Protecting Our Cyber-Identity in a Physical and Virtual World for IoT Ecosystem

We live and work in a cyber-world where our physical entity and logical identities are disjointed and vulnerable. We don’t know how our logical identity and data are being accessed, or by whom. With the advent of IoT and the “Digitization of All Things” business, and the proliferation of data, there is even more exposure of this logical persona and more potential for a breach.
In this presentation we discuss, with consideration to IoT:

- What really is at stake in terms of enterprise risk, security and privacy
- What challenges are experienced and what security controls can be put in place
- What tangible security solutions exist and can be used in an IoT world

For more information, please visit http://cainc.to/Nv2VOe

Published in: Technology

  1. Protecting Our Cyber-Identity in a Physical and Virtual World for IoT Ecosystem. Valmiki Mukherjee, Cognizant Chief Security Architect (@valmikim); Gautam Dev, Cognizant Venture Leader. Security, session SCX09S. #CAWorld
  2. © 2015 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
     Abstract: We live and work in a cyber-world where our physical entity and logical identities are disjointed and vulnerable. We don’t know how our logical identity and data are being accessed, or by whom. With the advent of IoT and the “Digitization of All Things” business, and the proliferation of data, there is even more exposure of this logical persona and more potential for a breach. In this presentation we discuss, with consideration to IoT:
     • What really is at stake in terms of enterprise risk, security and privacy
     • What challenges are experienced and what security controls can be put in place
     • What tangible security solutions exist and can be used in an IoT world
     Speakers: Gautam Dev, Cognizant Venture Leader; Valmiki Mukherjee, Cognizant Chief Security Architect
  3. Agenda
     • Internet of (Secure/Insecure) Things
     • Why Is IoT Important and Why Act Now
     • Opportunities for Improving IoT Security
     • IoT and Security at Crossroads
     • Building Security Controls into IoT Ecosystem
     • Comprehensive and Converged Security - SMaaS
  4. For Informational Purposes Only: Terms of this Presentation. © 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
  5. What is Internet of Things. The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. (Credit: engineering.com)
  6. IoT Technical Definition. Let’s look at how ITU-T Y.2060 defines the IoT:
     • IoT: a “global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.”
     • Device: ...“a piece of equipment with the mandatory capabilities of communication and the optional capabilities of sensing, actuation, data capture, data storage and data processing.”
     • Thing: …“an object of the physical world (physical things) or the information world (virtual things), which is capable of being identified and integrated into communication networks.”
     Source: ITU-T Y.2060
  7. Why do we Care About IoT? If you think you are already living in a connected world, think harder… Chances are that we have underestimated the size and scale of the things to come – with IoT! We are heading towards a hyperconnected world that we have never lived in or seen before. (Credit: IDC/McKinsey Analysis, Information Week)
  8. So we have - Internet of (Insecure) Things?
     IoT was not Made for Security:
     • Constituents of the IoT universe are wildly diverse, ranging from simple to very complex
     • These devices were not made with security in mind, or not today’s security in mind
     • Fixed-function devices built to perform a specific task
     • Despite connectivity, reaching IoT devices for anything such as a security update is tough
     Security was not Made for IoT:
     • Enterprise security is typically multilayer/multicomponent
     • Enterprise security is also oriented towards PCs and servers, and won’t even run on IoT devices
     • Basic protective components such as firewalls are absolutely absent from embedded devices
     • IoT devices rely on basic authentication mechanisms and security protocols
  9. Internet of Things – Risks and Rewards. Organizations feel thoroughly underprepared for IoT Security. Major concerns with IoT:
     • Does not implement sufficient security
     • IT Department is not aware of IoT at Workplace
     • IoT has reduced Privacy
     • Cyberattack through hyper connected IoT devices
     Credit: ISACA Survey on Security in IoT
  10. What is the Risk with IoT Devices? Understanding the underlying problem with the IoT ecosystem:
     • Critical functionality: Embedded devices in IoT are not only about smart watches and fitness devices; they manage and monitor critical infrastructure in industry and public life.
     • Replication: Embedded devices are mass produced and typically similarly configured, hence if a vulnerability is exploited, it is easy to carry out large-scale attacks.
