Page 1
12/1/2016
1
Confidential and Proprietary -- © 2016 Device Authority
Securely enabling the Internet of ThingsBy Robert Dobson| Pre-Sales Director EMEA
Confidential and Proprietary -- © 2016 Device Authority
www.deviceauthority.com
Agenda
1. Introduction
2. Why does IoT Security need a rethink?
3. What does Device Authority provide to deliver Security Enablement and Automation?
4. Summary
5. Questions & Answers
Page 2
12/1/2016
2
Confidential and Proprietary -- © 2016 Device Authority
www.deviceauthority.com
Device Authority History
Q2 2016
CompanyMerge
GartnerCool Vendor
UK’s Most Innovative Small Cyber
Security Company
MachineShopPartnership
Q4 2015 Q1 2016
ThingWorxPartnership
SymantecAlliance
InVMAPartnership
Q3 2016
Intel IoT SolutionsAlliance Member
CumulocityPartnership
DigiCertPartnership
Q4 2016
Confidential and Proprietary -- © 2016 Device Authority
Why does IoT Securityneed a re-think?
Page 3
12/1/2016
3
Confidential and Proprietary -- © 2016 Device Authority
www.deviceauthority.com
A couple of recent real world example attacks
• Malware introduced to camera because of weak security posture
• Default Username/Password used and no way to update them, or the software!
• Cameras used as a small “army” to create DDOS attack (Twiter, Netflix etc… attacked)
• Wireless connected lightbulbs (Zigbee) remotely hacked from car or drone
• Gained access by exploiting hard coded symmetric keys and introduced malicious firmware
• Attacker could turn on/off tower block lighting, this could be extended to large installations
Confidential and Proprietary -- © 2016 Device Authority
www.deviceauthority.com
A shift in IoT Security ownership
Customers security posture is left to the manufacturer to define.
Manufacture centric approach…
Present (Manufacturer) Future (End customer)
Customers are moving toward defining their own security posture specified for the needs of their
business, supply chain and product
Page 4
12/1/2016
4
Confidential and Proprietary -- © 2016 Device Authority
www.deviceauthority.com
Challenges Facing Security and IoT
Attack surface is expanding beyond traditional IT systems
Multiple off-ramps into untrusted networks
Enrolling a large number of devices securely and efficiently is difficult!
Edge devices become compromised as they typically have a poorly security posture
Devices can be used maliciously to attack services and cause havoc
IoT velocity and scale is challenging traditional networking and certificate
management techniques
Security is normally an after thought!Lack of standards is driving complacency
Confidential and Proprietary -- © 2016 Device Authority
What does Device Authorityprovide to deliver SecurityEnablement and Automation?
Page 5
12/1/2016
5
Confidential and Proprietary -- © 2016 Device Authority
www.deviceauthority.com
Security Enablement and Automation Solutions
Secure Device Provisioning
• Policy Based Enrolment• Dynamic Trust Anchor• Customer Security Domain
PKI Credential Management
• Secure Delivery of Keys & Certs • Encrypted Credential Store• Credential Rotation and Re-Provisioning• Automated Certificate Binding and Authorization
Policy Driven Encryption
• End to End Data Encryption (AES 256) • Dynamic Session Based Keys• Selective Field Level Encryption• Transport Independent
Security Posture
Secure OTA Updates
• Encrypted Update Package Delivery• Data Integrity Update Validation• Device Bound Authentication of
Update Nodes• Granular Policy Controls
Confidential and Proprietary -- © 2016 Device Authority
www.deviceauthority.com
Dynamic Device Key Generation
1. Dynamic Device Authentication
2. Device-derived Crypto
Device Authentication Keys are dynamically generated and
unique to each device for each authentication session
Device-derived Crypto Keys and IV’s are generated from
the dynamic device authentication process
Dynamic Device Keys are not stored on devices
or servers and are never passed over the network
Page 6
12/1/2016
6
Confidential and Proprietary -- © 2016 Device Authority
KeyScaler™ PlatformArchitecture Security
Dashboard
PolicyManagement
Device Management
AssetManagement
Reporting& Notifications
Key RotationControls
LicenseManagement
APIControls
Management Control Panel
IoT Devices& Applications
DeviceAuthentication
Policy Enforcement
Derived KeyManagement
AssetDelivery
LicenseManagement
APIServices
Device & Events Stats
Device Authority Engine (DAE)
Service AccessController
AssetRepository
System andSecurity Logs
PolicyRepository
DeviceRegistry
KMS KeyStore
Service Connectors
IoT Platform and Service Partners
DA Agent/Library
Confidential and Proprietary -- © 2016 Device Authority
www.deviceauthority.com
KeyScaler™ : Secure Certificate Delivery
Manufacturer-Independent Security Posture - Customer-specific certificates and credentials are provisioned and controlled independently from the device manufacturing process.
Automated Camera Security Management - KeyScaler enables rapid deployment and ongoing security management for surveillance cameras through automated device registration, certificate provisioning, renewing and password management.
Scalability – KeyScaler provides large-scale security automation for system integrators and customers with hundreds or thousands of cameras across multiple facilities or geographic locations.
Integrity Validation - KeyScaler provides a mechanism to check Firmware and executable verification with automated policy enforcement and alert notification. Detect changes in the edge device, which allows the customer to quarantine the device and disable network connectivity to it (DDoS Prevention).
Page 7
12/1/2016
7
Confidential and Proprietary -- © 2016 Device Authority
www.deviceauthority.com
KeyScaler: Secure Password Management and Provisioning
Device Registration
Credential Delivery(encrypted password)
DA AgentKeyScaler™ with
Certificate Management Module
1
PasswordUpdate
4
PasswordGeneration & Storage
5
2
Administrative Control Panel
Access
Automated default password change for initial camera provisioning with ongoing policy-driven password rotation
Automated Admin Password Management (Upcoming Release)
• Provisioning and management of device-specific passwords to remove vulnerabilities of manufacturer-default passwords
• Automated, policy-driven password rotation to support large-scale camera deployments
• Eliminates security vulnerabilities and large-scale manual password management required after administrator staffing changes
Confidential and Proprietary -- © 2016 Device Authority
www.deviceauthority.com
Summary
• IoT Security goes beyond the scope of a traditional IT Security System
• Security needs to be considered End to End through what ever architecture you deploy
• Attack surface should be minimized using dynamic session based crypto keys where possible
• Automate on-boarding devices at scale in a secure frictionless way
• Tailor your security posture to your requirements using policy driven, field level encryption for data at rest and in transit
• Use tools that allow you to quarantine and blacklist devices which seem untrustworthy
• Automate delivery, rotation and revocation of certificates securely when using standard PKI certs
• Support an elevated security posture for device and firmware updates
Page 8
12/1/2016
8
Confidential and Proprietary -- © 2016 Device Authority
www.deviceauthority.com
Thank you!
Contact us:
[email protected] Pre Sales Director
www.deviceauthority.com
@IoT_Dobson
http://info.deviceauthority.com/blog-da