
Blueprint for creating a Secure IoT Product


What is the right way to authenticate IoT devices? What is Security-First software design? What design patterns comply with HIPAA? Those questions and more will be answered in my presentation.

Published in: Internet

  1. A Blueprint for Creating a Secure IoT Product
     Guy Vinograd, CEO
  2. About Me and Softimize
     • Million-user scale, 10000s devices
       ◦ AWS & Google GCP partner
     • Secure IoT clouds for device vendors
       ◦ Device vendors - focus on your core
       ◦ Customers - global $Bn companies to start-ups
     • Your trusted advisor - IoT, security, and clouds
  3. Security - The #1 concern for IoT
     • ICS-CERT 2014 report
       ◦ 245 incidents involving IoT platforms
       ◦ 55% Advanced Persistent Threats (APT)
       ◦ 42% targeted communication, water, transport
     • <40% IoT vendors implemented measures
  4. What is IoT Security?
  5. The 3 Goals of IoT Security
     • Breach prevention
       ◦ Software - cloud & apps
       ◦ Environment – cloud, physical, network
       ◦ Devices
     • Privacy
       ◦ Let your users control their data
     • Trust
       ◦ Create customer confidence
  6. Create Trust with Security Standards
  7. The ISOs
     • Company-level standards
     • ISO 27001 - Information security
       ◦ ISO 27799 – Health guidelines
     • ISO 9001 – Quality management
       ◦ ISO 13485 – Health guidelines
     • Certification
       ◦ ~4 months (SMB), ~40 hours overhead
       ◦ Post overhead - ~10 hours/month
       ◦ Yearly audit
       ◦ Consulting companies. ~ILS 30K
  8. HIPAA – a Product-level Standard
     • Health care
       ◦ Medical devices and much more
     • American
       ◦ EU: Data Protection Directive 1995/46/EC
     • PHI – Protected Health Information
     • BAA - Business associate agreement
     • Self declaratory
       ◦ Audit comes later
  9. HIPAA & Clouds Architecture
       ◦ DB - RDS (MySQL), DynamoDB, Redshift
       ◦ Files - EBS, S3, Glacier
       ◦ Process – EC2, ELB, EMR
       ◦ Utils – KMS, CloudWatch
       ◦ DB – CloudSQL, BigQuery, Genomics
       ◦ Files – Cloud Storage
       ◦ Process – Compute Engine
       ◦ Utils – Logging (Beta)
       ◦ Active Directory, API Management, Automation, Backup, Batch, BizTalk Services, Cloud Services, DocumentDB, Express Route, HDInsight, Key Vault, Machine Learning, Management Portal, Media Services, Mobile Services, Multi-Factor Authentication, Notification Hub, Operational Insights, Redis Cache, RemoteApp, Rights Management Service, Scheduler, Service Bus, Site Recovery, SQL Database, Storage, StorSimple, Stream Analytics, Traffic Manager, Virtual Machines, Virtual Network, Visual Studio Team Services, Web Sites, and Workflow Manager.
       ◦ Compute - SoftLayer
  10. Zoom on IoT - What to Secure?
     (Diagram labels: REST; HTTP | MQTT | CoAP | XMPP; IoT Backend Service; GW)
  11. Zoom on IoT – Where to put Data/Logic
     • Cloud – the ideal
       ◦ Protects IP
       ◦ Data Privacy
         • GW knows only raw signal
         • No processed info = less risk
         • Caching on GW is a risk
     • GW ("fog") – the reality
       ◦ Offline – Get security policy from cloud and execute
  12. The Softimize Way for Designing a Secure IoT Product
  13. Things Building Blocks (TBB™)
     (Diagram labels: Security; Users/Devices; Data Streaming; Vendor Services; Management; Push notifications; Device Interaction)
     • Access Control – IaaS, SaaS
     • Vendor and cloud provider protection
     • Encryption, Tenant isolation
     • Site management – Multi device
     • Licensing – per Tenant. Trial license
     • Bulk versioned FW updates
     • Complex event processing
     • Real-time, sub second latency
     • Users | Devices and hierarchies
     • Back-office, Audit
     • Analytics – Failures, Usage patterns
     • Prediction – Churn, Upsell
     • Discover & Config – w/o wifi | Real time streaming | FW update
     • Security – Encrypt, Auth | Reduce energy & bandwidth
     • On Premise
     • MQTT, HTTP
     • Cloud Abstraction
     • Multi Cloud
     • Abstraction Layers for managed services
     • NO DevOps-hungry open sources
  14. Security-First Design
     • Cloud
       ◦ Physical
       ◦ Access control - Policy / role based
     • System – Cloud & GW
       ◦ Dedicated servers
       ◦ Micro services separation based on purpose
       ◦ App/Data access - User / group / role based
     • User interface
       ◦ “Need to know” basis
       ◦ Re-require password for export/sensitive
  15. Security-First Design - Data in Transit
     • Authentication and authenticity
       ◦ Temporary tokens when possible
     • Encryption
     • Validation
  16. Security-First Design - Data at Rest
     • “Need to know” basis
       ◦ Microservices
       ◦ DB access Policy
       ◦ Fully identifiable, pseudonymized anonymized, fully anonymized
     • Per-tenant encryption
       ◦ Key management
       ◦ DB query of indexed data
     • Purge when expires (7 years / user request)
     • Routine integrity checks
  17. Security-First Design
     • Traceability
       ◦ Everything - access, input, data & operations
       ◦ Centralized logging/auditing - Cloud & GW
     • Availability
       ◦ Redundancy
       ◦ Backup
     • Plausibility checks
       ◦ Failure
       ◦ Penetration
  18. Guy Vinograd guy@softimize.co Need an IoT Cloud? Use