Connection Security
X.509/TLS-Based Handshake and Encryption
Device Security
X.509 Certificate Based Identity and Attestation
Device Provisioning, Authorization & Management
Support for Diverse Hardware Secure Modules
Securely connect millions of devices over a secure internet connection to Microsoft Azure, built with security from the ground up
Cloud Security
Azure Security Center | Azure Active Directory
Key Vault | Policy-Based Access Control
Compliance coverage
Global: ISO 27001, ISO 27017, ISO 27018, ISO 22301, SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR Self-Assessment, CSA STAR Certification, CSA STAR Attestation
Industry: HIPAA / HITECH Act, HITRUST, FERPA, GxP 21 CFR Part 11, PCI DSS Level 1, MARS-E, FFIEC, GLBA, FISC Japan, CDSA, MPAA, FACT UK, Shared Assessments, IG Toolkit UK
Regional: Japan My Number Act, ENISA IAF, Japan CS Mark Gold, Spain ENS, Spain DPA, India MeitY, Canada Privacy Laws, Privacy Shield, Germany IT Grundschutz workbook, Argentina PDPA, EU Model Clauses, UK G-Cloud, China DJCP, China GB 18030, China TRUCS, Singapore MTCS, Australia IRAP/CCSL, New Zealand GCIO
>90% of Fortune 500 use Microsoft Cloud
Key Questions (Property: Question)
- Hardware-based Root of Trust: Does the device have a unique, unforgeable identity that is inseparable from the hardware?
- Small Trusted Computing Base: Is most of the device's software outside the device's trusted computing base?
- Defense in Depth: Is the device still protected if the security of one layer of device software is breached?
- Compartmentalization: Does a failure in one component of the device require a reboot of the entire device to return to operation?
- Certificate-based Authentication: Does the device use certificates instead of passwords for authentication?
- Renewable Security: Is the device's software updated automatically?
- Failure Reporting: Does the device report failures to its manufacturer?
high integrity
software
operations
Choice of Secure Hardware
- Many secure silicon providers, including standards based and custom secure silicon
- TPM
- DICE
https://aka.ms/RightSecureIoTHardware
Authentication / Attestation / Access Controls
1. Share Access Secrets (SAS) tokens; attestation: shared access key
2. Certificate based mutual authentication; attestation: certificate thumbprint
3. Certificate based mutual authentication; attestation: certificate authority
Access controls:
- Permission based
- Role based
- Action based
- Per device granularity
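As an added example (not code from this deck or from the Azure IoT SDK), the SAS-token scheme in row 1 in Python: the device signs the resource URI and an expiry with its shared access key, and the hub-side check recomputes the HMAC, compares it in constant time and rejects expired, mis-scoped or tampered tokens. The hub name, device id and key are constructed placeholders.

```python
"""Shared Access Signature (SAS) token for Azure IoT Hub: device-side generation
and hub-side verification. Added example, not code from the deck or the SDK."""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote_plus


def _signature(key_b64: str, uri: str, expiry: int) -> str:
    """HMAC-SHA256 over '<url-encoded resource URI>\\n<expiry epoch seconds>',
    keyed with the base64-decoded shared access key, returned as base64."""
    string_to_sign = f"{quote_plus(uri)}\n{expiry}".encode("utf-8")
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def generate_sas_token(uri: str, key_b64: str, expiry: int,
                       policy_name: Optional[str] = None) -> str:
    """Build 'SharedAccessSignature sr=...&sig=...&se=...[&skn=...]'.
    Per-device keys omit skn; hub-level policies (e.g. iothubowner) include it."""
    token = (f"SharedAccessSignature sr={quote_plus(uri)}"
             f"&sig={quote_plus(_signature(key_b64, uri, expiry))}&se={expiry}")
    if policy_name:
        token += f"&skn={quote_plus(policy_name)}"
    return token


def verify_sas_token(token: str, key_b64: str, expected_uri: str,
                     now: Optional[int] = None) -> Tuple[bool, str]:
    """Hub-side check: well-formed, not expired, scoped to the expected resource,
    and carrying a valid HMAC. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False, "missing SharedAccessSignature prefix"
    try:
        fields = parse_qs(token[len(prefix):], strict_parsing=True)
    except ValueError:
        return False, "malformed token"
    for name in ("sr", "sig", "se"):
        if len(fields.get(name, [])) != 1:  # reject missing or duplicated fields
            return False, f"field {name} missing or repeated"
    sr, sig, se = fields["sr"][0], fields["sig"][0], fields["se"][0]
    if not se.isdigit():
        return False, "se is not an integer"
    expiry = int(se)
    if expiry <= now:
        return False, "token expired"
    if sr != expected_uri:
        return False, "token scoped to a different resource"
    expected_sig = _signature(key_b64, sr, expiry)
    # Constant-time comparison so a forged signature leaks no timing information.
    if not hmac.compare_digest(sig.encode("utf-8"), expected_sig.encode("ascii")):
        return False, "signature mismatch"
    return True, "ok"


# Constructed example values: fake hub name, device id and key (no real secret).
EXAMPLE_URI = "example-hub.azure-devices.net/devices/device-001"
EXAMPLE_KEY = base64.b64encode(b"constructed-example-key-not-a-real-secret").decode("ascii")
EXAMPLE_NOW = 1_700_000_000  # fixed clock so the outcome is reproducible


def demo() -> Dict[str, bool]:
    """Run the verifier over a valid token and four rejected variants."""
    expiry = EXAMPLE_NOW + 3600
    token = generate_sas_token(EXAMPLE_URI, EXAMPLE_KEY, expiry)
    wrong_key = base64.b64encode(b"some-other-key").decode("ascii")
    other_uri = EXAMPLE_URI.replace("device-001", "device-002")
    bumped = token.replace(f"se={expiry}", f"se={expiry + 86400}")  # expiry edited without re-signing
    return {
        "valid": verify_sas_token(token, EXAMPLE_KEY, EXAMPLE_URI, EXAMPLE_NOW)[0],
        "wrong_key": verify_sas_token(token, wrong_key, EXAMPLE_URI, EXAMPLE_NOW)[0],
        "expired": verify_sas_token(token, EXAMPLE_KEY, EXAMPLE_URI, expiry + 1)[0],
        "other_device": verify_sas_token(token, EXAMPLE_KEY, other_uri, EXAMPLE_NOW)[0],
        "tampered_expiry": verify_sas_token(bumped, EXAMPLE_KEY, EXAMPLE_URI, EXAMPLE_NOW)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} {'accepted' if ok else 'rejected'}")
```

The per-device key in the demo gives the token the per-device granularity listed above; a hub-level policy token would add skn and be checked against that policy's key instead.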
IoT Hub
Device
Connection Security
X.509/TLS-Based Handshake and Encryption
IoT Hub device twin and messaging primitives
- Tags: cloud only, device metadata
- Desired properties: cloud owned, device visible
- Reported properties: device owned, cloud visible
- Methods: cloud initiated C2D with response
- Commands: cloud initiated C2D message
- Telemetry channel
Device Provisioning Service
Automate device provisioning at scale and eliminate security threats from manual handling
IoT Solution US | IoT Solution Germany | IoT Solution China
https://azure.microsoft.com/en-us/blog/securing-the-intelligent-edge/
Threats
- Readily available tools and experience: the same tools and experience from other disciplines like failure analysis and patent research are easily repurposed for attacks.
- Rich development environment: the necessary mixture of scripted and compiled software using many technologies to enrich user experience also increases the probability of vulnerabilities.
- Heterogeneous hardware: expands the threat surface across architecture, vendor, and capabilities, unlike relatively more uniform datacenter hardware.
- Physical accessibility: subject to physical analysis such as power and timing analysis, and attacks based on micro-probing, fault injection, and environmental tampering.
- Non-standard security protocols: proprietary hardware procedures for common security needs, like hardware enforcement of secure boot and firmware updates, preclude public scrutiny.
Requires assertive defense
Requires uniformity
Diagram: Cloud (IoT Hub) and Gateway (IoT Edge), exchanging insights and actions
A Framework for Ecosystem Managed Security (Azure IoT Edge device, connected to IoT Hub)
- Hardware Root of Trust: trust anchor and tamper resistance
- Secure Boot/Updates: bootstrapping and recovery
- Secure Execution Environment: privileged executions and system resource access control
- Protected General Computing: application execution with runtime integrity checking
Principles / Realization
- Communicate diligence in security
- Administered by 3rd party labs for transparency (coming soon)
- Open standards procedures
- Certificate based signed device promise attestations (coming soon)
Promise: Standard | Secure Element | Secure Enclave
Secure silicon: None | Standalone security processor, e.g. TPM | Integrated security processor
Maximum protection to be expected in malicious custody: None | Secrets like cryptographic keys | Secrets and the trusted computing base
Typical transactions: All, with adequate risk mitigation | Authentication, session key generation, certificate processing | All secure element transactions plus the trusted computing base for transactions such as metering, billing, secure I/O, secure logging
Maximum grade possible: Level 2 | Level 4 | Level 4

Grade and requirements
- Level 1: Custom implementations in lieu of using Azure IoT Device SDK
- Level 2: Azure IoT Device SDK
- Level 3: Azure IoT Device SDK; FIPS 140-2 Level 2; Common Criteria EAL 3+ (PP coming soon)
- Level 4: Azure IoT Device SDK; FIPS 140-2 Level 3; Common Criteria EAL 4+ (PP coming soon)
IoT Role Example Scenario
OEM
Investment optimal decision. Decide which market to play in.
- Manufacture and certify for secure element devices for solutions with simple needs like authentication
- Manufacture and certify for secure enclave devices for solutions with complex needs like monetization
SI
Cost optimal decisions. Balance device cost with deployment risk assessment
- Secure element devices for endpoint identity
- Secure enclave devices for endpoint identity and execution integrity
Operator
Optimal risk management. Balance between device security and personnel access controls
- Less elaborate personnel access controls with secure element/enclave promise devices
- More elaborate access controls with standard promise devices
IoT Edge
Module Developer
Empowerment. Use signed attestations to programmatically detect and deploy accordingly
- Detect and deploy to secure element devices for node count control
- Detect and deploy to secure enclave devices for IP protection or metered usage
SEQUITUR LABS demos (LS1012A and SAMA5D2 boards) with blog posts:
- Runtime Attestation via Hardware RTiC Module
- Runtime Attestation via Hardware ICM Module
- IoT Hub
“hackers have infiltrated the critical safety systems for industrial control units
used in nuclear, oil and gas plants, halting operations at at least one facility”
“The hackers used sophisticated malware, dubbed ‘Triton’, to take
remote control of a safety control workstation”
“Some controllers entered a failsafe mode as the hackers
attempted to reprogram them”
Properties of TCPS
Separation of critical execution
Help protect critical infrastructure from malware threats by separating non-critical from critical operations and
concentrating on using hardware isolation to protect control of physical systems.
Inspectability of execution process
Ensure that any code that handles critical operations is auditable by operators through source code review.
Attestability of processing environment
During operation, each component must be able to verify that data is received and sent only from trustworthy sources. A
component also needs to attest its trustworthiness to other components.
Minimizing number of entities that need to be trusted
Reducing the number of trusted entities significantly reduces the attack surface for critical infrastructure. In the ideal TCPS
solution, the operator will maintain the only root of trust for critical code execution.
The device owner/operator is in complete control of critical systems.
Attack vectors on a factory line (diagram): the attacker targets the SCADA/HMI system and the factory line automation; the SCADA application sends OPC UA messages to the factory line controller.
Attacker will simulate user input or directly issue control messages (e.g. OPC UA) using the SCADA system's message authentication.
Mitigation (diagram): OPC UA messages are authenticated by a TEE; message authorization goes through a policy decision engine in the TEE, and a trusted UI terminal (TEE) is used to approve messages.
Protecting the SCADA/HMI system (diagram): i.MX6 + Windows IoT Core runs the SCADA application and the transport stack (TCP/IP); the policy decision engine and security layer run in TrustZone (OP-TEE), and OPC UA traffic leaves through the LAN port.
Protecting a legacy OPC UA device (diagram): an i.MX6 security layer sits in front of the legacy device over an SPI port, with an SPI-LAN adapter with TCP/IP facing the LAN where the attacker is.
Protecting factory line automation (diagram): an OPC UA gateway in front of the factory line controller; the edge client and transport stack run on the host operating system, while the policy decision engine, security layer and trusted I/O run in a trusted execution environment.
Cloud services (diagram): message gateway, factory line control, a policy decision engine in Azure Confidential Computing, tamper-resistant logging, and a configuration and provisioning service.
Additional information about TCPS
TCPS Overview http://aka.ms/TCPS_TwoPager_HMI2018
Blog post http://aka.ms/TCPS_HMI2018
Whitepaper http://aka.ms/TCPS_Whitepaper
Preview coming soon
Windows IoT security promise
Windows IoT provides the best endpoint security to protect your data at rest, in motion and during execution.
Windows IoT devices are built with security in mind.
Security is not in the way of your development, deployment and operation.
Is my IoT infrastructure developed, deployed
and operated securely?
By deploying IoT what security risks am I
taking for the rest of my business?
Who can evaluate my IoT infrastructure and give
me a threat assessment?
- Consider the threats most relevant to your IoT infrastructure
- Identify the consequences that are most important to your business
- Select evaluation strategies that provide the most value
http://aka.ms/IoTSecurityEval
Microsoft’s Security Program for
Azure IoT connects customers with
partners who are experts at evaluating
an IoT infrastructure end-to-end.
Not all partners may be listed; check internetofyourthings.com for latest status
Standards for IoT Security
- None holistic in existence
- No end-to-end IoT security standard
- Existing standards retrofit IT security to IoT
- No scope for physical attacks such as tampering
Microsoft actively engaged in 25+ standards organizations and consortia to help address IoT security challenges
- Microsoft champions and chairs the IoT Security Maturity Model development at the Industrial Internet Consortium (IIC)
- SMM assists with:
  - Security target definition
  - Current security maturity assessment
  - Security gap analysis
  - Security maturity enhancement planning
https://www.microsoft.com/en-us/internet-of-things/security
Solution operator
Hardware manufacturers
or integrators
Solution developer
Solution deployer
http://aka.ms/iotbestpractices
Secure and power the intelligent edge with
Azure Sphere
1:00pm-2:15pm, WSCC: Rooms 612
Azure IoT Solutions - Get your IoT project started in minutes with SaaS and preconfigured solutions
Removing Security Roadblocks to IoT Deployment Success
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxEasyPrinterHelp
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoUXDXConf
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FIDO Alliance
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeCzechDreamin
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyUXDXConf
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxJennifer Lim
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
THE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in  GERMANY for 2024: IPTVreelTHE BEST IPTV in  GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreelreely ones
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceSamy Fodil
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka DoktorováCzechDreamin
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 

Recently uploaded (20)

Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptx
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, Ocado
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
THE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in  GERMANY for 2024: IPTVreelTHE BEST IPTV in  GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreel
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 

Removing Security Roadblocks to IoT Deployment Success

  • 1.
  • 2.
  • 3. Connection Security X.509/TLS-Based Handshake and Encryption Device Security X.509 Certificate Based Identity and Attestation Device Provisioning, Authorization & Management Support for Diverse Hardware Secure Modules Securely connect millions of devices… …over a secure internet connection… …to Microsoft Azure – built with security from the ground up Cloud Security Azure Security Center | Azure Active Directory Key Vault | Policy-Based Access Control
  • 4. GLOBAL | INDUSTRY | REGIONAL: HIPAA / HITECH Act, FERPA, GxP, 21 CFR Part 11, ISO 27001, SOC 1 Type 2, ISO 27018, CSA STAR Self-Assessment, FISC Japan, CDSA, Shared Assessments, FACT UK, GLBA, PCI DSS Level 1, MARS-E, FFIEC, SOC 2 Type 2, SOC 3, MPAA, ISO 22301, Japan My Number Act, ENISA IAF, Japan CS Mark Gold, Spain ENS, Spain DPA, India MeitY, Canada Privacy Laws, Privacy Shield, Germany IT Grundschutz workbook, CSA STAR Certification, CSA STAR Attestation, HITRUST, IG Toolkit UK, Argentina PDPA, EU Model Clauses, UK G-Cloud, China DJCP, China GB 18030, China TRUCS, Singapore MTCS, Australia IRAP/CCSL, New Zealand GCIO, ISO 27017
  • 5. >90% of Fortune 500 use Microsoft Cloud
  • 6. Key Questions (Property: question)
    - Hardware-based Root of Trust: Does the device have a unique, unforgeable identity that is inseparable from the hardware?
    - Small Trusted Computing Base: Is most of the device’s software outside the device’s trusted computing base?
    - Defense in Depth: Is the device still protected if the security of one layer of device software is breached?
    - Compartmentalization: Does a failure in one component of the device require a reboot of the entire device to return to operation?
    - Certificate-based Authentication: Does the device use certificates instead of passwords for authentication?
    - Renewable Security: Is the device’s software updated automatically?
    - Failure Reporting: Does the device report failures to its manufacturer?
  • 7. Choice of Secure Hardware (high integrity software operations)
    - Many secure silicon providers including
    - Standards based and custom secure silicon
    - TPM
    - DICE
    https://aka.ms/RightSecureIoTHardware
  • 8. Authentication, Attestation, Access Controls (IoT Hub / Device Connection Security: X.509/TLS-Based Handshake and Encryption)
    1. Share Access Secrets (SAS) Tokens, Shared Access Key: permission based, role based, action based, per device granularity
    2. Certificate Based Mutual Authentication: Certificate Thumbprint
    3. Certificate Based Mutual Authentication: Certificate Authority
  • 9. IoT Device and IoT Hub channels
    - Telemetry: telemetry channel
    - Methods: cloud initiated C2D with response
    - Commands: cloud initiated C2D message
    - Device Twin Properties, Desired: cloud owned, device visible
    - Device Twin Properties, Reported: device owned, cloud visible
    - Device Twin Tags: cloud only, device metadata
  • 10. Device Provisioning Service: Automate device provisioning at scale and eliminate security threats from manual handling (IoT Solution US / IoT Solution Germany / IoT Solution China)
  • 11.
  • 12.
  • 13.
  • 14. Threats (https://azure.microsoft.com/en-us/blog/securing-the-intelligent-edge/)
    - Readily available tools and experience: The same tools and experience from other disciplines like failure analysis and patent research are easily repurposed for attacks.
    - Rich development environment: The necessary mixture of scripted and compiled software using many technologies to enrich user experience also increases the probability for vulnerabilities.
    - Heterogeneous hardware: Expands threat surface across architecture, vendor, and capabilities, unlike relatively more uniform datacenter hardware.
    - Physical accessibility: Subject to physical analysis like on power and timing, and attacks based on micro-probing, fault injections, and environmental tampering.
    - Non-standard security protocols: Proprietary hardware procedures for common security needs like secure hardware enforcements for secure boot and firmware updates preclude public scrutiny.
    Requires assertive defense; requires uniformity
  • 15. Cloud Gateway (IoT Edge, IoT Hub): Insights, Actions
  • 16. A Framework for Ecosystem Managed Security (Principles: Realization), Azure IoT Edge Device / IoT Hub
    - Hardware Root of Trust: Trust anchor and tamper resistance
    - Secure Boot/Updates: Bootstrapping and recovery
    - Secure Execution Environment: Privileged executions and systems resource access control
    - Protected General Computing: Application execution with runtime integrity checking
  • 17.
  • 18.  Communicate diligence in security  Administered by 3rd Party Labs for transparency (coming soon)  Open standards procedures  Certificate based signed device promise attestations (coming soon)
    Promise: Standard | Secure Element | Secure Enclave
    - Secure silicon: None | Standalone security processor, e.g. TPM | Integrated security processor
    - Maximum protection to be expected in malicious custody: None | Secrets like cryptographic keys | Secrets and the trusted computing base
    - Typical transactions: All, with adequate risk mitigation | Authentication, session key generation, certificates processing | All secure element transactions plus the trusted computing base for transactions such as metering, billing, secure I/O, secure logging
    - Maximum grade possible: Level 2 | Level 4 | Level 4
    Grade and Requirements:
    - Level 1: Custom implementations in lieu of using Azure IoT Device SDK
    - Level 2: Azure IoT Device SDK
    - Level 3: Azure IoT Device SDK; FIPS 140-2 Level 2; Common Criteria EAL 3+ (PP coming soon)
    - Level 4: Azure IoT Device SDK; FIPS 140-2 Level 3; Common Criteria EAL 4+ (PP coming soon)
  • 19. IoT Role: Example; Scenario
    - OEM: Investment optimal decision. Decide which market to play in. Manufacture and certify secure element devices for solutions with simple needs like authentication; manufacture and certify secure enclave devices for solutions with complex needs like monetization
    - SI: Cost optimal decisions. Balance device cost with deployment risk assessment. Secure element devices for endpoint identity; secure enclave devices for endpoint identity and execution integrity
    - Operator: Optimal risk management. Balance between device security and personnel access controls. Less elaborate personnel access controls with secure element/enclave promise devices; more elaborate access controls with standard promise devices
    - IoT Edge Module Developer: Empowerment. Use signed attestations to programmatically detect and deploy accordingly. Detect and deploy to secure element devices for node count control; detect and deploy to secure enclave devices for IP protection or metered usage
  • 20. SEQUITUR LABS: LS1012A and SAMA5D2 (Demo, Blog); Runtime Attestation via Hardware RTiC Module; Runtime Attestation via Hardware ICM Module; IoT Hub
  • 21.
  • 22. “hackers have infiltrated the critical safety systems for industrial control units used in nuclear, oil and gas plants, halting operations at at least one facility” “The hackers used sophisticated malware, dubbed ‘Triton’, to take remote control of a safety control workstation” “Some controllers entered a failsafe mode as the hackers attempted to reprogram them”
  • 23. Properties of TCPS
    - Separation of critical execution: Help protect critical infrastructure from malware threats by separating non-critical from critical operations and concentrating on using hardware isolation to protect control of physical systems.
    - Inspectability of execution process: Ensure that any code that handles critical operations must be auditable by operators through source code review.
    - Attestability of processing environment: During operation, each component must be able to verify that data is received and sent only from trustworthy sources. A component also needs to attest its trustworthiness to other components.
    - Minimizing number of entities that need to be trusted: Reducing the number of trusted entities significantly reduces the attack surface for critical infrastructure. In the ideal TCPS solution, the operator will maintain the only root of trust for critical code execution.
    The device owner/operator is in complete control of critical systems
  • 24. Attack vectors on factory line: Attacker; Attack to SCADA System (SCADA System); Attack to Factory Line Automation (Controller, Factory Line)
  • 25. Protecting the SCADA/HMI system: SCADA application, OPC UA message, SCADA System; SCADA/HMI System with TEE, OPC UA message authenticated by TEE, Message Authorization Policy Decision Engine, Trusted UI (TEE) terminal to approve messages. Attacker will simulate user input or directly issue control messages (e.g. OPC UA) using the SCADA system’s message authentication
  • 26. Protecting factory line automation: i.MX6 + Windows IoT Core, Transport Stack (TCP/IP), TrustZone (OP-TEE), i.MX6 Security Layer, OPC UA over LAN Port; SPI Port, SPI-LAN Adapter with TCP/IP, Legacy OPC UA Device; OPC UA Gateway, Controller, Factory Line, Policy Decision Engine; Attacker
  • 27. Host Operating System (Edge Client, Transport stack); Trusted Execution Environment (Security Layer, Trusted I/O); Cloud services (Message Gateway, Azure Policy Decision Engine, Azure Confidential Computing, Tamper-resistant logging, Configuration and Provisioning Service); Controller, Factory Line, Factory Line Control
  • 28. Additional information about TCPS TCPS Overview http://aka.ms/TCPS_TwoPager_HMI2018 Blog post http://aka.ms/TCPS_HMI2018 Whitepaper http://aka.ms/TCPS_Whitepaper Preview coming soon
  • 29.
  • 30. Windows IoT security promise: Windows IoT provides the best endpoint security to protect your data at rest, in motion and during execution. Windows IoT devices are built with security in mind. Security is not in the way of your development, deployment and operation.
  • 31.
  • 32.
  • 33.
  • 34. Is my IoT infrastructure developed, deployed and operated securely? By deploying IoT what security risks am I taking for the rest of my business? Who can evaluate my IoT infrastructure and give me a threat assessment?
  • 35. Consider the threats most relevant to your IoT infrastructure Identify the consequences that are most important to your business Select evaluation strategies that provide the most value http://aka.ms/IoTSecurityEval
  • 36.
  • 37.
  • 38. Microsoft’s Security Program for Azure IoT connects customers with partners who are experts at evaluating an IoT infrastructure end-to-end. Not all partners may be listed; check internetofyourthings.com for latest status
  • 39.
  • 40. Standards for IoT Security None holistic in existence No end-to-end IoT Security standard Existing standards retrofitting IT security to IoT No scope for physical attacks such as tampering Microsoft actively engaged in 25+ standards organizations and consortia to help address IoT security challenges
  • 41.  Microsoft champions and chairs the IoT Security Maturity Model development at the Industrial Internet Consortium (IIC)  SMM assists with: • Security target definition • Current security maturity assessment • Security gap analysis • Security maturity enhancement planning
  • 42.
  • 44. Solution operator; Hardware manufacturers or integrators; Solution developer; Solution deployer. http://aka.ms/iotbestpractices
  • 45. Secure and power the intelligent edge with Azure Sphere, 1:00pm-2:15pm, WSCC: Rooms 612. Azure IoT Solutions: Get your IoT project started in minutes with SaaS and preconfigured solutions
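Slide 8 lists SAS tokens signed with a per-device shared access key as the first of IoT Hub's device authentication options. The following Python is an added example, not code from the deck or from Microsoft's SDKs: it issues such a token and performs the receiver-side checks (resource binding, expiry, constant-time signature comparison). The hub name, device ids, keys and timestamps are constructed sample values; the assumed token layout is the documented IoT Hub one (HMAC-SHA256 over the URL-encoded resource URI and expiry, with the key base64-decoded first).

```python
"""Issue and validate an IoT Hub style SAS token (added example, not SDK code)."""
import base64
import hashlib
import hmac
import urllib.parse
from typing import Optional

# Constructed sample keys, base64 encoded as IoT Hub hands out symmetric device keys.
DEVICE_KEY_B64 = base64.b64encode(b"constructed-demo-key-for-dev01-only!!").decode()
OTHER_KEY_B64 = base64.b64encode(b"constructed-demo-key-for-dev02-only!!").decode()


def _signature(resource_uri: str, expiry: int, key_b64: str) -> str:
    """HMAC-SHA256 over '<url-encoded resource URI>\\n<expiry>' keyed with the decoded key."""
    string_to_sign = f"{urllib.parse.quote(resource_uri, safe='')}\n{expiry}".encode()
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def generate_sas_token(resource_uri: str, key_b64: str, expiry: int,
                       policy_name: Optional[str] = None) -> str:
    """Return 'SharedAccessSignature sr=...&sig=...&se=...[&skn=...]'.

    A device token is scoped to '<hub>/devices/<deviceId>' and signed with that
    device's own key, so it carries no skn; a hub-level policy token names its policy.
    """
    token = (
        "SharedAccessSignature "
        f"sr={urllib.parse.quote(resource_uri, safe='')}"
        f"&sig={urllib.parse.quote(_signature(resource_uri, expiry, key_b64), safe='')}"
        f"&se={expiry}"
    )
    if policy_name:
        token += f"&skn={policy_name}"
    return token


def parse_sas_token(token: str) -> dict:
    """Split a token into its decoded fields; raises ValueError on malformed input."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("missing SharedAccessSignature prefix")
    fields = dict(urllib.parse.parse_qsl(token[len(prefix):], keep_blank_values=True))
    if not {"sr", "sig", "se"}.issubset(fields):
        raise ValueError("token lacks sr, sig or se")
    return fields


def validate_sas_token(token: str, expected_resource: str, key_b64: str, now: int) -> bool:
    """Receiver-side check: well formed, bound to this resource, unexpired, correctly signed.

    key_b64 is the key the receiver looked up for expected_resource (per-device granularity),
    never a key named by the token itself.
    """
    try:
        fields = parse_sas_token(token)
        expiry = int(fields["se"])
    except ValueError:
        return False
    if fields["sr"] != expected_resource:   # a token issued for dev01 must not work for dev02
        return False
    if now >= expiry:                       # se is absolute Unix time; reject at or after it
        return False
    expected_sig = _signature(fields["sr"], expiry, key_b64)
    return hmac.compare_digest(expected_sig, fields["sig"])  # constant-time comparison
```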