2-625.mix.pptx

Azure IoT Security

Created 2 years ago

Duration 1:00:34

Slide Content
  1. Clemens Vasters

    • Lead Architect, Azure IoT Services, @clemensv
    • Azure IoT Security
    • 2-625
  3. Connected Things and the IoT

    • Inventory – What We Already Know
    • Security and Privacy Principles
    • Azure IoT Services
    • Outlook and Roadmap
    • Agenda
  4. Slide 4

    • Internet
    • ISP
    • (Mobile) Network Operators
    • Personal Environment and Networks
    • Connected Things
    • Device
    • Device
    • Device
    • Device
    • Field Gateway
    • Cloud Systems
    • Device
    • Cloud Gateway
    • Device
    • Local Interaction
    • MNO Gateway
    • Cloud Portals and APIs
    • Mobile & Web Interaction
    • Control System
    • Analytics
    • Data Management
    • Watches, Glasses, Work Tools, Hearing Aids, Robotic Assistance, …
    • Homes, Vehicles, Vessels, Factories, Farms, Oil Platforms, …
    • Vehicle Fleets, Sea Vessels, LV Smart Grids, Cattle, …
    • Local Gateway
    • Local Portals and APIs
    • Control System
    • Analytics
    • Data Management
  5. Slide 5

    • Electricity Distribution
    • Gas Distribution
    • Patient Tracking
    • Mobile Care
    • Safety Management
    • Climate Control
    • Lighting
    • Energy Management
    • Drinking Water
    • Waste Water
    • Pollution Control
    • Fire Protection
    • Medical Emergency
    • Public Order
    • Energy
    • Toll Collection
    • Traffic Flow
    • Air Traffic Control
    • Bus/Tram/Train
    • Traffic Alerts
    • Street Quality
    • Mobility
    • City
    • Health
    • Buildings
    • IoT Enabled Infrastructure
    • Flood Control
    • Solid Waste
    • Air Quality
    • Lifts and Escalators
    • Signage
    • Water
    • Wind/Solar/Geothermal
    • Fuel Distribution
    • Power Plants
    • Nuclear Waste
    • Oil/Gas Production
    • Coal Mining
    • OR Equipment
    • Vital Monitoring
    • Implants
    • Disability Aids
    • Lab Equipment
    • Radiology Equipment
    • Rule Enforcement
    • Airports
    • Taxi
    • Diabetes
  6. Many IoT solutions control critical operations at the core of industrial and civil infrastructure. Digital security will be increasingly interwoven with physical safety of life and equipment.

  7. Many IoT solutions will provide very deep and near-real-time insight into industrial and business processes, as well as into homes and the immediate personal environment. Privacy matters.

  8. Best Practice: IT and OT engineers collaborate in making “cyberphysical” systems safe and secure.

    • What Do We Already Know?
    • OT engineers know how to make physical things safe and secure
    • Standards, Procedures, Training, Continuous Improvement
    • Physical access management
    • Hazard and Risk Analysis
    • Monitoring and Maintenance
    • Fail Safe and Safety Equipment
    • IT engineers know how to make digital things secure.
    • Secure Development Lifecycle
    • Secure Network Technologies
    • Threat & Vulnerability Mitigation
    • Monitoring and Alerting
    • Software/Firmware Auto-Updates
    • Privacy Models
  9. Security Development Lifecycle & Operational Security Assurance

    • Network and Identity Isolation
    • Vulnerability / Update Management
    • Least Privilege / Just-in-Time (JIT) Access
    • Respond
    • Protect
    • Auditing and Certification
    • Live Site Penetration Testing
    • Fraud and Abuse Detection
    • Centralized Logging and Monitoring
    • Detect
    • Breach Containment
    • Coordinated Security Response
    • Customer Notification
    • Microsoft Cloud Security Principles
  10. http://microsoft.com/sdl

    • Development process for creating (and running) secure software as practiced at Microsoft
    • Secure Development Lifecycle
  11. Policies, Procedures, Guidance

    • Defense in Depth
    • Cloud
    • Field Gateways
    • Devices
    • Physical
    • Global Network
    • Identity and Access Control
    • Application
    • Data
    • Physical
    • Physical
    • Local Network
    • Local Network
    • Edge
    • Application
    • Data
    • Data
    • Host
    • Host
    • Host
    • Data Privacy Protection and Controls
    • People and Device Identity Federation, Data Attestation
    • Trustworthy Platform Hardware, Signed Firmware, Secure Boot/Load
    • Secure Networks, Transport and Application Protocols, Segmentation
    • Tamper/Intrusion Detection Physical Access Security
  12. Where things get tricky…

  13. IoT Sweet Spot

    • $1000 PCs
    • $400 Phones
    • IoT capabilities are primarily value-add to other primary capabilities
    • How much computer, storage, and networking circuitry can you add to the BOM for a $40-range retail product for that value-add?
    • Tiny devices make awfully vulnerable network servers
    • Capability constrained devices
    • Cost
    • Computational Capabilities
    • Memory/Storage Capacity
    • Energy Consumption/Source
    • $1 Sensor
    • $10000 Server
    • Component Quality
  14. Factories and other industrial and utility environments are “brown-field”

    • Production lines and facilities represent very significant capital investments
    • Iterative technology deployment and upgrades
    • Re-fit of existing (sometimes decades old) equipment with tech add-ons
    • Buildings and homes are too
    • Entertainment systems (TV, A/V receivers, set-top boxes, Blu-ray players)
    • Comfort and sanitation systems (Heaters, A/C, Water, Gas, Thermostats)
    • Kitchen appliances
    • Security systems
    • IoT solutions must often integrate into environments with devices designed and deployed a decade or more apart
    • Not everything is “green-field”
  15. Network Security modeled after physical access security

    • Segregated networks. Well-defined gates.
    • Access control at the network/gateway level.
    • Network access sufficient to access assets.
    • Legacy Network Design Attitude Reality
    • Device
    • Device
    • Device
    • Device
    • Local Interaction
    • Local Gateway
    • Local Portals and APIs
    • Control System
    • Analytics
    • Data Management
    • AuthN/Z
  16. Slide 16

    • PLC
    • VPN
    • LAN
    • LAN
    • Legacy Remote Access Practices
  17. Threats?

    • Service Desk
    • Machine Control Logic
    • Operator
    • Configuration
    • S,R
    • T,I,D
    • T,I,D
    • T,I,D
    • T,I,D
    • T,I,D
    • T,I,D
    • S,T,R,I,D,E
    • S,T,R,I,D,E
    • T,R,I,D
    • Spoofing
    • Tampering
    • Repudiation
    • Information Disclosure
    • Denial of Service
    • Elevation of Privilege
    • PLC
  18. What do the boxes help with?

    • Service Desk
    • Machine Control Logic
    • Operator
    • Configuration
    • T,I
    • T,I
    • Spoofing
    • Tampering
    • Repudiation
    • Information Disclosure
    • Denial of Service
    • Elevation of Privilege
    • … and they even broaden the attack surface area by fusing the networks
    • Not a whole lot …
  19. What do the boxes really nicely help with?

    • Service Desk
    • Machine Control Logic
    • Operator
    • Configuration
    • T,I
    • T,I
    • 1. Pwn This
    • 2. Pwn That
  20. Slide 20

    • We’ve also seen this in vehicle telematics
    • Vehicle
    • Diagnostics
    • Entertainment
    • Control
    • CAN BUS / “Telematics Box”
    • VPN Gateway
    • ERP
    • CRM
    • Fleet, Vehicle, and Driver Solutions
    • MNO Private APN
    • Public APN
    • Vehicle
    • Vehicle
    • Vehicle
    • Vehicle
    • Own one, own them all
    • More issues:
    • + Addressing and Discovery + Temporal Coupling
  21. Authentication Credentials Management

    • Authorization Policy Management
    • Denial of Service
    • Intrusion Detection
    • Auditing
    • Monitoring
    • Alerting
    • Defense Strategies
    • Will you defend a million tiny, underpowered, public network servers that must triage unsolicited traffic?
    • Or do you think they could use some help with defense?
  22. Slide 22

    • Service Assisted Communication (SAC)
    • (CG)NAT / Firewall / Router
    • Isolated Network
    • Service Gateway
    • Client
    • Port Mapping is automatic, outbound
    • Device does not actively listen for unsolicited traffic
    • No inbound ports open, attack surface is minimized
    • Public address, full and well defendable server platform
    • Q
    • Q
    • Device Identity Registry/Directory
    • Connections are device-initiated and outbound
    • Non-IP
    • Field Gateway
    • Access Control Policies
  23. Slide 23

    • Service Assisted Communication “Peer to Peer”
    • (CG)NAT / Firewall / Router
    • Mobile Cell
    • Service Gateway
    • Q
    • Q
    • (CG)NAT Router
    • Mobile Cell
    • Temporal Decoupling, Logical Addressing
    • Device Authentication
    • Authorization (Access Policy Enforcement)
    • DoS Defense
    • Application Layer Integration (vs. Link/Network)
    • Mobile Backend
  24. Slide 24

    • SAC - Trust Brokerage for Nomadic Devices
    • Trust
    • Device Identity Registry/Directory, Access Policies
    • “Resident Devices”
    • “Nomadic Devices”
    • Berlin
    • 2
    • Tokens
    • Local Networking Scope
    • Cloud Scope
    • Token expresses current membership of the device in the solution context.
    • Asymmetrically signed by directory. Cacheable. Expires periodically.
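The trust brokerage described on this slide, as an added example that is not code from the talk or from Azure IoT Hub: the device identity directory issues a short-lived membership token, signs it with its private key, and a service gateway or local gateway admits a nomadic device by checking that token against a cached copy of the directory's public key only. The claim names, the Ed25519 signature scheme and the "claims.signature" base64url encoding are assumptions of this example, not a documented wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// MembershipClaims is the token payload. The field set is an assumption for this
// example; the slide only says the token expresses the device's current membership
// in the solution context and expires periodically.
type MembershipClaims struct {
	DeviceID string `json:"dev"`
	Solution string `json:"sol"` // solution context the device is currently a member of
	IssuedAt int64  `json:"iat"` // Unix seconds
	Expires  int64  `json:"exp"` // Unix seconds; invalid at or after this time
}

// Directory stands in for the device identity registry/directory. It is the only
// party holding the signing key; every gateway holds just the public half.
type Directory struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewDirectory() (*Directory, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Directory{priv: priv, Pub: pub}, nil
}

// Issue signs the claims and returns "base64url(claims).base64url(signature)".
func (d *Directory) Issue(c MembershipClaims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(ed25519.Sign(d.priv, body)), nil
}

// Verify is the check a gateway performs when a device presents its token. It needs
// nothing but the cached directory public key, so it works while the directory is
// unreachable, and a device removed from the solution is locked out once its last
// token expires. Nothing inside the claims is trusted until the signature passes.
func Verify(dirPub ed25519.PublicKey, solution, token string, now time.Time) (*MembershipClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad claims encoding: %w", err)
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	if !ed25519.Verify(dirPub, body, sig) {
		return nil, errors.New("signature invalid: not issued by the directory")
	}
	var c MembershipClaims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, fmt.Errorf("bad claims: %w", err)
	}
	if c.Solution != solution {
		return nil, errors.New("token is for a different solution context")
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	dir, err := NewDirectory()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample: a vehicle admitted to the "fleet-berlin" solution for one hour.
	tok, _ := dir.Issue(MembershipClaims{DeviceID: "vehicle-0042", Solution: "fleet-berlin",
		IssuedAt: now.Unix(), Expires: now.Add(time.Hour).Unix()})
	if c, err := Verify(dir.Pub, "fleet-berlin", tok, now); err == nil {
		fmt.Println("admitted:", c.DeviceID)
	}
	if _, err := Verify(dir.Pub, "fleet-berlin", tok, now.Add(2*time.Hour)); err != nil {
		fmt.Println("two hours later:", err)
	}
}
```

The order of checks matters: signature, then solution scope, then expiry, so a forged or foreign token never influences any decision. The "cacheable" property on the slide falls out of the design: the gateway caches the directory public key, not the tokens, and the expiry bounds how long a revoked device can still be admitted.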
  25. Vehicle Telematics

    • Datacenter (“Cloud”)
    • Vehicle
    • Diagnostics
    • Entertainment
    • Control
    • CAN BUS / “Telematics Box”
    • Telematics Gateway
    • ERP
    • CRM
    • Fleet, Vehicle, and Driver Solutions
    • Control
    • Value-Add Services, Analysis and Optimization
    • Servicing
    • Hard real-time
    • Near real-time
    • AMQP 1.0 Link, Bi-Directional, Secure
    • Reliable Transfer, Application Level
    • No Peer Exposure
  26. Slide 26

    • Industrial Automation
    • Device
    • Device
    • Device
    • Device
    • OPC UA Gateway
    • Cloud Systems
    • Cloud Gateway
    • Cloud Portals and APIs
    • Control System
    • Analytics
    • Data Management
    • Local Gateway
    • Local Portals and APIs
    • Control System
    • Analytics
    • Data Management
    • AMQP
    • OPC/TCP & Fieldbuses
    • AMQP 1.0 Link, Bi-Directional, Secure
    • Reliable Transfer, Application Level
    • No Inbound Ports
  27. Roadmap

  28. Roadmap

  29. Device Identities. Device Management. Hyper Scale.

    • 100
    • 10,000
    • 1,000,000
    • Makers. Prototypes. Hackathons.
    • “Enterprise Scale”
    • Consumer Products
  30. Azure IoT Hub

  31. HTTPS / AMQPS

    • Azure IoT Hub
    • IoT Hub
    • Up to 10M Devices per Hub
    • Identity Registry
    • Device Management
    • Provisioning
    • IoT Hub Gateway (HTTPS, AMQPS)
    • Data and Command Flow
    • Per-device command queues
    • Event Hub
    • Self-Hosted Gateway (MQTT, Custom)
    • Field Gateway (OPC UA, CoAP, AllJoyn, …)
    • Cloud
    • Field
    • M
    • M
    • M
    • APIs
    • OSS Device Agents
    • Management
    • Communication
    • Provisioning
  32. HTTPS / AMQPS

    • Azure IoT Hub
    • IoT Hub
    • Identity Registry
    • Device Management
    • Provisioning
    • IoT Hub Gateway (HTTPS, AMQPS)
    • Data and Command Flow
    • Per-device command queues
    • Event Hub
    • Self-Hosted Gateway (MQTT, Custom)
    • Field Gateway (OPC UA, CoAP, AllJoyn, …)
    • M
    • M
    • M
    • APIs
    • OSS Device Agents
    • Management
    • Communication
    • Provisioning
    • Hyper-Scale Identity Registry for millions of devices per IoT Hub
    • Can federate identity with and via Azure Active Directory
  33. HTTPS / AMQPS

    • Azure IoT Hub
    • IoT Hub
    • Identity Registry
    • Device Management
    • Provisioning
    • IoT Hub Gateway (HTTPS, AMQPS)
    • Data and Command Flow
    • Per-device command queues
    • Event Hub
    • Self-Hosted Gateway (MQTT, Custom)
    • Field Gateway (OPC UA, CoAP, AllJoyn, …)
    • M
    • M
    • M
    • APIs
    • OSS Device Agents
    • Management
    • Communication
    • Provisioning
    • Native support for Service Assisted Communication model, potentially holding millions of concurrent bi-directional connections.
    • AMQP 1.0 (with WebSockets), HTTP/2
    • Secure by Principle.
    • IoT Hub does not permit insecure connections. TLS is always enforced.
    • TLS/X509 initially; TLS/PSK & TLS/RPK on roadmap for compute-constrained devices and bandwidth limited or expensive metered links.
  34. HTTPS / AMQPS

    • Azure IoT Hub
    • IoT Hub
    • Identity Registry
    • Device Management
    • Provisioning
    • IoT Hub Gateway (HTTPS, AMQPS)
    • Data and Command Flow
    • Per-device command queues
    • Event Hub
    • Self-Hosted Gateway (MQTT, Custom)
    • Field Gateway (OPC UA, CoAP, AllJoyn, …)
    • M
    • M
    • M
    • APIs
    • OSS Device Agents
    • Management
    • Communication
    • Provisioning
    • Channel-level authentication and authorization against the gateway
    • Validation of signatures against identity registry and blacklists (for signature tokens)
    • All messages are tagged with their originator on the service side, allowing detection of in-payload origin spoofing attempts
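The service-side originator tag from the last bullet, as an added example that is not code from the talk or from the IoT Hub service: the gateway stamps every message with the identity proven at channel authentication, and a downstream consumer attributes the message to that stamp while comparing it against whatever identity the payload claims for itself. The `Envelope` type, the `deviceId` payload field and the sample messages are constructed assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Envelope is what the gateway hands downstream. Originator is set by the service
// from the authenticated channel and is never copied from anything the device sent.
type Envelope struct {
	Originator string          // identity proven at channel authentication
	Payload    json.RawMessage // device-supplied body; untrusted
}

// Tag is the gateway step: stamp the message with the channel identity, untouched.
func Tag(channelDeviceID string, payload []byte) Envelope {
	return Envelope{Originator: channelDeviceID, Payload: json.RawMessage(payload)}
}

// telemetry is the application payload schema assumed for this example. The device
// may embed its own "deviceId" claim, which is exactly the field a compromised or
// misconfigured device could falsify.
type telemetry struct {
	DeviceID string  `json:"deviceId"`
	Temp     float64 `json:"temp"`
}

// Verdict records what a consumer should act on (Originator) and what it saw.
type Verdict struct {
	Originator string
	Claimed    string // empty when the payload carries no claim
	Spoofed    bool   // a claim is present and disagrees with the service tag
}

// CheckOrigin compares the in-payload claim against the service-side tag. The
// verdict attributes the message to the tag either way; the mismatch is surfaced
// so it can be alerted on instead of silently trusting the payload.
func CheckOrigin(e Envelope) (Verdict, error) {
	var t telemetry
	if err := json.Unmarshal(e.Payload, &t); err != nil {
		return Verdict{}, fmt.Errorf("payload not parseable: %w", err)
	}
	v := Verdict{Originator: e.Originator, Claimed: t.DeviceID}
	v.Spoofed = t.DeviceID != "" && t.DeviceID != e.Originator
	return v, nil
}

// sampleMessages are constructed for this example: (authenticated channel, payload).
var sampleMessages = []struct {
	Channel string
	Payload string
}{
	{"sensor-001", `{"deviceId":"sensor-001","temp":21.5}`}, // honest claim
	{"sensor-001", `{"temp":21.7}`},                         // no claim at all
	{"sensor-001", `{"deviceId":"sensor-007","temp":99.0}`}, // claims to be another device
}

// ScanSamples returns one line per message flagged as an origin spoofing attempt;
// a detection rule would raise an alert on each.
func ScanSamples() ([]string, error) {
	var flagged []string
	for _, m := range sampleMessages {
		v, err := CheckOrigin(Tag(m.Channel, []byte(m.Payload)))
		if err != nil {
			return nil, err
		}
		if v.Spoofed {
			flagged = append(flagged, fmt.Sprintf("%s claimed %s", v.Originator, v.Claimed))
		}
	}
	return flagged, nil
}

func main() {
	flagged, err := ScanSamples()
	if err != nil {
		panic(err)
	}
	for _, f := range flagged {
		fmt.Println("origin spoofing attempt:", f)
	}
}
```

The point of the pattern is that attribution never depends on the payload: analytics and control logic key on `Originator`, and the payload claim is only ever an input to detection. In the real service this tag is the `iothub-connection-device-id` system property that IoT Hub attaches to each device-to-cloud message.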
  35. HTTPS / AMQPS

    • Azure IoT Hub
    • IoT Hub
    • Identity Registry
    • Device Management
    • Provisioning
    • IoT Hub Gateway (HTTPS, AMQPS)
    • Data and Command Flow
    • Per-device command queues
    • Event Hub
    • Self-Hosted Gateway (MQTT, Custom)
    • Field Gateway (OPC UA, CoAP, AllJoyn, …)
    • M
    • M
    • M
    • APIs
    • OSS Device Agents
    • Management
    • Communication
    • Provisioning
    • Device management foundation capabilities for device state inventory and update delivery
  36. Roadmap

  37. Policies, Procedures, Guidance

    • IoT Challenges
    • Cost pressure on device hardware
    • Cheap sensors
    • Weak/no crypto
    • Source of randomness
    • Analog Gap
    • Manipulations difficult to detect
    • Insecure Platforms
    • Tiny Real-Time Operating Systems
    • Legacy Protocols
    • Cloud
    • Field Gateways
    • Devices
    • Physical
    • Global Network
    • Identity and Access Control
    • Application
    • Data
    • Physical
    • Physical
    • Local Network
    • Local Network
    • Edge
    • Application
    • Data
    • Data
    • Host
    • Host
    • Host
  38. What can we do architecturally?

    • Service Assisted Communication
    • Reduce the attack surface area for system and devices
    • Only accept commands to the device from a “trusted source”
    • Enforce secure channel
    • Machine Identity and Access Authorization
    • Who is part of a system and gets to submit data?
    • Authorize the sender
    • Data Streams and Processing Authorization
    • Which data gets sent and who is authorized to process which data?
    • Authorize the receiver
    • Data Plausibility and Flow Authorization
    • What is the data quality and how plausible is it considering the system context? Is it plausible enough to permit it flowing further into the system and for it to influence decisions?
    • Authorize the data stream
    • Data Attestation, Lineage, and Privacy Control
    • Where did data originate, who participated in producing it, and how can we answer these questions only in an authorized context and break the associations altogether when required by policy or law?
    • Authorize identification and association
    • STRIDE
    • STRIDE
    • STRIDE
    • STRIDE
    • STRIDE
  41. IoT Security is a shared responsibility

    • Security concepts to the edge
    • Device code, provisioning, certificates, data management
    • Implement a Secure Development Lifecycle
    • http://microsoft.com/sdl
    • Keep track of the cyber supply chain
    • Work out an incident response plan that includes updates
    • Leverage industry best practices for defense-in-depth
    • Select device platforms by best balance between feature and security capabilities for your scenario and budget.
    • Leverage best practice network design, but don’t just trust the network.
    • Establish security boundaries at the application layer
    • Call to Action!
  42. Build on the Azure IoT Suite and IoT Hub

    • Secure, Service Assisted, Bi-Directional Communication
    • Hyper-Scale Device Identity Management
    • Device Management Foundation
    • Review our platform principles and certifications
    • Azure Trust Center http://azure.microsoft.com/en-us/support/trust-center/
    • Call to Action!
    • ISO 27001/27002
    • SOC 1/SSAE 16/ISAE 3402 and SOC 2
    • Cloud Security Alliance CCM
    • FedRAMP
    • FISMA
    • FBI CJIS (Azure Government)
    • PCI DSS Level 1
    • United Kingdom G-Cloud
    • Australian Government IRAP
    • Singapore MTCS Standard
    • HIPAA
    • CDSA
    • EU Model Clauses
    • Food and Drug Administration 21 CFR Part 11
    • FERPA
    • FIPS 140-2
    • CCCPPF
    • MLPS
  43. Improve your skills by enrolling in our free cloud development courses at the Microsoft Virtual Academy.

    • Try Microsoft Azure for free and deploy your first cloud solution in under 5 minutes!
    • Easily build web and mobile apps for any platform with Azure App Service for free.
    • Resources