Tackling Data Security and Privacy Challenges for the Internet of ...
19
Tackling Data Security and Privacy Challenges for the Internet of Things Dave Raggett W3C Tuesday, 14 th June 2016 IoT TechExpo, Berlin
Transcript of Tackling Data Security and Privacy Challenges for the Internet of ...
TacklingDataSecurityandPrivacyChallengesfortheInternetofThings
DaveRaggettW3C
Tuesday,14th June2016IoTTechExpo,Berlin
ThePromiseoftheInternetofThings
l Services thatareenriched throughaccesstothephysicalandabstractWorld
l SmartHomes
l SmartCities
l SmartBusinesses
l SmartGovernment
l Environment,healthcare,agriculture,manufacturing,logisticsandmanymore
2/19
SecurityandPrivacyChallengesfortheInternetofThings
l “LackofTrustinInternetPrivacyandSecurityMayDeterEconomicandOtherOnlineActivities”,NTIAMay2016
l HowlongwillconsumersputupwiththeIoT's failures?– IoTsupport panel,CES2016
l IoT“plugandpray”alloveragain,sayssecurityconsultantDavidAlexander,PAConsulting, CRESTcon &IISP2016
l ThreequartersofUK’s informationsecurityprofessionals thinkIoTdevicemanufacturersaren’timplementingenoughsecurityontheirproductsand73%saidthere’sagenerallackofindustry standards– ISACA2015poll
l 72%ofAmericansseecyberattacksasamajorthreat,coming2nd afterISIS– PewResearchpoll, April2016
l “Allofthepotentialweaknesses thatcouldafflictIoTsystems,suchasauthenticationandtrafficencryption,arealreadywellknowntothesecurityindustry...”,InsecurityintheInternetofThings, Symantec,March2015
3/19
4/19
EightInternetofThingsFailsduetosloppypracticesandpoorusability
l Target’sHeatingandCoolingSysteml HackersgainedaccessthroughHVACaccount,and
wereabletoinstallcardskimmings/wonPOSterminals
l Wink’sIoTHubsl ConsumersfoundtheirdevicesbrickedwhentheHub
securitycertificateunexpectedlyexpired
l Insteon connectedhomesl Reporterabletoturn lightsonandoffwhilstchatting
withhomeownersoverthephone
l Homeroutersl Opentomaninthemiddleattackswhenpeopleuse
defaultoreasytoguesspasswords
l Spammyrefrigeratorsl Defaultpasswordsallowedattackertouseconnected
refrigeratorsaspartofa botnet
l TrendNet’s nannycamsl Easyremoteaccessonceyouhavethecamera’sIP
address
l Samsung’ssmartTVsl Easytocommandeertoviewpeople’s livingrooms
l Nestthermostatl Easytohackifyoucangetphysicalaccessforafew
minutes
From:TheObserver,16July2015 Note:theseproductshaveeitherbeenwithdrawn orpatched
IoTSecurityShouldWorryUsAll
l Breachesofprivacy
l Cybercrime
l Physicalsafetyinthehome,acrossthecityandwithinbusinesses
l Threatstonationalinfrastructure
l Loomingrisksofcyberwar
5/19
UniqueChallengesforIoTSecurity
l IoTreliesonmicrocontrollerswithlimitedmemoryandcomputationalpowerl Thisoftenmakesitimpractical toimplementapproachesdesignedforpowerfulcomputersl ThisinturnrequiresconstrainedIoTdevicestobehiddenbehindsecuregateways
l ThreatsbasedupongainingphysicalaccesstoIoTdevices
l Howtobootstraptrustandsecurity,andwaysthatthiscanunravel
l Evolvingtechnologyl MorepowerfulSystemsonaChip(SOC)embeddinghardwaresecuritysupportl EclipticCurveCryptographywithreducedcomputationaldemands
l AnythingthatisexposedtotheInternetmustbesecurelysoftwareupgradable
l Userexperiencemustbegoodenoughtoavoidbecomingaweaklinkinthechain
l Thenecessityofkeepinguptodatewithsecuritybestpractices
6/19
TheChallengesfortheIoTandBigData
l Lotsofsensorswillgenerateavastamountofdatal APIResearchestimated200exabytes in2014and1.6zettabytesin2020l 90%iscurrentlyprocessed locally,althoughthisvariesbydomain
l Thiscreatesagreatervolumeofsensitive data,creatingagreaterriskofl Dataandidentitytheft,l Devicemanipulation,l Datafalsificationl IPtheft,server/networkmanipulation,etc.
