Security & Identity for the Internet of Things Webinar

© 2016 ForgeRock. All rights reserved.

Transcript of Security & Identity for the Internet of Things Webinar

Page 1: Security & Identity for the Internet of Things Webinar

Page 2: Security & Identity for the Internet of Things

Technical Product Manager, @SimonMoffatt, [email protected]
Product Marketing Director, [email protected]

Page 3: ForgeRock, the leading, next-generation identity security software platform, driving digital business

2010: Founded
10 offices worldwide, with headquarters in San Francisco
400+ employees
600+ enterprise customers
50% Americas / 50% international commercial revenues
30+ countries

Page 4: Identity For Everyone And Every Thing

Internet of Things: Not Just for Tomorrow, But for Today

Page 5

#1 Recent IoT Attacks
#2 IoT Security Best Practices
#3 Device & Identity Pairing
#4 IoT Data Sharing
#5 Summary

Page 6: Recent IoT Attacks

Page 8: The IoT - An Evolving Attack Vector

2012: New gadgets enter the consumer market, focused on basic connectivity. “Hacks for headlines”: home CCTV cameras, “smart toys”, baby monitors.
2014: Luxury goods and personal health monitors become commonplace. Connected car vulnerabilities exposed; PII risks identified.
2016: Mass-produced replica devices and secondary markets, “everything connected”. Devices used as botnet armies, proxies and third-party attack vectors.

Page 9: Impact & Consequences

Personal data loss at the device
Brand damage for manufacturers
Security becomes prohibitively expensive
Identity data easier to harvest
New third-party attack victims emerge, e.g. insurance providers
DDoS planners have a new attack vehicle
Data sharing becomes complex and siloed

Page 10: IoT Security Best Practices

Page 11: IoT Security Best Practices

Modern, updatable OS
Modern, updatable firmware
No hard-coded passwords
Use of HTTPS / modern TLS
Root access and root accounts disabled
Secure / trusted token storage area
Disable non-essential services and ports
Perform device authentication
Default passwords changeable on first use

Page 12

Device created with a unique, immutable identifier (MAC address or certificate). A MAC address is visible to anyone on the network and trivially spoofed, so it can name a device but cannot authenticate it; a certificate whose private key stays in the device's trusted storage area can do both.
Synchronized and activated in a central store
Device authenticates to download API details and client credentials

Page 13: Device & Identity Pairing

Page 14: Device Pairing Requirements

Simple out-of-band pairing
Device should have scoped permissions
Device needs to represent the user to APIs and services
Bind a token to a device, to reduce the impact of token theft via MITM
Need to pair a device to a person
Revoke device access when the device is lost, stolen or sold

Page 15: Simple Out-of-Band Pairing

Device often has limited input capability and UI
“Pin & Pair”: the user enters a unique device code out of band on their laptop or tablet
Device receives scoped access, with simple revocation
Device accesses services on the user's behalf

Page 16: OAuth2 Device Pairing Flow - “Demo”

Device accesses services on the user's behalf

Smart Guitar demo at the London Identity Summit, Oct 2016: https://youtu.be/MUoicwT9s34

1 - Start registration
2 - Device gets code
3 - User enters code out of band on a web page
4 - Device polls the AS, then pairs
5 - Device gets access token
6 - Device uses token against the service
7 - Device can be revoked via the end-user dashboard

Images courtesy of Jon Knight, UK Customer Engineering
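
The seven steps above, worked through as an added example that is not part of the webinar or of ForgeRock's product code: a Go model of the OAuth 2.0 device authorization grant (RFC 8628) with the authorization server, the device and the user's out-of-band step all in one process. The client_id smart-guitar-001, the scope play:stream, the user alice, the 10-minute code lifetime and the type and method names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Error codes the polling device sees, named as in RFC 8628 section 3.5.
var (
	ErrAuthorizationPending = errors.New("authorization_pending")
	ErrExpiredToken         = errors.New("expired_token")
	ErrInvalidGrant         = errors.New("invalid_grant")
)

// Pairing is one device's AS-side state; User is set once a person approves the code out of band.
type Pairing struct {
	ClientID, Scope, UserCode, User string
	expiresAt                       time.Time
}

// AuthServer is a hypothetical in-memory authorization server (example code, not ForgeRock's).
type AuthServer struct {
	pending map[string]*Pairing // device_code -> pairing awaiting approval
	tokens  map[string]Pairing  // access_token -> the user and device it represents
	Now     func() time.Time    // injectable clock so that code expiry can be exercised
}

func NewAuthServer() *AuthServer {
	return &AuthServer{pending: map[string]*Pairing{}, tokens: map[string]Pairing{}, Now: time.Now}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a CSPRNG failure is not recoverable for an authorization server
	}
	return b
}

// StartDeviceAuth (steps 1-2): the device starts registration and receives a long device_code for polling
// plus a short user_code; each nibble picks one of 16 consonants: no modulo bias, no vowels (RFC 8628 section 6.1).
func (as *AuthServer) StartDeviceAuth(clientID, scope string) (deviceCode, userCode string) {
	const alphabet = "BCDFGHJKMNPRSTVX"
	code := make([]byte, 0, 8)
	for _, b := range randomBytes(4) {
		code = append(code, alphabet[b>>4], alphabet[b&0x0f])
	}
	deviceCode, userCode = hex.EncodeToString(randomBytes(32)), string(code[:4])+"-"+string(code[4:])
	as.pending[deviceCode] = &Pairing{ClientID: clientID, Scope: scope, UserCode: userCode,
		expiresAt: as.Now().Add(10 * time.Minute)}
	return deviceCode, userCode
}

// ApproveUserCode (step 3): the user types the code on the AS web page from a laptop or tablet; the AS binds the pairing to that authenticated user.
func (as *AuthServer) ApproveUserCode(userCode, user string) error {
	for _, p := range as.pending {
		if p.UserCode == userCode && p.User == "" && as.Now().Before(p.expiresAt) {
			p.User = user
			return nil
		}
	}
	return ErrInvalidGrant // an unknown, already used or expired code never pairs
}

// PollToken (steps 4-5): the device polls with its device_code and gets a scoped token only once the user approved; the device_code is single use.
func (as *AuthServer) PollToken(deviceCode string) (string, error) {
	p, ok := as.pending[deviceCode]
	switch {
	case !ok:
		return "", ErrInvalidGrant
	case as.Now().After(p.expiresAt):
		delete(as.pending, deviceCode)
		return "", ErrExpiredToken
	case p.User == "":
		return "", ErrAuthorizationPending
	}
	delete(as.pending, deviceCode)
	token := hex.EncodeToString(randomBytes(32))
	as.tokens[token] = *p
	return token, nil
}

// Introspect (step 6): the resource server checks a token is still active and whom it represents.
func (as *AuthServer) Introspect(token string) (Pairing, bool) {
	p, ok := as.tokens[token]
	return p, ok
}

// RevokeDevice (step 7): the user's dashboard revokes every token held by one device (lost, stolen or sold), leaving the user's other devices alone.
func (as *AuthServer) RevokeDevice(user, clientID string) (revoked int) {
	for token, p := range as.tokens {
		if p.User == user && p.ClientID == clientID {
			delete(as.tokens, token) // deleting during range is safe in Go
			revoked++
		}
	}
	return revoked
}
```

The block is a package without an entry point; drive it from a test or a main of your own. A real device sleeps for the interval the AS returns between polls and keeps polling while it sees authorization_pending; here PollToken is simply called again. The user code is short because it has to be read off a small display and typed on another device, so its entropy is deliberately low: what stops an attacker guessing it is the short lifetime, and the AS must also rate-limit the approval page, which this in-memory sketch omits. Revocation is per device, so a lost guitar can be cut off without disturbing the owner's other devices.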

Page 17: OAuth2 Proof-of-Possession Token Safety

Protect the access_token through device binding
The device may not use HTTPS or have a secure token storage area, so a method is needed to protect against hijacking or MITM
Use proof-of-possession, with the device's public key baked into the access_token
Gives the RS the ability to initiate a challenge-response that proves the presenter is the correct owner

Diagram: token request carries the public key; the resource server uses that key for challenge-response
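
The challenge-response described on this slide, as an added example (not ForgeRock's code, and not a full JWT/JWK implementation): the device generates an Ed25519 key pair, or has one provisioned at manufacture as on the earlier device identity slide, sends the public key with its token request, and the AS signs a token whose cnf claim (RFC 7800) carries that key. The token format base64url(claims).base64url(signature), the raw key in cnf rather than a JWK, the "pop:" prefix in the signed message and the names IssueToken, Challenge, Prove and Access are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var (
	ErrBadToken    = errors.New("invalid_token: format or authorization server signature check failed")
	ErrNoChallenge = errors.New("no outstanding challenge for this token")
	ErrBadProof    = errors.New("invalid_token: proof of possession failed")
)

// Claims is the access_token body; Cnf holds the device's Ed25519 public key (RFC 7800 confirmation claim, raw key rather than JWK).
type Claims struct {
	Sub   string `json:"sub"`
	Scope string `json:"scope"`
	Cnf   []byte `json:"cnf"`
}

var b64 = base64.RawURLEncoding

// IssueToken is the AS side: the device sent its public key with the token request, and the AS signs a token naming that key.
func IssueToken(asKey ed25519.PrivateKey, sub, scope string, devicePub ed25519.PublicKey) string {
	body, _ := json.Marshal(Claims{Sub: sub, Scope: scope, Cnf: devicePub})
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(asKey, body))
}

// ResourceServer trusts one AS public key and keeps one outstanding nonce per token.
type ResourceServer struct {
	asPub  ed25519.PublicKey
	nonces map[string][]byte
}

func NewResourceServer(asPub ed25519.PublicKey) *ResourceServer {
	return &ResourceServer{asPub: asPub, nonces: map[string][]byte{}}
}

// parseToken verifies the AS signature before trusting any claim, cnf included.
func (rs *ResourceServer) parseToken(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Claims{}, ErrBadToken
	}
	body, errBody := b64.DecodeString(parts[0])
	sig, errSig := b64.DecodeString(parts[1])
	if errBody != nil || errSig != nil || !ed25519.Verify(rs.asPub, body, sig) {
		return Claims{}, ErrBadToken
	}
	var c Claims
	if json.Unmarshal(body, &c) != nil || len(c.Cnf) != ed25519.PublicKeySize {
		return Claims{}, ErrBadToken // a wrong-length key would make ed25519.Verify panic later
	}
	return c, nil
}

// Challenge: on first contact the RS answers with a fresh nonce instead of the resource.
func (rs *ResourceServer) Challenge(token string) ([]byte, error) {
	if _, err := rs.parseToken(token); err != nil {
		return nil, err
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rs.nonces[token] = nonce
	return nonce, nil
}

// proofMessage ties the signature to this token and this nonce, so a proof for one token cannot serve another.
func proofMessage(token string, nonce []byte) []byte {
	return append([]byte("pop:"+token+":"), nonce...)
}

// Prove is the device side: sign the challenge with the private key that never leaves the device's trusted storage.
func Prove(deviceKey ed25519.PrivateKey, token string, nonce []byte) []byte {
	return ed25519.Sign(deviceKey, proofMessage(token, nonce))
}

// Access: the RS checks the proof against the cnf key inside the token; the nonce is consumed either way, so a captured proof cannot be replayed.
func (rs *ResourceServer) Access(token string, proof []byte) (Claims, error) {
	c, err := rs.parseToken(token)
	if err != nil {
		return Claims{}, err
	}
	nonce, ok := rs.nonces[token]
	delete(rs.nonces, token)
	if !ok {
		return Claims{}, ErrNoChallenge
	}
	if !ed25519.Verify(ed25519.PublicKey(c.Cnf), proofMessage(token, nonce), proof) {
		return Claims{}, ErrBadProof
	}
	return c, nil
}
```

The property the slide asks for falls out directly: a token copied off an unencrypted link or out of flash lets an attacker reach Challenge, but not Access, because the proof has to be made with the private key. Binding the signed message to the token and nonce, and discarding the nonce after one use, are what stop a captured proof being replayed. The package has no entry point; exercise it from a test or a main of your own.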

Page 18: IoT Device Data Sharing

Page 19: IoT Data Sharing Requirements

Simple out-of-band pairing
Leverage simple standards for fast integration
Ability for the end user to perform simple approval
Ability for authorization policies to be created by the end user, not an admin
Ability to perform simple revocation
Ability to share arbitrary data from a device with other users or services

Page 20: User-Managed Access

Simple out-of-band pairing
Ability to perform simple revocation
Ability to share arbitrary data from a device with other users or services

Devices registered and managed
Devices make data, and it needs protecting...

Page 21: User-Managed Access

Device accesses services on the user's behalf
Simple out-of-band pairing
Ability for the data owner to make well-informed and consent-driven decisions
Ability for the data owner to make easy access revocation decisions across
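
The sharing model on these User-Managed Access slides, as an added example (not ForgeRock's code and not the UMA specification's reference implementation): a Go sketch in which a device's data is registered at an authorization server under its owner, the owner rather than an admin writes the sharing policy, a requesting party's client is first bounced with a permission ticket, exchanges it for a requesting party token (RPT), and loses access the moment the owner revokes the share. The identities alice, bob, carol and mallory, the resource name guitar-practice-log, the read and write scopes and all type and method names are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)

var (
	ErrNotOwner   = errors.New("only the resource owner may change its sharing policy")
	ErrNeedTicket = errors.New("401: present this permission ticket to the AS to obtain an RPT")
	ErrDenied     = errors.New("request_denied: unknown or used ticket, or no owner policy grants this party that scope")
)

// Permission is one (resource, scope) pair; Party names the requesting party once one is known.
type Permission struct{ Resource, Scope, Party string }

// UMAServer is a hypothetical in-memory UMA-style authorization server (example code, not ForgeRock's).
type UMAServer struct {
	owners   map[string]string     // resource id -> owner
	policies map[Permission]bool   // grants authored by owners, never by an administrator
	tickets  map[string]Permission // permission ticket -> requested access (Party empty)
	rpts     map[string]Permission // requesting party token -> granted access
}

func NewUMAServer() *UMAServer {
	return &UMAServer{owners: map[string]string{}, policies: map[Permission]bool{}, tickets: map[string]Permission{}, rpts: map[string]Permission{}}
}

func randomID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// RegisterResource: the RS registers a device's data set under its owner's account.
func (as *UMAServer) RegisterResource(owner, name string) string {
	id := name + "-" + randomID()
	as.owners[id] = owner
	return id
}

// Share: the owner, not an admin, authors the policy granting party the listed scopes on one resource.
func (as *UMAServer) Share(owner, resource, party string, scopes ...string) error {
	if as.owners[resource] != owner {
		return ErrNotOwner
	}
	for _, s := range scopes {
		as.policies[Permission{Resource: resource, Scope: s, Party: party}] = true
	}
	return nil
}

// Unshare: the owner withdraws every scope granted to party on the resource.
func (as *UMAServer) Unshare(owner, resource, party string) error {
	if as.owners[resource] != owner {
		return ErrNotOwner
	}
	for p := range as.policies {
		if p.Resource == resource && p.Party == party {
			delete(as.policies, p)
		}
	}
	return nil
}

// PermissionTicket: the RS records the attempted access and receives a ticket to hand to the client.
func (as *UMAServer) PermissionTicket(resource, scope string) string {
	ticket := randomID()
	as.tickets[ticket] = Permission{Resource: resource, Scope: scope}
	return ticket
}

// RequestRPT: the client redeems the single-use ticket with the requesting party's identity claim.
func (as *UMAServer) RequestRPT(ticket, party string) (string, error) {
	req, ok := as.tickets[ticket]
	delete(as.tickets, ticket) // a replayed ticket fails exactly like an unknown one
	req.Party = party
	if !ok || !as.policies[req] {
		return "", ErrDenied
	}
	rpt := randomID()
	as.rpts[rpt] = req
	return rpt, nil
}

type ResourceServer struct {
	as   *UMAServer
	data map[string]string // resource id -> the data the device produced
}

// Get returns the data when the RPT covers it and the owner's policy still allows it (so Unshare cuts off issued RPTs at once); otherwise a permission ticket, UMA's 401 plus ticket.
func (rs *ResourceServer) Get(resource, scope, rpt string) (data, ticket string, err error) {
	if p, ok := rs.as.rpts[rpt]; ok && rs.as.policies[p] && p.Resource == resource && p.Scope == scope {
		return rs.data[resource], "", nil
	}
	return "", rs.as.PermissionTicket(resource, scope), ErrNeedTicket
}
```

Evaluating the owner's policy at every access, not only when the RPT is issued, is what makes revocation simple: Unshare changes one map and every outstanding RPT for that party stops working without the RS having to be told. A UMA deployment keeps the RS and AS in separate services and has the RS call the AS's introspection endpoint; here the RS reads the AS's state directly because both live in one process, and the package has no entry point, so exercise it from a test or a main of your own.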

Page 22: Summary

Attacks becoming more frequent and more complex…
Devices need local protection
Devices need pairing to identities
Cloud services need protecting too
IoT platforms need identity embedded

Page 23: Questions and Comments

Page 24: Thank You