SACON
SACON International 2017
CISO Platform and TiE IOT Forum
India | Bangalore | November 10–11 | Hotel Lalit Ashok
Securing Internet of Things
SACON 2017
The Internet of Things
[Figure: the IoT stack drawn as four tiers: The Things, The Roof, The Cloud, The Apps & Services. Labels on the figure: The Context, The State, The Environment, Data & Analytics, Information & Actions, Insights & Workflow. Links shown between the tiers: BLE, ZigBee, WiFi; Ethernet/LTE/FTH; REST API.]
The Implication of the Hyper Scale
Bigger Attack Space
Big Data, Day-to-Day Usage
Diversity
Lack of Experience
Variety of protocols, devices, applications, environments, users, vendors.
More personal
Real time information
Poor design
Who Is Responsible for Security
Device Manufacturers
Software Vendors
Network Builders
Service Providers
Standards will bring the ecosystem together to build secure systems.
IoT Security != Cyber Security
IoT Security: Root of Trust, Network Security, Privacy
Network Security = Secure Provisioning + Secure Key Management + Authentication & Authorization + Secure Communication
Key Players
• IoT Users
• ISP
• Security Service Providers
• Network Service Providers
• Variety of Cloud Service Providers
Key Security Functions
• Identity – of People, Devices and Networks
• Access Control – Zero-Trust Model, segregated network for IoT
• Monitoring – including invasive activity monitoring
• De-boarding – disconnect, block, de-register and initiate legal action against entities suspected of adversarial behavior
Functional Aspects of IoT Security
• Channel Security – Protect the communication path
• Root of Trust – Secure Boot Capabilities
• Security Management – Management of Crypto Materials, Policies and updates
• Security Fusion – Detect, block and report adversarial attempts
• Cooperation – Share information and learn best practices
Functional Aspects of IoT Security contd.
• Security Bootstrapping – Initial Security Configuration and Procedures
• Security Services – Protect the Sources and Manage Vulnerabilities
• Data Protection – Protect data at rest in servers and end-point equipment, protect data in motion
• Identify, Authenticate and Authorize – Primary, Secondary and Tertiary authentication, MFA, Zero-trust
Identity
[Figure: HW Root of Trust* → Device ID; Ownership → Owner ID; Device Configuration & Service Identification → Service Enablement; all backed by a Blockchain/Trusted Database and PKI.]
Access Control
Uninterneting – Don't expose things over the Internet
Indirection – Move security computing one level up
Security Gate – Allow only trusted sources
Security Fusion – Contextual analysis
Multi Factor Authentication – Extra layers of security
A combination of these would help in building robust protection against the threats.
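As an added illustration that is not part of the SACON deck, the Python sketch below puts the Key Security Functions and the Access Control building blocks above into one gateway-side security gate: each request re-proves device identity against a key provisioned at bootstrapping (standing in for the hardware root of trust), is authorized against owner and enabled services, feeds a contextual signal into security fusion, and repeated anomalies trigger de-boarding. All class and field names, the request-rate threshold and the anomaly limit are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Device:  # entry in the gateway's trusted device database (assumed layout)
    device_id: str
    owner_id: str
    attest_key: bytes      # secret provisioned at bootstrapping; stands in for a HW root of trust
    allowed_services: set  # services the owner enabled for this device
    anomalies: int = 0
    deboarded: bool = False

def make_tag(attest_key: bytes, nonce: bytes) -> bytes:
    """Device side: prove possession of the provisioned key for a fresh nonce."""
    return hmac.new(attest_key, nonce, hashlib.sha256).digest()

class SecurityGate:
    """Zero-trust gate at the roof/edge: every request is re-verified, LAN position grants nothing."""
    def __init__(self, max_anomalies: int = 3, max_rate_per_min: int = 100):
        self.registry = {}                   # trusted database keyed by device_id
        self.max_anomalies = max_anomalies   # de-boarding threshold (assumed value)
        self.max_rate_per_min = max_rate_per_min

    def provision(self, dev: Device) -> None:
        self.registry[dev.device_id] = dev

    def authorize(self, device_id, owner_id, service, nonce, tag, context) -> str:
        dev = self.registry.get(device_id)
        if dev is None or dev.deboarded:     # unknown or already de-boarded: block outright
            return "BLOCK"
        # Identity: the device must prove it holds the key bound to its ID
        if not hmac.compare_digest(make_tag(dev.attest_key, nonce), tag):
            return self._flag(dev)
        # Authorization: right owner, and only services enabled for this device
        if dev.owner_id != owner_id or service not in dev.allowed_services:
            return self._flag(dev)
        # Security fusion: contextual analysis of the request (here, its request rate)
        if context.get("rate_per_min", 0) > self.max_rate_per_min:
            return self._flag(dev)
        return "ALLOW"

    def _flag(self, dev: Device) -> str:
        """Monitoring -> de-boarding: deny now, de-register after repeated anomalies."""
        dev.anomalies += 1
        if dev.anomalies >= self.max_anomalies:
            dev.deboarded = True             # disconnect, block and de-register
            return "DEBOARD"
        return "DENY"
```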
IoT Security – by Indirection
[Figure: tiers Cloud, Roof and Things. Roles: Resource Owner, Security Manager, Resource Server, Client. Flows labelled Communication, Security Negotiation and Security Provisioning (the last shown four times, once per link between the roles).]
Securing Network Segments
[Figure: segments Cloud, PAN, WAN, LAN and Internet, with nodes SSP, Edge Router and Apps. Links labelled: IPSec Tunnel; CoAP/UDP/DTLS/IPv6; IPSec Tunnel; WiFi/Ethernet; BB/LTE/MPLS; OTAE BLE, 802.15.4, WiFi.]
Network Access Proxy
• Similar Architecture as Google's BeyondCorp
• Zero-Trust
• Real-time Behavior Analysis
Monitoring and De-boarding – Security Fusion
[Figure: Security Fusion at the centre, linked to Authorization, Authentication, Channel Security, Security Management and Root of Trust.]
• Security by Design
• Contextual Analysis
• MFA
• DoS Prevention mechanism on Devices
• Minimize Device Computing
Privacy Management
Informed Decision Making
End-to-End Transparency
Weighing Privacy vs. Benefits
Contextual Awareness
Privacy by Design
Government Regulations
Strategic Principles for IoT Security*
* United States Department of Homeland Security, November 2016
1. Incorporate security at the design phase
2. Promote security updates and vulnerability management
3. Build on proven security practices
4. Prioritize security measures according to potential impact
5. Promote transparency across IoT
6. Connect carefully and deliberately
Thank You