Building the Internet of Things



Page 6/13
Date 10.06.2017

g. Security


With devices communicating sensitive information and acting on our behalf, we clearly need to ensure that the system is secure, together with the information it captures, processes, and stores. In any system, security is a tradeoff against other requirements, such as user friendliness, performance, cost, and so on. In this section, we cover some important security aspects we have come across while working in this field.

“This is the weather forecast for the week of June 16, 2024 for Texas,” the weatherman says. “Last week was hot, but this week will be sizzling, with temperatures reaching in excess of 110 degrees, with no rain expected.” In hot weather, irrigation is the key to crop and cattle survival. Because most of the state’s farmers are using a new irrigation system that depends on thousands of sensors to determine the best time to irrigate, few of them worry. What they don’t know is that the system is sending faulty telemetry information that indicates that it rained every day last week. This keeps the system from irrigating, and now, crops and cattle start to die.

When distributed systems directly influence the physical world by turning valves, controlling servos, and much more, there is a clear need to ensure that compromised systems do not kill crops, cattle, and people, burn buildings, or crash cars. The security bar for commands and data that make things move must be much higher than in e-commerce or finance.

Let’s start with a short list of questions about security for the kinds of systems that we have come across in our work on predictive maintenance—a list of factors to think about as you architect an IoT system. On top of normal security precautions, you also need to know how to:



Securely onboard new devices. You must ensure that only devices that the system can register are allowed into the system.

Prevent devices from being duplicated or substituted. Because devices provide data that the system will directly or indirectly act upon, you must be able to trust data from devices. Peripherals that can be duplicated or substituted might allow a rogue entity to flood the system with false but trusted data. Also, in the past, a pirated copy of a device used to cost money in terms of a lost sale. If it is a connected device, it can now have actual costs in terms of those related to connectivity and cloud compute to support and interact with the device.

Ensure that device data can be trusted. As devices communicate, you need to ensure that the data they transmit is received unaltered and from verified sources: the data logged in the service by the device must be trustworthy, representing a point-in-time observation. In information-security terms, this requires integrity and authenticity of the data.56

Ensure the confidentiality of messages in transit and at rest. Because IoT systems span multiple physical networks and transport information over public and unknown networks through dynamic routes, information in transit must be secured against observation by non-authorized third parties.

Prevent devices from denying service. In modern software architecture, the level of interdependencies is high and increasing. Dependencies within the system—such as devices measuring data potentially critical to effective decision-making—need to be available and accessible.

Accept only authorized commands on devices. In any system that acts on external commands and especially one that interacts with the physical world, it is imperative to ensure that those commands are only acted on if they are properly authenticated and authorized.

Remove rogue devices from the system. If you find a bad actor such as a compromised device in the system, you must be able to remove it quickly.

Authenticate peers. If a system supports peer-to-peer communication among devices, for example, to enrich information or to take intelligent edge decisions without service intervention (autonomous system operation), you must have an authentication mechanism in place to ensure that peers in the system are talking to trusted neighbors.

Ensure that devices are always connected to a particular service. A powerful part of how modern communication works is by using hyperlinks to let clients dynamically reroute traffic. Devices will blindly follow these hyperlink redirects without thinking twice (or once, for that matter). Besides offering flexibility, redirects pose a substantial risk if someone redirects the dataflow into an intermediate system to alter system behavior, copy the data, or modify the data stream.

In combinatory devices, ensure that fine-grained security is possible. When a customer's component is embedded inside a larger system, such as smart brakes inside a train or components inside machines, ensure that each interested party has access to the right information and commands, and that when a component is replaced, it is no longer authorized to act as part of the larger device.

Virtual Private Networks



Figure . VPN connecting two networks at the link-layer
A common way to connect networks over an untrusted network is to use a virtual private network (VPN)57. VPNs act as a virtual network card on both ends of the connection, combining two networks as if they were a single entity.

The issue with this approach is that a VPN merely provides secure virtual network cables; it is the two networks, and therefore everything in them, that are connected. After the connection is established, the VPN provides access to all layers above the link layer from any device on either network.

A VPN does not help establish any notion of authentication and authorization beyond its immediate scope. A network application that sits on the other end of a TCP socket, where a portion of the route is facilitated by the VPN, is oblivious to its existence because it acts on the transport and application layers of the network model. What matters for the trustworthiness of the information that travels from the logic on the device to a remote control system that does not reside on the same network, as well as for commands that travel back up to the device, is solely a fully protected end-to-end communication path spanning networks, where the identity of the parties is established at the application layer. Protecting the route at the transport layer by signature and encryption is done as a service for the application layer, either after the application has given its permission (for example, via certificate validation hooks) or just before the application layer performs an authorization handshake, before entering into any conversations. Establishing end-to-end trust is the job of application infrastructure and services, not of networks.
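The requirements listed above (onboarding, untrusted duplicates, integrity and authenticity of point-in-time observations, revocation of rogue devices, and accepting only authorized commands) and the point that end-to-end trust is established at the application layer rather than by the network path, as an added Python example that is not code from the paper or from any Microsoft product. It assumes a per-device symmetric key provisioned at onboarding and a single service key for commands (HMAC-SHA256 is a choice made here, not one the paper prescribes); device ids, keys, and readings are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data: onboarding registry (device id -> per-device key),
# a revocation set, the service's command-signing key and per-device command allowlists.
DEVICE_KEYS = {"pump-0001": b"key-pump-0001", "pump-0002": b"key-pump-0002"}
REVOKED = set()
SERVICE_KEY = b"key-irrigation-service"
ALLOWED_COMMANDS = {"pump-0001": {"open_valve", "close_valve"}}
MAX_SKEW_S = 300   # an observation or command is only current within +/- 5 minutes
SEEN = set()       # (sender, seq) pairs already accepted, for replay detection

def _canonical(sender: str, body: dict) -> bytes:
    # Deterministic serialisation so both ends MAC exactly the same bytes.
    return json.dumps({"from": sender, "body": body}, sort_keys=True, separators=(",", ":")).encode()

def seal(sender: str, body: dict, key: bytes) -> dict:
    """Wrap a message in an envelope carrying an HMAC-SHA256 over sender and body."""
    mac = hmac.new(key, _canonical(sender, body), hashlib.sha256).hexdigest()
    return {"from": sender, "body": body, "mac": mac}

def _check(env: dict, key: bytes, now: float) -> str:
    """Integrity, authenticity, freshness and replay checks shared by both directions."""
    expected = hmac.new(key, _canonical(env["from"], env["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env.get("mac", "")):
        return "bad mac"          # altered in transit or not produced by the key holder
    if abs(now - env["body"]["ts"]) > MAX_SKEW_S:
        return "stale"            # not a current point-in-time observation
    if (env["from"], env["body"]["seq"]) in SEEN:
        return "replay"           # a genuine message being fed in a second time
    SEEN.add((env["from"], env["body"]["seq"]))
    return "ok"

def ingest_telemetry(env: dict, now: float) -> str:
    """Service side: trust data only from onboarded, non-revoked devices."""
    key = DEVICE_KEYS.get(env.get("from"))
    if key is None:
        return "unknown device"   # never onboarded, or a duplicate using a made-up id
    if env["from"] in REVOKED:
        return "revoked device"   # removed from the system after compromise
    return _check(env, key, now)

def accept_command(device_id: str, env: dict, now: float) -> str:
    """Device side: act only on authenticated commands this device is authorised for."""
    status = _check(env, SERVICE_KEY, now)
    if status == "ok" and env["body"]["cmd"] not in ALLOWED_COMMANDS.get(device_id, set()):
        return "not authorised"   # authentic, but this device may not run that command
    return status
```

Because the envelope is checked by the endpoints, the outcome is the same whether the bytes crossed a VPN, the public Internet, or a redirected intermediary; a hop that alters, replays, or injects a message is rejected without the application needing to know the route.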

Compliance


For vertical sectors such as government and healthcare, compliance is a key consideration as you architect an IoT solution. National and local governments and industry groups have mandates that affect what a company can share and with whom. Conversely, some regulations require the sharing of data among government entities or businesses that work on government programs. The EU has model clause regulations that dictate the storage and exposure of personal data.58 The U.S. has similar regulations, such as the Health Insurance Portability and Accountability Act (HIPAA)59 and the Privacy Act.60 Other countries and entities also have privacy mandates that consider the location of stored data, its origin, the location and nationality of the users, and the location, nationality, and use of the data consumers.

If ingested, processed, or published data offers no way to discern details about specific people, it is less likely to be affected by regulation. But all data that is made available to the public, or even to a controlled set of partners, must be reviewed for adherence to all applicable mandates, because violations present high legal61 and reputational risks.62


Healthcare


The HIPAA and HITECH laws in the U.S. apply to healthcare and partner organizations that have access to sensitive patient information, called electronic protected health information (ePHI). Service providers that work with these entities usually must agree in writing to adhere to security and privacy provisions set forth in HIPAA and the HITECH act. If an IoT system that supports applications such as the one we described in the Healthcare scenario captures ePHI, it must adhere to these laws. Microsoft provides a Business Associate Agreement as a contract addendum to its cloud platform, Microsoft Azure.63 We also provide information on some of the best practices for HIPAA-compliant applications, and we detail Microsoft Azure provisions for handling security breaches.64

