M2M / IoT Security. Eurotech's Everyware IoT Security Elements Overview. Robert Andres


M2M / IoT Security: Eurotech's Everyware IoT Security Elements Overview. Robert Andres, 23 September 2015

The Eurotech IoT Approach: E2E Overview (layers, top to bottom)
- Application Layer: analytics, mining, enterprise applications (ERP, CRM), databases, CEP; communication infrastructure: aPaaS, SaaS, enterprise IT, big data
- Application Infrastructure Layer: M2M integration platform (M2M integration / application enablement / device and application management platform); system infrastructure: public cloud, private cloud, aggregators and on-premise platforms
- Communication Infrastructure: MQTT client, SIM card and communication infrastructure management, optimum M2M / IoT protocols
- Field Infrastructure: device HW (device, gateway, OS, security), device application framework, certifications, etc.; sensors, HMIs, actuators, etc.

M2M / IoT Security: Security Focus Points
Scope: Things, Gateways / Smart Devices, IoT / OT Platform, Application
- Communication Security: authentication (verified), encryption, message integrity, MitM protection, DNS spoofing protection
- IoT Device Security: authentication (verified), service discovery / provisioning / pairing, trusted execution environment (ESF 3.2), network security / firewall, Secure Boot
- IoT Device Cloud Security: authentication (verified), PKI / certificate management, trusted execution environment, network security / firewall, access control (role based)

Everyware Security Architecture: Foundation for IoT Security
- Device has a validated identity
- IoT platform has a validated identity
- Mutual authentication for communication
- Signed messages over an encrypted channel
- Secure execution environment (devices and IoT platform)
- Secure software management / distribution
- State-of-the-art network and system security (firewall, hardening)
- Role-based access control
- Secure management access

Everyware Cloud / EDC Security Overview: EC 4.0 Device-to-Cloud-to-Application Security Architecture
Platform components: Device Connectivity, Administration, Application Integration, Data Management, Device Management
- X.509 certificate-based authentication
- Integrated PKI / certificate management
- Regular vulnerability assessments and penetration tests
Security in the Cloud (IoT / OT Platform)
- Allowed traffic is secure and authenticated
- Secure cloud infrastructure / perimeter defense: firewalling (two firewalls in front of the broker); all inbound ports other than the HTTPS and MQTTS ports are closed
Security Access Control
- Centralized access control and user management
- Role-based access control (roles and permissions)
- Strong passwords and a user lockout policy
- Optional two-factor authentication
Data Security and Tenant Isolation
- Dedicated message brokers and topic partitioning for messaging
- Data segregation through Virtual Private Database
- Separate execution context for complex event processing

Everyware Cloud / EDC Security Overview: EC 4.0 & ESF
Securing Device to Cloud (Communication Security)
- Device authentication options: unique per-device credentials distributed by provisioning; SSL/TLS mutual authentication; DNSSEC authentication (coming soon)
- Platform-signed device management messages
- Device-initiated connections (no open ports on the device)
- Allowed traffic is secure and mutually authenticated (SSL/TLS)
- Everyware VPN service
Securing the Device
- Secure device identity
- Secure execution environment (ESF 3.2)
- Encrypted configuration storage and certificate stores
- Device-unique master password
- Remote certificate management
- Firewall
- OSGi / signed code
- Everyware VPN client
- Secure Boot (on the roadmap)
Device stack (diagram): application code / Java VM / Linux / hardware

Everyware Device Cloud - Security: An Introduction to EDC Security (Upcoming Versions of EC & ESF). Amaro, 2015

EDC Security Elements: Integrated Certificate Management / PKI
Ensures integrity, authenticity and non-repudiation of origin.
Certificate management:
- Dedicated administrative web panel
- Standard X.509 certificate format
- Certificate chain support
- Certificate validation and export functions
- Signed digest from the trusted message server over MQTT
- EDC jobs to provision, renew and revoke certificates
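The mutual authentication, PKI and revocation controls of the last three slides, put together as an added example in Go. This is not Eurotech code (EC and ESF are Java/OSGi, and their internals are not shown on these slides): the in-memory CA, the serial-number revocation set and the broker- and device-side tls.Config values are assumptions made for the example. A real deployment keeps the CA key inside the platform's certificate-management service and hands the device its certificate at provisioning.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial counter; a real CA uses random serials

// issueCert returns a P-256 key and an X.509 certificate for cn. With parent == nil the
// certificate is self-signed (a CA); otherwise it is signed by parent/parentKey.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Revoked is the broker's copy of the revocation list that the platform's certificate jobs
// maintain (constructed here as an in-memory set of serial numbers).
type Revoked map[string]bool

func (r Revoked) Add(c *x509.Certificate) { r[c.SerialNumber.String()] = true }

// authenticateDevice is the check the broker runs on a presented client chain: it must chain
// to the fleet CA, be valid now, carry the clientAuth usage and not be revoked. It returns
// the device identity (the certificate CN) on success.
func authenticateDevice(rawCerts [][]byte, roots *x509.CertPool, revoked Revoked) (string, error) {
	if len(rawCerts) == 0 {
		return "", errors.New("no client certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return "", err
	}
	inter := x509.NewCertPool()
	for _, raw := range rawCerts[1:] { // any intermediates the device sent along
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return "", err
		}
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("device chain rejected: %w", err)
	}
	if revoked[leaf.SerialNumber.String()] {
		return "", fmt.Errorf("certificate %s for %q is revoked", leaf.SerialNumber, leaf.Subject.CommonName)
	}
	return leaf.Subject.CommonName, nil
}

// brokerTLSConfig is the server side of "allowed traffic is secure and mutually authenticated":
// RequireAndVerifyClientCert makes the TLS stack reject any device without a certificate
// chaining to roots, and VerifyPeerCertificate adds the revocation check on top.
func brokerTLSConfig(cert *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool, revoked Revoked) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientCAs:    roots,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			_, err := authenticateDevice(rawCerts, roots, revoked)
			return err
		},
	}
}

// deviceTLSConfig is the device side: RootCAs pins the platform CA and ServerName turns on
// hostname verification, which is what defeats a MitM holding some other valid certificate.
func deviceTLSConfig(cert *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool, brokerHost string) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		RootCAs:      roots,
		ServerName:   brokerHost,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
	}
}
```

Revocation is the piece that turns "can you revoke certificates and therefore devices?" into a yes: the TLS stack only answers "does this chain to my CA?", so the revocation lookup has to be wired in explicitly (here through VerifyPeerCertificate) and refreshed from the platform's certificate jobs.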

EDC Security Elements: Secure Messaging / MQTT
- All MQTT traffic is encrypted over an SSL/TLS connection.
- Data messages are serialized with a defined encoding before transmission, and the receiver (subscriber) deserializes them with the same encoding. This is an interoperability requirement rather than a security control: confidentiality and integrity come from the TLS channel and from the signatures, not from the serialization format.
- Device management messages published by EC are signed to guarantee authenticity and message integrity.
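How a platform-signed device-management message can be produced on the platform and checked on the device, as an added example in Go. It is not the EC/ESF implementation: the envelope layout, the topic name and the per-topic sequence number are this example's assumptions. The sequence number goes one step beyond what the slide lists: a signature proves origin and integrity, but only a freshness check stops a captured, genuinely signed command from being delivered a second time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the serialized (JSON) form a control message takes on the wire. The layout is
// constructed for this example; the page does not show the real EC message format.
type Envelope struct {
	Topic   string `json:"topic"`
	Seq     uint64 `json:"seq"`     // strictly increasing per topic, so an old signed command cannot be replayed
	Payload []byte `json:"payload"` // raw bytes (base64 in JSON), so serialization cannot alter what was signed
	Sig     string `json:"sig"`     // base64 ASN.1 ECDSA-P256/SHA-256 over digest(topic, seq, payload)
}

// NewPlatformKey generates the platform signing key (constructed; the real one lives in the PKI).
func NewPlatformKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digest binds topic, sequence number and payload together, so a valid signature cannot be
// moved to another topic or attached to a different payload.
func digest(topic string, seq uint64, payload []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s:%d:", len(topic), topic, seq) // length-prefixed: no ambiguity between fields
	h.Write(payload)
	return h.Sum(nil)
}

// SignMessage is the platform side: serialize, then sign the digest with the platform key.
func SignMessage(key *ecdsa.PrivateKey, topic string, seq uint64, payload []byte) ([]byte, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(topic, seq, payload))
	if err != nil {
		return nil, err
	}
	return json.Marshal(Envelope{Topic: topic, Seq: seq, Payload: payload, Sig: base64.StdEncoding.EncodeToString(sig)})
}

// Verifier is the device side: the platform public key it trusts (in practice taken from the
// platform certificate in the device key store) and the last accepted sequence per topic.
type Verifier struct {
	pub     *ecdsa.PublicKey
	lastSeq map[string]uint64
}

func NewVerifier(pub *ecdsa.PublicKey) *Verifier {
	return &Verifier{pub: pub, lastSeq: map[string]uint64{}}
}

// Accept deserializes the envelope and returns the payload only if the signature verifies
// under the platform key and the sequence number is fresh. Deserializing proves nothing by
// itself; the bytes stay untrusted until VerifyASN1 succeeds.
func (v *Verifier) Accept(wire []byte) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(wire, &env); err != nil {
		return nil, fmt.Errorf("malformed envelope: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(env.Sig)
	if err != nil {
		return nil, fmt.Errorf("malformed signature: %w", err)
	}
	if !ecdsa.VerifyASN1(v.pub, digest(env.Topic, env.Seq, env.Payload), sig) {
		return nil, errors.New("signature invalid: not from the platform or modified in transit")
	}
	if env.Seq <= v.lastSeq[env.Topic] {
		return nil, fmt.Errorf("replayed or stale message: seq %d <= last %d", env.Seq, v.lastSeq[env.Topic])
	}
	v.lastSeq[env.Topic] = env.Seq
	return env.Payload, nil
}

func main() {
	platformKey, _ := NewPlatformKey()
	topic := "tenant-a/device-0001/mgmt/deploy" // constructed topic, not the EC topic namespace
	wire, _ := SignMessage(platformKey, topic, 1, []byte(`{"package":"app-1.2.dp"}`))
	dev := NewVerifier(&platformKey.PublicKey)
	for i := 0; i < 2; i++ { // the second delivery of the same message is a replay
		p, err := dev.Accept(wire)
		fmt.Printf("delivery %d: payload=%s err=%v\n", i+1, p, err)
	}
}
```

The signature is computed over the raw payload bytes rather than over the JSON text, which is why Payload is carried as bytes: a re-serialization that reorders keys or strips whitespace would otherwise break a perfectly genuine signature.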

EDC Security Elements: Tenant Segregation
- Secure multi-tenant implementation
- At the MQTT broker, broker data and traffic are segregated between accounts using virtual machine segregation
- All data (telemetry, device events, ...) are archived in a Big Data (NoSQL) database and kept isolated through a Virtual Private Database

EDC Security Elements: Console Access
- Access to the console over encrypted HTTPS only
- Enforced strong passwords (12-character complex password)
- Passwords are stored only as a one-way hash, never in recoverable form
- Configurable lock-out policy per account
- Option: two-factor authentication based on a one-time password (enrolled through a QR code on the mobile phone) in addition to username and password
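The four console controls on this slide, written out as an added example in Go (not the EC console code). The 12-character minimum is the slide's; requiring all four character classes, the PBKDF2 parameters, the lockout thresholds and the one-step TOTP skew window are this example's assumptions. PBKDF2 is spelled out only to stay within the standard library; bcrypt, scrypt or Argon2 would be the usual production choice.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
	"unicode"
)

// CheckPasswordPolicy enforces the slide's 12-character minimum; requiring all four character
// classes is this example's reading of "complex".
func CheckPasswordPolicy(pw string) error {
	if len([]rune(pw)) < 12 {
		return errors.New("password must be at least 12 characters")
	}
	var upper, lower, digit, symbol bool
	for _, r := range pw {
		upper = upper || unicode.IsUpper(r)
		lower = lower || unicode.IsLower(r)
		digit = digit || unicode.IsDigit(r)
		symbol = symbol || unicode.IsPunct(r) || unicode.IsSymbol(r)
	}
	if !(upper && lower && digit && symbol) {
		return errors.New("password needs upper-case, lower-case, digit and symbol characters")
	}
	return nil
}

// pbkdf2SHA256 (RFC 8018) turns a password into a salted, slow, one-way hash.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U_i = PRF(password, U_{i-1}); T = U_1 xor ... xor U_iter
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// StoredPassword is what the user database holds: never the plaintext.
type StoredPassword struct {
	Salt, Hash []byte
	Iter       int
}

func HashPassword(pw string) (StoredPassword, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	return StoredPassword{Salt: salt, Hash: pbkdf2SHA256([]byte(pw), salt, 100000, 32), Iter: 100000}, nil
}

func (s StoredPassword) Matches(pw string) bool {
	return subtle.ConstantTimeCompare(s.Hash, pbkdf2SHA256([]byte(pw), s.Salt, s.Iter, len(s.Hash))) == 1
}

// Lockout is a per-account policy: MaxFailures consecutive failures lock the account for LockFor.
type Lockout struct {
	MaxFailures int
	LockFor     time.Duration
	failures    map[string]int
	lockedUntil map[string]time.Time
}

func NewLockout(maxFailures int, lockFor time.Duration) *Lockout {
	return &Lockout{MaxFailures: maxFailures, LockFor: lockFor, failures: map[string]int{}, lockedUntil: map[string]time.Time{}}
}

func (l *Lockout) Locked(user string, now time.Time) bool { return now.Before(l.lockedUntil[user]) }

// Record notes the outcome of one login attempt for user.
func (l *Lockout) Record(user string, now time.Time, success bool) {
	if success {
		delete(l.failures, user)
		return
	}
	l.failures[user]++
	if l.failures[user] >= l.MaxFailures {
		l.lockedUntil[user], l.failures[user] = now.Add(l.LockFor), 0
	}
}

// TOTP (RFC 6238, HMAC-SHA1) is the one-time password behind the QR code: the code carries
// secret, and both sides derive the same digits from the current time step.
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// VerifyTOTP allows one 30-second step of clock skew either way and compares in constant time.
func VerifyTOTP(secret []byte, code string, now int64) bool {
	for _, skew := range []int64{-30, 0, 30} {
		if subtle.ConstantTimeCompare([]byte(TOTP(secret, now+skew, 30, 6)), []byte(code)) == 1 {
			return true
		}
	}
	return false
}
```

The lockout keeps its state per account and is reset by a successful login, so an attacker who knows one user's name cannot lock a different user out, and a legitimate user is not punished for a single typo.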

EDC Security Elements: Secure Programmable Interfaces
- Programmable interfaces (REST API, WebSockets) are available exclusively over an encrypted HTTPS connection

EDC Security Elements: Firewall Protection and Reduced Attack Footprint
- The MQTT connection is always initiated by the gateway and is kept open. The session starts as an outbound MQTT connection from the local area network, possibly from behind a firewall, towards Everyware Cloud, so no inbound port needs to be opened on the device side.
- At all points only a minimal number of ports are open (MQTT, HTTPS, SSL, VPN).
- All databases in Everyware Cloud are shielded from external access by strict firewall rules and are reachable only from the mid-tier machines.
- Devices are firewall protected.
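One way to verify the "no open ports on the device" claim on a Linux gateway is to read /proc/net/tcp and flag every listener bound to a non-loopback address. The following audit is an added example in Go (not an ESF or EC tool); the /proc/net/tcp sample is constructed, and the allow-list semantics are this example's own. It handles IPv4 only; /proc/net/tcp6 has the same layout with 32-hex-digit addresses.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Socket is one row of /proc/net/tcp reduced to what the audit needs.
type Socket struct {
	LocalIP   string
	LocalPort int
	State     string // "LISTEN", "ESTABLISHED", or the raw hex state for anything else
}

var tcpStates = map[string]string{"01": "ESTABLISHED", "0A": "LISTEN"}

// parseAddr decodes the kernel's "HEXIP:HEXPORT" form; the IPv4 address is little-endian.
func parseAddr(s string) (string, int, error) {
	ipHex, portHex, ok := strings.Cut(s, ":")
	if !ok || len(ipHex) != 8 {
		return "", 0, fmt.Errorf("unexpected address %q", s)
	}
	b, err := hex.DecodeString(ipHex)
	if err != nil {
		return "", 0, err
	}
	port, err := strconv.ParseUint(portHex, 16, 16)
	if err != nil {
		return "", 0, err
	}
	return fmt.Sprintf("%d.%d.%d.%d", b[3], b[2], b[1], b[0]), int(port), nil
}

// ParseProcNetTCP parses the text of /proc/net/tcp, header line included.
func ParseProcNetTCP(text string) ([]Socket, error) {
	var socks []Socket
	for i, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if i == 0 || len(f) < 4 { // header row or blank line
			continue
		}
		ip, port, err := parseAddr(f[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i, err)
		}
		state, ok := tcpStates[f[3]]
		if !ok {
			state = f[3]
		}
		socks = append(socks, Socket{LocalIP: ip, LocalPort: port, State: state})
	}
	return socks, nil
}

// ExposedListeners returns sockets that accept connections from the network: listening, bound
// to something other than loopback, and not on the allow-list. For a device that only makes
// outbound MQTT and VPN connections the allow-list is empty and this should return nothing.
func ExposedListeners(socks []Socket, allowed map[int]bool) []Socket {
	var out []Socket
	for _, s := range socks {
		if s.State == "LISTEN" && !strings.HasPrefix(s.LocalIP, "127.") && !allowed[s.LocalPort] {
			out = append(out, s)
		}
	}
	return out
}

// Constructed sample: sshd on all interfaces, a loopback-only web UI on 8080, the
// device-initiated MQTT session to the broker on 8883, and a stray HTTP listener on 0.0.0.0:80.
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1021 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1840 1 0000000000000000 100 0 0 10 0
   2: 0A01A8C0:B4C2 2B2A1F5E:22B3 01 00000000:00000000 02:00000A3C 00000000  1000        0 2377 2 0000000000000000 20 4 30 10 -1
   3: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2511 1 0000000000000000 100 0 0 10 0`

func main() {
	socks, err := ParseProcNetTCP(sampleProcNetTCP)
	if err != nil {
		panic(err)
	}
	for _, s := range ExposedListeners(socks, map[int]bool{}) {
		fmt.Printf("FINDING: %s:%d accepts connections from the network\n", s.LocalIP, s.LocalPort)
	}
}
```

On the sample the established socket to port 8883 is the outbound MQTT session and is not a finding; the two listeners on 0.0.0.0 are, unless SSH is deliberately reachable only through the VPN and is placed on the allow-list for that reason.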

EDC Security Elements: Secure Execution Environment (Device, ESF 3.2)
OSGi security: signed bundle checks (integrity, authenticity)
ESF Security Manager:
- Environment integrity checks
- Environment hardening
- Allowed JAR signatures
- Allowed bundle access
- Device-unique master password (code obfuscation, string encryption)
- Encrypted configuration storage
- SSL mutual authentication
- Device management checks (integrity, authenticity)
- Remote certificate management

EDC Security Elements: ESF Security Manager Overview (diagram)
Stack, top to bottom: application; ESF bundles; ESF security (ESF SSL Manager, ESF Certificate Manager, ESF Security Manager); OSGi; Java SE Embedded.
Stores: JKS and ESF JKS for SSL; encrypted configuration snapshots.
The diagram annotates the same controls as the previous slide: OSGi signed bundle checks (integrity, authenticity) and the ESF Security Manager items (environment integrity checks, environment hardening, allowed JAR signatures, allowed bundle access, device-unique master password with code obfuscation and string encryption, encrypted configuration storage, SSL mutual authentication, device management checks for integrity and authenticity, remote certificate management).

EDC Security Elements: Remote Management / VPN
- Secure, administrator-initiated, transparent IP connection between remote systems and devices in the field
- Gateways behind firewalls can be reached
- IP addressing conflicts do not prevent or complicate the establishment of connections
- The already established MQTT channel is used to trigger the VPN connection from the remote device (OpenVPN, soon IPsec)

EDC Security Elements: Auditing / Penetration Testing
- Eurotech regularly performs vulnerability assessments (e.g. code injection, cross-site request forgery, credential theft) covering network/host and applications.
- Eurotech ensures that internal and external vulnerability scanning is conducted periodically and after any major change to the environment.

Thank You! www.eurotech.com

M2M / IoT Security: Device Security Questions
- Does the device have a unique ID and credentials?
- Does the device have a secure initialization and pairing mechanism?
- Does the device have a secure boot mechanism?
- Is the device closed from a network perspective?
- Does the device have a trusted execution environment?
- Is the device upgradable over-the-air?
- Is the device / local network accessible to anyone?

M2M / IoT Security: Communication Security Questions
- Is the communication encrypted?
- Are the messages signed to protect integrity?
- Do the communication nodes have a unique ID and credentials?
- Are the communication nodes closed / secured from a network perspective?

M2M / IoT Security: IoT Device Cloud Security Questions
- Is the IoT platform closed / secured from a network perspective?
- Does the IoT platform have a trusted execution environment?
- Are you using PKI for key and certificate management?
- Is it easy to perform a scheduled key rollover?
- Can you revoke certificates, and therefore devices?
- Is the device allowed / authenticated to connect?
- Is the application allowed / authenticated to connect?
- Do you have a strong credential policy for users?