iiw | 06 may 2014 secure identity consulting © copyright secure identity consulting 2014 jeff...
TRANSCRIPT
![Page 1: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/1.jpg)
IIW | 06 May 2014
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014
Jeff Stollman
Secure Identity Consulting
Unexpected and Complex Implications of the Internet of Everything (IoE)
![Page 2: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/2.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Agenda
Defining Terms
Promise and Implications
Issues Prompted by IoT
Legal Perspective
Q&A
![Page 3: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/3.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
DEFINING TERMS
![Page 4: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/4.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
What is it?
Internet of Things
Internet of EverythingS
enso
r Net
wor
ksSm
art Appliances
ServersNetbooks
Smar
t Pho
nes
Industrial Controllers
SCADA
Datab
ases
![Page 5: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/5.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Definition
The Internet of Everything is:
ANY device that is connected to a network.
![Page 6: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/6.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Constituent Devices
1. SENSOR 2. PROCESSOR 3. ACTUATOR
4. Combinations of the above
![Page 7: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/7.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
IoE is a superset
Traditional IT SCADA devices New Smart devices
IoE
![Page 8: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/8.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
PROMISE AND IMPLICATIONSUse Cases
![Page 9: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/9.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
The Promise
![Page 10: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/10.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Home Appliances – Security and Privacy
Who is ordering your perishables?
![Page 11: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/11.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Irrigation & Flood Control - Security
Who is ensuring data integrity?
![Page 12: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/12.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Farming – Information Ownership
Who owns the data you collect?
![Page 13: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/13.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Automotive Management – Privacy and Liability
Who is controlling your vehicle?
![Page 14: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/14.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Electric Vehicle Recharging Systems – Security and Liability
Who is paying for power from your outlet?
![Page 15: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/15.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Smart Packaging – Privacy and Liability
Who can learn what drugs you are taking?
![Page 16: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/16.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Physical Security – Privacy
Does privacy exist anymore?
![Page 17: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/17.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Use Case: Electrical Grid – Security and LIability
Who is managing your power?
![Page 18: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/18.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
ISSUES PROMPTED BY IOT
![Page 19: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/19.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
IoT prompts several areas of concern
Security- Security issues of IoT are not new, but new solutions will be required.
Privacy Privacy issues of IoT are not new, but new solutions will be required.
Ownership - Device ownership enters a new gray area.
- Data ownership represents a brave new world of possibility.
Liability- Liability, as well, opens up a Pandora’s box of complex issues.
![Page 20: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/20.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Security Questions
1. As traditional enterprise perimeters disintegrate into a web of devices, how do we secure devices
1. From an adversary manipulating sensor input data ?
1. E.g., holding a lighter below an outdoor temperature sensor that triggers an emergency response)
2. While this could happen today, I submit that the additional layer of abstraction provided by the IoT may prompt less scrutiny of physical security and increase the vulnerability of such systems.
2. From an adversary manipulating output from a sensor or input to a processor?
1. E.g., dividing the output from sensors on a harvester in half to create the impression of a bad crop, causing commodity prices to rise
2. compromising the video feed from a surveillance camera during a burglary
3. or the altimeter in an airplane to cause it to crash
3. From an adversary compromising the instruction code in the processor
1. E.g., changing the rule that prompts an alarm to take no action instead
4. From an adversary compromising the instruction feed from the processor or the input feed to the actuator
1. E.g., dividing the changing ON to OFF or a LOW setting to HIGH
![Page 21: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/21.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Security Questions cont’d.
2. Who is responsible for controlling access to the data?
2. At rest -- on the device
3. In transit -- between devices
3. Who is responsible for allowing a “man-in-the-middle” attack when there is no perimeter?
![Page 22: IIW | 06 May 2014 Secure Identity Consulting © Copyright Secure Identity Consulting 2014 Jeff Stollman Secure Identity Consulting Unexpected and Complex](https://reader035.vdocuments.us/reader035/viewer/2022062518/56649e2b5503460f94b1a1e9/html5/thumbnails/22.jpg)
Secure Identity Consulting
© Copyright Secure Identity Consulting 2014European Identity and Cloud Conference | 15 May, 2014
Practical Questions
1. Will all devices need enough intelligence to manage their own access control?
1. Will all devices need to be servers to do so?
2. If devices have enough intelligence (i.e., processing power and storage) to manage access control, will they also have enough processing power and storage to be victims of malware and/or hacking?
3. Once enough devices are deployed to be of interest to adversaries (e.g., malware and hack publishers), will the burden of managing access to devices outweigh the benefits to be gained from them?