Things
     • An open architecture secures devices, data sources and transport mechanisms
     • Enables decision making and business intelligence based on trusted data
     • Real-time analytics continuously verify compliance
     • Field-proven products for commercial, industrial and governmental applications
     • Works with stationary and mobile, new and legacy devices
  28. Resources: Aruba IoT web page; Connect-and-Protect white paper; ArubaEdge IoT partner web page; HPE IoT web page
  29. Join Aruba's Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is. Share your results with friends and receive a free superpower t-shirt.
  30. Thank you