The Identity of Things - Toznytozny.com/wp-content/uploads/2016/07/gis-identity-of... · 2019. 6....
The Identity of Things
Limitations, Markets, and Future Vision
Isaac Potoczny-Jones - CEO of Tozny - [email protected]
Paul Madsen – Ping Identity – [email protected]
Agenda
• Call to Action: Help define the Identity of Things
• Level Setting: Current Markets, Limitations, and Vulnerabilities
• Future Visions: Strategy, Bootstrapping, and Sustainment
What we need from you
Participate, challenge, and question.
Help define the future of the Identity of Things.
Note: I’m including questions in each slide to seed the workshop discussion.
What is IoT? Here is a rough consensus
Lots of devices, many are low-power, they sense and control things
• Consumer: Smart Home, Wearables, Transportation
• Industrial: Control Systems (SCADA), Heating & Cooling (HVAC)
• Health: Fitness Bands, Medical Devices
Questions: What areas are we missing? How closely do market segments align with risk?
The value of IoT is certain
• Transportation improvements like self-driving cars will save lives
• Fitness and health care wearables can drastically improve outcomes
• Intelligent automation from thermostats to smart grid saves money
Question: What are the best examples of the value of IoT?
IoT Limitations
And Vulnerabilities
Why is IoT Different?
• Low Power: Devices are cheap & batteries need to last for a long time
  • Impacts strength of crypto and network connectivity
• Large Scale: Lots of devices, distributed by various manufacturers
  • Makes key distribution complex; other problems?
• Lack of User Interfaces: Some devices have no screens or buttons
  • How to use knowledge-based factors like passwords?
• Security Updates: Disconnected systems, or systems that can't be taken offline
  • Patches don't get applied, leaving systems vulnerable
Question: How else is IoT different? How does it impact Identity?
Example: Cryptographic Authentication
• Many IoT devices use hard-coded AES keys
• AES is a symmetric cipher, so it is cheap enough for low-power devices
• Public-key crypto (with a PKI behind it) would make key distribution easier
• But public-key operations are expensive, so the low-power nature of these devices makes PKI hard
“IoT Risk” is hard to define
• Low Risk: Some devices have low to moderate risk
  • Smart home, Fitness bands, Entertainment
• High Risk: Other devices have life & death consequences
  • Medical, SCADA, HVAC, Vehicles
• Challenge: How to understand risk in multi-device systems?
  • A motion sensor in your house turns on the coffee pot in the morning
  • The same motion sensor in your neighbor's house calls the police
• Blurred Lines: Composing different types of IoT in one system
  • Your car's entertainment system might not be properly segregated from the brakes
Question: How do we handle “IoT Risk” when devices get composed into a greater whole?
Lack of Standards and Best Practices
• Many IoT devices have almost no communication security
  • Everything happens unauthenticated, in the clear
• Others use standards with relatively weak crypto
  • Zigbee and Z-Wave have not had the scrutiny of Wi-Fi and Bluetooth
• Key distribution is far from solved
  • I've seen AES keys printed in user manuals: security through obscurity
  • Some vulnerable devices re-key on command, defeating auth altogether
Question: What standards and best practices would most help IoT?
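The two slides above (hard-coded AES keys on the "Cryptographic Authentication" slide, and the key-distribution and re-key-on-command bullets here) are illustrated by the following added example. It is not code from the talk or from Tozny or Ping Identity; it is a minimal symmetric challenge-response scheme written for this page. It assumes HMAC-SHA256 from the Python standard library as the symmetric MAC (a constrained device would more likely use AES-CMAC, but the structure is the same), and all device IDs, keys and messages are constructed in the block. It shows why one key shared across a fleet lets a key extracted from one unit impersonate every other unit, how per-device key diversification from a backend-held master key removes that, and why a re-key command must itself be authenticated under the current key and carry a fresh counter.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Tuple


def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    """Key diversification: one per-device key derived from a master key that
    lives only in the backend. A device never sees the master."""
    return hmac.new(master_key, b"device-key|" + device_id, hashlib.sha256).digest()


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (assumption: stands in for the
    AES-CMAC a low-power device would use). Prefixing prevents field-boundary
    ambiguity between e.g. (b"ab", b"c") and (b"a", b"bc")."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


class Device:
    """Firmware side: holds one key, answers challenges, and accepts a re-key
    only if it is MACed under the current key with a strictly increasing counter."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id, self.key, self.rekey_counter = device_id, key, 0

    def respond(self, nonce: bytes) -> bytes:
        return mac(self.key, b"auth", self.device_id, nonce)

    def rekey(self, counter: int, new_key: bytes, tag: bytes) -> bool:
        # A device that installs any key it is told to has no authentication at
        # all; here an attacker must already hold the current key to change it.
        if counter <= self.rekey_counter:                 # replayed or stale message
            return False
        expected = mac(self.key, b"rekey", self.device_id, counter.to_bytes(4, "big"), new_key)
        if not hmac.compare_digest(expected, tag):        # not authenticated under current key
            return False
        self.key, self.rekey_counter = new_key, counter
        return True


class Backend:
    """Cloud side. key_for maps a device ID to its provisioned key; devices that
    have been re-keyed are tracked in an override table."""

    def __init__(self, key_for: Callable[[bytes], bytes]):
        self._key_for = key_for
        self.keys: Dict[bytes, bytes] = {}
        self.counters: Dict[bytes, int] = {}

    def key_for(self, device_id: bytes) -> bytes:
        return self.keys.get(device_id) or self._key_for(device_id)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)   # fresh nonce: a captured response cannot be replayed

    def verify(self, device_id: bytes, nonce: bytes, response: bytes) -> bool:
        expected = mac(self.key_for(device_id), b"auth", device_id, nonce)
        return hmac.compare_digest(expected, response)

    def rekey_message(self, device_id: bytes) -> Tuple[int, bytes, bytes]:
        counter = self.counters.get(device_id, 0) + 1
        new_key = secrets.token_bytes(32)
        tag = mac(self.key_for(device_id), b"rekey", device_id, counter.to_bytes(4, "big"), new_key)
        return counter, new_key, tag

    def commit_rekey(self, device_id: bytes, counter: int, new_key: bytes) -> None:
        self.keys[device_id], self.counters[device_id] = new_key, counter


def impersonation_succeeds(backend: Backend, stolen_key: bytes, victim_id: bytes) -> bool:
    """Attacker who extracted a key from one unit answers a challenge as victim_id."""
    nonce = backend.challenge()
    return backend.verify(victim_id, nonce, mac(stolen_key, b"auth", victim_id, nonce))


def shared_key_fleet() -> bool:
    shared = secrets.token_bytes(32)                      # the one key baked into every unit
    backend = Backend(lambda _id: shared)
    stolen = Device(b"thermostat-0001", shared).key       # pulled off one unit's flash
    return impersonation_succeeds(backend, stolen, b"thermostat-0002")   # True: fleet-wide break


def diversified_fleet() -> bool:
    master = secrets.token_bytes(32)                      # never leaves the backend
    backend = Backend(lambda did: derive_device_key(master, did))
    stolen = derive_device_key(master, b"thermostat-0001")
    return impersonation_succeeds(backend, stolen, b"thermostat-0002")   # False: one unit only


def rekey_scenarios() -> Tuple[bool, bool, bool, bool]:
    master = secrets.token_bytes(32)
    backend = Backend(lambda did: derive_device_key(master, did))
    dev = Device(b"lock-0042", derive_device_key(master, b"lock-0042"))
    forged = dev.rekey(1, b"A" * 32, b"\x00" * 32)        # unauthenticated "set key": refused
    counter, new_key, tag = backend.rekey_message(dev.device_id)
    genuine = dev.rekey(counter, new_key, tag)            # MACed under current key: accepted
    if genuine:
        backend.commit_rekey(dev.device_id, counter, new_key)
    replay = dev.rekey(counter, new_key, tag)             # same valid message again: refused
    nonce = backend.challenge()
    still_auth = backend.verify(dev.device_id, nonce, dev.respond(nonce))  # works under new key
    return forged, genuine, replay, still_auth            # (False, True, False, True)
```

The shared-key fleet is the "hard-coded AES key" case from the slides: extracting one key from one unit's flash breaks authentication for every unit, and printing that key in a manual is the same failure without the soldering iron. Diversification keeps the per-device secret symmetric and cheap on the device while confining a compromise to the unit it came from; what it does not solve is a compromise of the backend's master key, which is the part public-key enrollment would address. The re-key path is the check the "re-key on command" bullet is missing: unauthenticated and replayed re-key messages are refused, so an attacker on the network cannot simply swap in a key they know.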
Future Vision
And Planning
Future Vision: The IoT Should Be:
• Authenticated and Secure: It should be a part of the internet…
  • While maintaining appropriate segregation
• Interoperable and Compositional: Protocols to work together
  • Applies to auth, crypto, and wireless
• Privacy-Preserving: Take users into account
  • Including the wide variety of users that a single device might “see”
• Risk-Based: How to balance the limitations of IoT with the risk
  • Power, networking, crypto, and UI
Question: What’s important to you about the future of the Identity of Things?
Strategy Overview
• Defining the Strategy: Where are we trying to go?
• Bootstrapping: How can we get started?
• Sustainment: How do we keep forward progress?
You have a unique opportunity to be part of this process!
Defining the Strategy
• What existing technologies most closely align with unique IoT needs?
• What are the unique IoT constraints that will impact technologies?
• Who are the key stakeholders in industry and government?
Question: What are the most important aspects of the strategy to you and your org?
Bootstrapping
• Surface best practices for enrollment and authentication
  • Device-to-device, device-to-net, user-to-device
• Develop protocols and standards
  • How to make them widely deployed to improve interoperability?
• Identify and fill gaps in cybersecurity and risk management standards
  • Do existing standards effectively apply to IoT?
• Experiment with innovative products
  • Demonstrate best practices and unique opportunities
Question: How can we bring industry and government groups together with projects that will remove barriers and spur innovation?
Sustainment
• Develop reusable and open infrastructure for auth and security
• Incentivize hardware and software developers to build on that
• Upgrade, augment or layer security on top of legacy infrastructure
Question: How can we leverage the growth of the IoT market to sustain robust shared infrastructure?
Workshop Structure – 4PM
Please come and help define the vision!
Workshop Groups: 4PM – Room 18-19
• Group 1: Current State
  • IoT Challenges, Auth, Security, and Privacy
• Group 2: Future Vision
  • IoT Requirements: A Joint Future Vision
  • IoT Opportunities and Technologies
Pre-Conference Paper: https://t.co/2YesLIxjlu
Workshop Outcomes
• Post-conference papers to document what we learn
  • Starting with these talks and discussions
  • Plus the pre-conference papers
• Volunteers to help provide input, write, and review
• Remember: Chatham House Rule
  • Participants are free to use information received, but neither the identity nor the affiliation of speakers, nor that of any other participant, may be revealed.
Last Question:
What Questions Did We Miss?
The Identity of Things
Thank You!
Isaac Potoczny-Jones - CEO of Tozny - [email protected]
Paul Madsen – Ping Identity – [email protected]