     • Security assumptions: Embedded device engineers rarely have a security background, and no one historically has assumed that they would be targets of a cyberattack - not cool!
     • Not easily patched: They are neither easily patched nor upgraded; in fact they have a very minimal computing and storage footprint, which is designed for efficiency and longevity.
     • Long lifecycle: Embedded devices in the IoT ecosystem are designed to last, while the vulnerabilities in cyberspace change every day.
     • Proprietary/industry-specific protocols: Embedded devices often use specialized protocols that are not recognized and protected by enterprise security tools. Traditional security components are not designed for such protocols.
     • Deployed outside of enterprise security perimeter: Many embedded devices are mobile or are deployed in the field. As a result, these devices may be directly connected to the Internet with none of the protections found in a corporate environment.
  11. Understanding the IoT Ecosystem Security Protocols: Mapping Enterprise Security Components to IoT – Device Identity Interaction. [Diagram; labels as extracted] Device Bootstrapping; Device Registration; Pub/Sub; Device Access; Owner; Device AuthN/AuthZ; Device Management; Data/Policy Check; LWM2M / CoAP / credentials / attributes / certs / JWTs; OAuth2 / JWT / cert AuthN / scope / token validity; Data Application and Management; user registration (REST / JSON); 3rd party registration (OAuth2 / OIDC); 3rd party data sharing (OAuth2 / OIDC); APIs / OAuth2; APIs (REST / JSON)
  12. Risks Associated with IoT: How identity could be the key thread. [Diagram; labels as extracted]
     • Enterprise Users as Consumers: Consumer IoT, User Privacy Risk
     • Enterprise Users as Employees: Enterprise/Industrial IoT, Enterprise Risk
     • Enterprise Users as Admins/Privileged Users: IoT Administration, Infrastructure Risk
     • Identity, Activity, Access
     • PII Exposure; Malicious Access to personal data; Malicious usage of sensor and information; Unintended Malicious use of Admin Access
  13. Integrated View of IoT Security Controls. IoT security controls need to span the device itself as well as the environment that the device operates within. Also, this should be included in the overall cybersecurity program with a converged view of all domains interacting with the IoT devices. [Figure: CSA Proposed IoT Controls Guidance. Credit: CSA IoT Workgroup]
  14. Top Recommendations for IoT Security Controls
     1. Analyze privacy impacts to stakeholders and adopt a Privacy-by-Design approach to IoT development and deployment
     2. Apply a Secure Systems Engineering approach to architecting and deploying a new IoT System
     3. Implement layered security protections to defend IoT assets
     4. Implement data protection best-practices to protect sensitive information
     5. Define lifecycle controls for IoT devices
     6. Define and implement an authentication/authorization framework for the organization’s IoT Deployments
     7. Define and implement a logging/audit framework for the organization’s IoT ecosystem
  15. Security Solution Framework for Recommended Controls: From Controls to a Practical Solution. A comprehensive and converged view of security solution for the IoT ecosystem. [Diagram; column headings as extracted: Control Solution; Infrastructure Protection; Identity and Access Control; Common Data Exchange Interface]
     • Integrate IoT into existing IAM and GRC platforms
     • Change default passwords for administrative access
     • AAA schemes based on system-level threat models
     • Utilize smart phones for multifactor authentication
     • Reference architecture with ITU-T Y.2060
     • PKI updates with rollout of device certificates
     • Provide consumer preference and consent management
     • Integrate Physical Access Control Systems with IAM
     • Restrictive controls for device transactions
     • Implement Privileged Access Mgmt. for administrators
     • Develop a well-articulated Incident Response Plan
     • Establish people and device relationships
     • Monitor devices and their usage behavior
     • Develop context-based AAA for sensor nodes
     • Leverage IoT standards/protocols for security controls
     • Use entity analytics to fine-tune control measures
     • Build secure default configuration
     • Enable kill switches to take rogue devices off the network
  16. Cognizant’s Answer to Today’s Risk Landscape: Help Current Technologies Run Better. [Diagram; labels as extracted] IAM; Data Protection; Application Security; Audit & Logging Management; Integrated Threat & Vulnerability Management; Entity, Access and Activity Warehouse; User & Resource Behavior Profiling; Anomaly Detection and Self Learning; Integrated Threat Engine; Identity Centric Access Analytics; Enterprise Policy Enforcement; Governance Risk and Compliance; Actionable Risk Prevention and Remediation; Real time Activity Monitoring; Risk Based Decision Support and 360° Validation