l Impactofintroductionofdataconsolidation andanalyticsatnetworkedgel Cisco,HPEandothersl Appplatformsinthecloudoratthenetworkedgewillbetargetsforattacks
7/19
EnablingDataSecurityfortheInternetofThings
l Transportandapplayerencryptionl TLSandDTLSforencryptingdatatransmittedovertheInternetl Applayerencryptionforgreatersecurity(e.g.asinfinancialtransactions)l Securekeyexchangealgorithmsoverunsecuredchannels
l AuthenticationandKeymanagementl IoTdevicesneedtocheckthattheserveriswhoitsaysitisl ServerslikewiseneedtocheckthisforIoTdevicesl AsymmetricPublic/PrivatekeypairsvsSymmetrickeysl Tamperresistantstorageofkeysandcertificatesl Challengesforprovisioningservices
8/19
Authorisation– DeterminingWhoCanDoWhat
l Authorisationrulesl Authentication ofthedatarecipientl Simpleformofrulesasaccesscontrol listsl Moregeneralruleswith complexconditions
l Capabilitybasedsecurityl Acapabilityiscommunicable andunforgeable tokenofauthorityl Thetokenisassociatedwith asetofaccessrights
l IETFworkonACEandJOSEl ACE:accesscontrol inconstrained environmentsl JOSE:JavaScriptObjectSigningandEncryption
l Relationshiptomodelsoftrustl Prior agreementsbetweentwopartiesl Attestations bytrusted third parties
9/19
PrivacyandtheInternetofThings
l TheIoThasthepotentialtoprovidehugeandunprecedentedamountsofpersonalinformationl Thisinformationmaylastindefinitelyl Riskofabusebyindividuals,criminals,companiesandgovernmentsl Senseofintrusionintoyourpersonalspacel Fearofharmduetodisclosureofpersonalinformation
l Stronglyidentifyinginformationl Youraddress,dataofbirth,sexualorientation,…l Principleofdataminimisation– highcosttocompaniesforhandlingpersonaldatasecurelyl Privacypoliciesdeterminingwhatpurposesdatacanbeusedfor,andforhowlong
l Weaklyidentifyinginformationl Whensufficientsuchdataiscombinedthiscanuniquelycharacteriseyoul Companiesneedtoprovideprivacypoliciesonhowtheyhandlesuchdata
l Needforadheringtobestpracticestoavoidreputationaldamagetocompaniesl Includingregulatory requirements
10/19
TheIoTandtheWeb
l WebtechnologiesareincreasinglyimportantfortheIoTl Webprotocols likeHTTPl Semanticdescriptions basedonRDFl HTML5andtheOpenWebPlatform forhumanmachineinterface
l TheWebsecuritymodelanditsrelationshiptotheIoTl Accessrights forwebappsarescopedtoapp’soriginl TheWebismovingtoencrypt allcommunicationl We’repreparing totransition theWebfrompasswordstopublic keycrypto
l Usersauthenticate tothebrowser, andbrowserauthenticates tothewebsite
l FortheIoT,theuser(owner)isn’taroundatthetimethedeviceneedstoauthenticateitselftoaservice
l Wethereforeneedawayforuserstoauthorizethedeviceinadvancel Thisisaformoftrust delegation, andintroduces theneedtoauthenticate users
aswellasserviceproviders
11/19
SomeTakeAwayMessages
l Securityiscrucialandmustnotbeseenasanafterthoughtl Needtoconsider securityandprivacyfromthestartl Needtoadheretoevolvingbestsecuritypracticesl Failuretodosorisksreputational andfinancialdamage
l Recruitexperiencedsecuritystaffl Takeadvantageoftheavailableresources, e.g.
