application security as crucial to the modern distributed trust model

© 2017 Intertrust Technologies Corporation. All rights reserved.

Application security as crucial to the modern distributed trust modelLINE-Intertrust Security Summit 1 —TokyoMay 17, 2017

Dave Maher, CTO Intertrust

© 2017 Intertrust Technologies Corporation. All rights reserved.

Three drivers for Application layer security

2

1. Scale

2. Hyper-connectivity

3. Implications of Merger of the Cyber and Physical worlds

© 2017 Intertrust Technologies Corporation. All rights reserved.

Scale

3

20204

BILLIONConnected People

$4 TRILLIONRevenue Opportunity

25+ MILLION

Apps

25+ BILLION

Embedded and Intelligent Systems

50 TRILLION

GBs of Data

© 2017 Intertrust Technologies Corporation. All rights reserved.

Hyperconnectivity and dynamic and ephehemeral networks

4

© 2017 Intertrust Technologies Corporation. All rights reserved.

Merger of Cyber and Physical worlds bring huuuuge risks

5

© 2017 Intertrust Technologies Corporation. All rights reserved.

Isolation defeats the purpose of connectivity

6

© 2017 Intertrust Technologies Corporation. All rights reserved.

Ransomware and other malware

7

© 2017 Intertrust Technologies Corporation. All rights reserved.

Software self-defense addresses scale

8

Things must become responsible for themselves

© 2017 Intertrust Technologies Corporation. All rights reserved. 9

© 2017 Intertrust Technologies Corporation. All rights reserved.

• Security within the device or application — self-defense

• Security mechanisms that are simple for users, self-maintaining, inexpensive yet strong

• Security can be lightweight yet strong

• Defense-in-depth: Additional layers, including

• Network security where appropriate

• Cloud-based services that can detect patterns of illicit activity

• Protection of application data and device sensor info

• Protection of resources

• Secure delegation: Make it easy to give access to legitimate users but hard for illicit users

Trust models — what we rely on for Safety, Security, Privacy

10

© 2017 Intertrust Technologies Corporation. All rights reserved.

Model for an internet connected thing

11

Sensors

Physical Interfaces

Communications

Security Associations

Remote Controller

CloudServices

Thing

Remote Front Panel Status

Security Manager

© 2017 Intertrust Technologies Corporation. All rights reserved.

• Except by legitimate users

• Part of a defensed in depth strategy

• When a device or application appears on a network, don’t shout out too much

• Incremental and tokenized discovery can keep things friendly for legitimate users

• Protocols can help assure things appear uninteresting to illegitimate users

Make valuable devices difficult to discover

12

© 2017 Intertrust Technologies Corporation. All rights reserved.

Reference Monitor

13

Reference Monitor

Security Associations

Audit Trail

Device ControlsUser

© 2017 Intertrust Technologies Corporation. All rights reserved.

• A Security Association (SA) is the establishment of shared security attributes between two network entities to support secure communication

• We can use a similar approach for authorization using Message Authentication Codes

• We can include permissions in an SA authorizing use of commands or access to state and sensor data in a device or application

• Keys are typically part of an SA

• We can use cloud services to simplify SA management and associated key management for IoT devices and applications

Security Associations

14

© 2017 Intertrust Technologies Corporation. All rights reserved.

Secure Key Vault

15

• Access to applications and devices can be protected using cryptographic keys in security associations

• Need a secure place to keep them

© 2017 Intertrust Technologies Corporation. All rights reserved.

• Collect behavior info from devices and applications

• Learn normal behavior

• Detect and classify anomalies

• Determine threat thresholds

• Set alarms and notifications

• All without tipping off intruders

Secure Telemetry and Threat Analytics

16

© 2017 Intertrust Technologies Corporation. All rights reserved.

1. When we design applications and IoT devices today we must keep in mind• Scale• Hyper-connectivity• Implications of Merger of the Cyber and Physical worlds

2. We CAN keep things simple and friendly but we must take care

17

Conclusion

© 2017 Intertrust Technologies Corporation. All rights reserved.

Thank you