  17. SMaaS Suite Technology Components: Critical Packs Powered by CA Security Solutions. [Diagram; labels as extracted] Id Intelligence Pack Access Pack Federation Pack Control Pack Actionable Risk Intelligence Risk Based Fine-grained Access Mgmt. Industry Wide Trusted IdP & SP Services Bottom Up GRC Policy Enforcement Anomaly Detection Behavioral Patterns Predictive Self Learning Threat Intelligence Enterprise Policies Certified User Access Dynamic Access Policies Finegrained Authorization Policy SMaaRT Role Based Access Control Risk Based Access Control Identity Proofed Users SP and IdP Services Standards based Federated SSO Cloud and on Premise integration Multifactor and Risk based AuthN/AuthZ Pre-packaged Compliance Standards Integrated Policy Management Framework Bottom up Policy mapping and enforcement Actionable GRC Index Identity Activity and Access Warehouse Certified and Trusted Users and Entitlements Certified and Trusted Users and Entitlements Controls and Policy Repository Data Pack Risk based Data Protection Data at rest Protection (obfuscation & encryption) Realtime and Runtime data protection Data desensitization and redaction Application based data solutions Data Controls and Access Policy Repository End Point Pack Risk based End Point Protection Cyber Threat Intelligence Asset Inventory and Policy Repository Endpoint System Management Advanced Threat Prevention Endpoint Remediation Endpoint Incident Response
  18. Next Generation MSSP Follows Assurance. [Diagram; labels as extracted] Traditional MSSP Model Follow Operations Supported by Cognizant Security Assurance Center Model Security Operations Center Security Assurance Center Focus on Assurance based on Prevention and Remediation IT Security Assurance Services Data Assurance Service NextGen SOC Services GRC Assurance Services Application Security Maturity Center Risk Prevention and Information Security Platforms SMaaS Data Obscure Realtime Assurance Dashboards C-Level Dashboard Operational Dashboard Investigative Dashboard Analyst Dashboard Customer IT and Security Operations Data Authoritative Sources Application Data Security Data IT Infra Data
  19. Summary: A Few Words to Review
     • IoT Security needs comprehensive support: IoT is an ecosystem, and there needs to be conscious and concerted support towards convergence of security protocols and approaches. Cognizant and CA combined have a comprehensive solution.
     • IoT Security is a key issue and a real challenge: IoT devices and the ecosystem were not built with security in mind. Enterprise security needs to be adapted to embrace IoT.
     • IoT Security can be improved significantly: IoT security can be significantly improved by partnering with device engineers and supporting the ecosystem by adopting a converged security view with identity at the center.
  20. About Cognizant
  21. Who we are
     • Founded in 1994 (CTSH, Nasdaq)
     • Headquarters: Teaneck, NJ
     • 75+ Global Delivery Centers
     • 20,000+ Projects in 40 countries
     • Revenue: $10.26b in 2014 (up 20.4% YOY); Q2 2014 – $2.52b
     • 25+ Regional sales offices
     • Revenue Mix (H1 2014): NA: 76.2%, Europe: 19%, RoW: 4.8%
     • 220,000+ employees (Sep 2015)
     • 1,242 active customers
  22. Security Service Lines. Enterprise Risk and Security Solutions (ERSS) Venture is the EBA Business Unit focused on delivering Security and Risk Management solutions at Cognizant.
     • 10+ Avg. Years Experience; 1300+ Security Consultants; 300+ Project Executed
     • SMaaS; ASMC; Data Obscure
     • 300+ CISA, CISM, CISSP, CEH and vendor certified associates
     • 250+ Network Security trained associates
     • 80+ Data Security Analysis, Architects and Consultants
     • 100+ GRC Vendor Certified Security Analysts, Architects and Consultants
     • Enterprise Partnerships; Service Partnerships
     • Data Security; Security Assessment; Integrated Threat Management; Identity and Access Management; GRC; UMaaS; ACCERT
  23. Credentials in the Market: SMaaS Accreditation; Event Presence; Analyst Briefing; Endorsements
  24. Recommended Sessions (session #, title, date/time)
     • SCT31T: Tech Talk: Knock, Knock – the IoT wants to come in? (11/18/2015 at 03:45 pm)
     • SCT05S: Roadmap: CA Advanced Authentication and CA Single Sign-On (11/18/2015 at 04:30 pm)
     • SCT02S: Keynote: Looking Beyond the Threat (11/19/2015 at 10:30 am)
  25. Must See Demos
     • Security Innovations (Security Theater)
     • Enable a Secure Digital Workspace: CA SSO, APIM (Security Theater)
     • Engage Customers: CA SSO (Security Theater)
     • Protect Against Fraud & Breaches: CA Advanced Auth (Security Theater)
  26. Q & A
  27. For More Information. To learn more, please visit: http://cainc.to/Nv2VOe (CA World ’15)