l Internet ofThingsSecurityFoundationl OWASPIoTSecurityGuidancel IABPrivacy&Securitystudies
l RFC7452– Architectural Considerations inSmartObjectNetworking
l RFC7456 – Cryptographic algorithm agility
l EUArticle29DataProtection Workingpartyl Anonymization, privacyandtheIoT
l Tracktheemergingstandards,e.g.l W3CSecurityActivityl IETFACE&JOSE
l SometipsfromMikeTurner@ComputerWeeklyl Setupanintegrated teamofbusinessexecutivesandsecurity
specialistsl Integratesecuritybestpractice withtheIoTproduct development
processl Educateconsumers aswellasfront-line staffinsecuritybestpracticel Addressprivacyconcerns witheasytounderstand privacypolicies
12/19
OvercomingtheFragmentationoftheInternetofThings
l Today,therearemanynon-interoperable platformsandasurfeitoftechnologies andstandards
l Thiscreatessilos, increasesdevelopment costsandreducesthemarketpotential
l W3CistheleadingorganizationforWeb technologystandards
l We’reworkingonapproachestoovercomingfragmentationandenablingopenmarketsofservices
l Analogywithnetworkservices beforeandaftertheInternetwasintroduced
l GetitrightandtherewillbeexponentialgrowthinIoTservices
13/19
TheWebofThings
l Aheterogeneoussetofplatforms,servingdifferentneedsl Nooneplatformandprotocol canbeexpectedtowinout
l TheWebofThingsl “Things”denotingphysicalandabstractentitiesl Crossplatform standardsforapplication accessto“things”
l Richmetadatadescribing“things”l Whatdataandinteraction modelsareexposedtoapplications?l Whatprotocols andcommunication patterns canbeused?l Whatkindofathingisit(semanticmodelsandconstraints)?l Whataretherelationships toother things?
l WebofThingsasinter-platformWebtechnologystandardsl BaseduponW3C’sestablishedstrengths insemantictechnologies,
websecurityandtheopenwebplatform
14/19
WebofThings– KeyChallenges
l Semantic interoperability– ensuringthatcommunicatingpartiessharethesamemeaningfordatal Platformsmayusedifferentprotocolsanddataformats,butwithoutshared
meaning,itwon’tbepossibletobuildservicesthatintegratedataacrossplatforms
l Sharedtrustassumptionsforendtoendsecurityacrossplatformsl Howaretheentitiesinvolvednamedandauthenticated?l Howistrustestablishedacrosstheseentities?l Howareauthorizationpoliciesdescribed?l Doallofthepartiesusehighlevelsofsecurity?
l Enablingresilience ofservicesl Bestpracticesfordealingwithfaultsandattacksl Defence indepthanditsimplicationsl Security,monitoring,machinelearningandpolicies
15/19
WorldWideWebConsortium
Mission: leadtheWebtoitsfullpotentiall TheWebistheworld'slargestvendor-neutraldistributedapplicationplatform
FoundedbySirTimBerners-Lee, inventoroftheWebl 400+Membersl Member-funded internationalorganisation
DevelopsstandardsforWebandsemantic technologiesl HTML,CSS,scriptingAPIs,XML,SVG,VoiceXML,
SemanticWebandLinkedDataetc.l Developeroriented,enablingcooperationbetween
organisationswithverydifferentbackgroundsl W3Cpatentpolicyforroyaltyfreestandardsl W3Cstaffofengineersactivelyparticipatinginstandardisationl Increasinglyinvolvedinverticals:Mobile,TV,Automotive,Digitalpublishing
16/19
W3CWebofThings
l WebofThingsInterestGroup– exploring thepotentialthroughtechnologysurveysandexperimental implementations
l WebofThingsWorkingGroup– plannedforlate2016– willdevelopinitial standards
l WebofThingsBusinessGroup– underdiscussion– toguidetechnicalworkbaseduponanalysis ofbusinessandpolicylevelrequirementsacrossmanyapplicationdomains
WebofThingsInterestGroup,Montreal201617/19
TheBottomLine
TheWebisessentialforrealizingthefullpotentialoftheIoT
TheWebprovidesaunifying frameworkforsemanticinteroperability
TheWebactsasaglobalmarketplaceforsuppliersandconsumersofservices
18/19
19/19
FormoreinformationonW3Csee:
www.w3.org
WorkwithustosecuretheWebofThings!
Thankyou!
