OSIS18_IoT: Securing the network of connected objects, by Nicolas LE SAUZE (Nokia)

The principle is to apply dynamic, fine-grained control mechanisms to the communications of connected objects (among themselves or towards the cloud), under the control of the users.


  1. © 2018 Nokia. Securing the network of connected objects. Bell Labs Future-X, Future Spaces project (BL Paris-Saclay & Antwerp). Open Source Innovation Spring (OSIS), Critical IoT track, 2018. Nicolas Le Sauze, Nokia Bell Labs France, IoT Control Research Department Head. 24-05-2018. Public.
  2. Disclaimer. This presentation does not represent the Nokia strategy on IoT, but the vision pursued within an ongoing research project in Bell Labs.
  3. Big problem we want to solve: intuitively secure & organize your connected life (devices, cloud, applications). Who connects to my IPv6 devices? Where does my data go? How do I make X and Y work together? How do I better protect against vulnerabilities?
  4. Future Spaces project: empowering people to seamlessly & safely organize their connected lives.
     Easiness of use & auto-configurability
     • Intuitively and securely manage all your connected assets through simple concepts and UIs
     • Automation support to limit the user's burden
     Fine-grained access control
     • Dynamic fine-grained grouping of all your assets
     • Naturally supporting multiple usage contexts and intents
     Multi-user, multi-party & multi-location
     • Easily discover and interact with third-party assets
     • Securely and temporarily share your assets with others
     Automatic security & privacy protection
     • Strong isolation of assets with automatic policy enforcement
     • Protecting data privacy (e.g. home vs cloud hosting)
     (Figure: usage contexts Work, Home, Family, Health)
  5. Enabling fundamental concepts
     Virtual places (vPlaces), managing all your assets
     • Devices, public/private cloud services, personal content/data, policies, ...
     • Secure access to your assets wherever you go
     Secured vSpaces, contextually organizing multiple assets
     • Grouping of assets across multiple contexts, spanning multiple vPlaces
     • Assisting you with various tasks (e.g. on-boarding a new device, creating an isolated visitor space) through an automation layer and intuitive interfaces
     Advanced network & policy controller
     • Isolating devices and services through a programmable network
     • Multi-stakeholder policy resolution & enforcement
     Improved trust, protecting your assets and interests
     • Monitoring the behavior of all assets, anomaly detection, etc.
     (Figure: two vPlaces hosting vSpace 1: Home, vSpace 2: Visitors and vSpace 3: Work)
  6. Building on current technological transformations
     • Device virtualization: virtualization of network equipment (virtual gateway) & devices (virtual objects) to group multiple locations/devices under a unique managing entity
     • Service cloudification: distributed micro-service deployment and orchestration
     • Automation: business-specific assistants translating users' intents into network control inputs via SDN
  7. Future Spaces Gateways (FSGWs): OpenWRT-based access points to the FS platform
     Physical FSGWs
     • MiFi-like battery-powered devices
     • Home/enterprise WiFi access points
     • DSL/cable/PON modems
     Software FSGWs
     • PC software helping IoT devices in the neighborhood
     • Android app performing WiFi tethering
     (Figure: an FSGW reaching smart devices over IPv6 over BLE, WiFi and Ethernet, managed over https/node.js, with uplink WiFi to open WiFi, hotspots, private WiFi or another FSGW; RADIUS)
  8. An OpenStack-based cloud, an SD-LAN overlay network, & a smart assistant
     • Distributed cloud infrastructure
       - Dual orchestration (VMs + containers)
       - Physical Future Spaces gateways under different form factors
       - Virtual place: collection of interconnected domain resources
     • Automation support
       - Policy support for safe sharing of devices in multi-tenant contexts
       - Pluggable framework for automation processes and business-logic assistants
     • Software-defined LAN
       - Isolation-oriented network slices grouping devices, possibly across domains
       - LAN-like communication within a slice (supporting unicast & multicast traffic across multiple places)
     • Security functions
       - Monitoring/fingerprinting of devices
       - Whitelisting device communications
       - Secured onboarding of guest devices
       - Crowd-sourced device trust evaluation
  9. Simple UIs to safely and intuitively onboard and organize devices: SD-LAN end-user programming.
  10. Example use cases: smart homes & multi-tenant device usage. A travelling user connecting to his home & local environment. (Figure: two sites, "Home sweet home" and "In Antwerpen", attached wired or over WiFi; elements shown: Future Spaces user, controller, Media vSpace, Security vSpace, cloud, MyGW.)
  11. Collaboration with BL security research: automating risk management for (home) IoT devices (1), ongoing work
     Network automation for IoT devices implies automated risk management
     • Network-based traffic blocking must be seen as protective, not as a denial of service
     • Risk management must be based on the sensitivity of individual (non-expert) users
     • Security settings should be intuitive and continuously connected to the device trust assessment
     Limitations of local trust evaluation
     • Local intelligence can detect local abnormal/suspicious behaviors, but
     • it needs an observation period and sufficient local analysis capabilities
     • deviations may be small and not exploitable in the local user context
     • rogue activities are not shared among different networks
     User-friendly trust level classification (level, trust label, scale of the impact: device instances)
     • 1, Suspect, irrelevant: groups of benign devices such as anonymous sensors
     • 2, Average, minor annoyance: devices leaking "funny pictures", gaming environment
     • 3, Good, major annoyance: device hosting data that may harm one's career or personal relations
     • 4, Very Good, life-changing: connected door lock leaving way to a burglar, device hosting crucial financial, health or self-incriminating data
     • 5, Pristine, life-or-death level: critical medical equipment like a connected insulin pump or a pacemaker firmware flashing device
     Leveraging crowd observation to evaluate device (class) trustworthiness
  12. Collaboration with BL security research: automating risk management for (home) IoT devices (2), ongoing work
     Components (FSGW, vPlace, local reports, crowd-based trust evaluation):
     1. TERMS of use specify a "normal" network behavior for each device as designed by the manufacturer (and possibly later further refined by third parties). Example: IETF MUD.
     2. Deviations from the TERMS are monitored locally, reported to a distributed database (e.g. a blockchain) and used globally to build reputations for devices (or classes of devices).
     3. The crowd-sourced reputation system automatically adds/removes devices from vSpaces by comparing the trust expectations of the vSpaces with the current estimated trust of the device.
  13. Possible use cases in various IoT environments
     • Smart home: securing, accessing & sharing your home devices in an IoT world
     • Smart office: integrating guest/IoT/BYOD networks & streamlining WiFi onboarding; facilitating & securing cross-location collaboration in the IoT era
     • Smart industry: secure & easy (remote) maintenance, etc.
     • Smart cities: libraries, train stations, ...: get easy WiFi access to relevant IoT devices & securely link them to your own
     • Smart business: hotels, AirBnB, restaurants, fitness alleys, etc.: how to easily get connected securely & temporarily to foreign devices/services and link them with your own
     • Smart health: temporarily give remote/local access to others (e.g. remote patient/doctor, elderly care, etc.)
  14. Copyright and confidentiality. The contents of this document are proprietary and confidential property of Nokia. This document is provided subject to confidentiality obligations of the applicable agreement(s). This document is intended for use of Nokia's customers and collaborators only for the purpose for which this document is submitted by Nokia. No part of this document may be reproduced or made available to the public or to any third party in any form or means without the prior written permission of Nokia. This document is to be used by properly trained professional personnel. Any use of the contents in this document is limited strictly to the use(s) specifically created in the applicable agreement(s) under which the document is submitted. The user of this document may voluntarily provide suggestions, comments or other feedback to Nokia in respect of the contents of this document ("Feedback"). Such Feedback may be used in Nokia products and related specifications or other documentation. Accordingly, if the user of this document gives Nokia Feedback on the contents of this document, Nokia may freely use, disclose, reproduce, license, distribute and otherwise commercialize the feedback in any Nokia product, technology, service, specification or other documentation. Nokia operates a policy of ongoing development. Nokia reserves the right to make changes and improvements to any of the products and/or services described in this document or withdraw this document at any time without prior notice. The contents of this document are provided "as is". Except as required by applicable law, no warranties of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are made in relation to the accuracy, reliability or contents of this document.
NOKIA SHALL NOT BE RESPONSIBLE IN ANY EVENT FOR ERRORS IN THIS DOCUMENT or for any loss of data or income or any special, incidental, consequential, indirect or direct damages howsoever caused, that might arise from the use of this document or any contents of this document. This document and the product(s) it describes are protected by copyright according to the applicable laws. Nokia is a registered trademark of Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade names of their respective owners.
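The three-step loop of slide 12 (manufacturer TERMS, local deviation monitoring, crowd-sourced reputation compared against a vSpace's trust expectation on the 1 to 5 scale of slide 11) as an added, runnable Python example. This is not code from the deck or from the Future Spaces project: the device class, addresses, flow records, the minimum-reporter rule and the thresholds mapping violation share to a trust level are all constructed assumptions, and the profile format is a simplified stand-in for IETF MUD (RFC 8520), not the RFC's YANG/JSON schema.

```python
"""Added example (not from the slides): a MUD-style allow-list checked locally,
with deviation reports aggregated into a crowd-sourced trust level that a vSpace
compares against its own trust expectation.  All device classes, addresses,
flows, thresholds and the mapping rule are constructed assumptions; the profile
format is a simplified stand-in for IETF MUD (RFC 8520), not the RFC's schema."""
from collections import defaultdict
import ipaddress

# Step 1 (TERMS): the manufacturer's description of "normal" traffic for a
# device class.  Constructed, MUD-inspired: allowed outbound flows only.
MUD_PROFILES = {
    "acme-doorlock-v2": {
        "allow": [
            {"dst": "203.0.113.10/32", "proto": "tcp", "port": 443},  # vendor cloud
            {"dst": "192.168.0.0/16", "proto": "udp", "port": 53},    # local DNS
            {"dst": "192.168.0.0/16", "proto": "udp", "port": 123},   # local NTP
        ]
    }
}

# The user-facing scale of slide 11: 1 = Suspect ... 5 = Pristine.
TRUST_LABELS = {1: "Suspect", 2: "Average", 3: "Good", 4: "Very Good", 5: "Pristine"}


def flow_allowed(profile, flow):
    """True if an observed flow (dst, proto, dport) matches an allow entry."""
    dst = ipaddress.ip_address(flow["dst"])
    return any(
        flow["proto"] == ace["proto"]
        and flow["dport"] == ace["port"]
        and dst in ipaddress.ip_network(ace["dst"])
        for ace in profile["allow"]
    )


def local_deviation_report(device_class, flows):
    """Step 2, gateway side: count flows that leave the TERMS and build the
    report the FSGW would publish to the shared (e.g. ledger-backed) database."""
    profile = MUD_PROFILES[device_class]
    violations = [f for f in flows if not flow_allowed(profile, f)]
    return {
        "class": device_class,
        "observed": len(flows),
        "violations": len(violations),
        "examples": violations[:3],  # enough for a human to see what happened
    }


def crowd_trust_level(reports, min_reporters=3):
    """Step 2/3, global side: turn reports from many networks into a 1..5 trust
    level per device class.  Assumed rule: too few independent reporters means
    the observation period is not over, so the class stays Suspect (level 1);
    otherwise the share of networks that saw any violation sets the level."""
    by_class = defaultdict(list)
    for report in reports:
        by_class[report["class"]].append(report)
    levels = {}
    for cls, rs in by_class.items():
        if len(rs) < min_reporters:
            levels[cls] = 1
            continue
        dirty = sum(1 for r in rs if r["violations"] > 0) / len(rs)
        if dirty == 0:
            levels[cls] = 5
        elif dirty < 0.05:
            levels[cls] = 4
        elif dirty < 0.20:
            levels[cls] = 3
        elif dirty < 0.50:
            levels[cls] = 2
        else:
            levels[cls] = 1
    return levels


def vspace_admits(required_level, device_level):
    """Step 3: a device stays in (or joins) a vSpace only while its crowd trust
    meets the trust the vSpace expects (e.g. a security vSpace expecting 4)."""
    return device_level >= required_level


# Constructed flow records, as two different home gateways would observe them.
FLOWS_HOME_A = [
    {"dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    {"dst": "192.168.1.1", "proto": "udp", "dport": 53},
    {"dst": "192.168.1.1", "proto": "udp", "dport": 123},
]
FLOWS_HOME_B = FLOWS_HOME_A + [
    {"dst": "198.51.100.7", "proto": "tcp", "dport": 23},  # telnet to an unknown host
]

if __name__ == "__main__":
    report_a = local_deviation_report("acme-doorlock-v2", FLOWS_HOME_A)
    report_b = local_deviation_report("acme-doorlock-v2", FLOWS_HOME_B)
    # Nine clean networks and one that saw the telnet flow.
    level = crowd_trust_level([report_a] * 9 + [report_b])["acme-doorlock-v2"]
    print(level, TRUST_LABELS[level], "admitted to security vSpace:", vspace_admits(4, level))
```

On a real FSGW the per-flow match would be enforced by the gateway's firewall or by the SDN controller rather than in Python, and each published report should be bound to the identity of the reporting gateway: a crowd-sourced reputation is only as good as its resistance to fake reporters, and the minimum-reporter rule above is a crude guard, not a Sybil defence.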