Introduction & Overview to Fog Computing - TMCnet
Lynne Canavan, Executive Director, OpenFog Consortium (Lynne_canavan@openfogconsortium.org)
Fog Computing: A Panel Discussion

Panelists
• Don Banks, Senior Principal Engineer / System Architect, ARM
• Chuck Byers, Architecture Co-Chair, OpenFog Consortium & Principal Engineer
• Yuta Endo, VP/GM of APAC Operation, Product Marketing, FogHorn Systems
• Lynne Canavan, Executive Director, OpenFog Consortium
Moderator
• Ken Hosac, VP Business Development, Cradlepoint
OpenFog Security
Don Banks, Senior Principal Engineer, System Architect, Architecture & Technology, ARM
Security Challenges
• As intelligence, local data storage, analytics, and other compute move towards the edge, many devices will be located in unsecured/low-security locations
– The cost of a breach can be enormous
– Protecting both the device and its data is critical for many deployments
• OpenFog needs to provide a rich and flexible set of security features that enable sufficient security for each circumstance
– Not every security mechanism will need to be implemented on every node or for every communication
• It will always be a threat vs. cost evaluation
• Use discovery and publishing mechanisms to enumerate available services
– Policy-based amelioration
• Approach needs to be “global”
• Implementations need to accommodate regional standards and requirements
– e.g., cryptographic algorithms
• Architecture needs to be vendor neutral
• No such thing as absolute security
Security Scope
Security must be end-to-end
• It starts with each Node
• Includes the Network (Communication)
– Between end points and across the network
– Cryptography +
• Includes Data Protection
– Data-in-Motion (between VMs/containers and between end-point systems & applications)
– Data-at-Rest (on disk or other non-volatile storage media, including SCM)
– Cryptography +
• Management & Orchestration
– Command, Control, Configuration
– Software Upgrade
• Physical Security
– Tamper Resistance, Detection, and Remediation
Security as a Service
• Security is a cross-cutting function
– It provides services to all of the other vertical and horizontal functions
– It may provide services through any combination of trusted hardware, firmware, and/or software
Security Scope
• If the node is not secure, no amount of network security or encryption will make it secure
• Starts with a trusted hardware component receiving control at power-on
– This is called the [Hardware] Root-of-Trust
• Uses h/w-based virtualization as a security mechanism
– Supports multi-tenant with isolation & QoS guarantees

[Figure: fog node hardware stack showing Core0 and vCore1..vCoren above a hardware layer made up of the h/w ROT, Security Engine, MMU + IOMMU, processor & I/O virtualization (hypervisor mode), Trusted Execution, and Mgmt.]
Security Scope
• Extends the Chain-of-Trust
– Trusted hardware executes immutable firmware stored on-chip (trusted)
• Starts the root-of-trust extension
– Secure Boot (Verified) / Trusted Boot (Measured)
• Continues the root-of-trust extension
– Secure/Trusted Boot of secure OS / bare-metal OS / Hypervisor

[Figure: the node stack with the chain of trust drawn from the Static ROT through Firmware/Option ROMs/Platform NVRAM and Trusted Boot to the Hypervisor, which exposes vCore0..vCoren, vDisk, vNIC, vSoC accelerators, a virtual Security Engine (vSE) and RTIC on top of the hardware (h/w ROT, Security Engine, MMU + IOMMU, processor & I/O virtualization, Trusted Execution, Mgmt, Disks, NICs, SoC accelerators); Data at Rest and Data in Motion are shown encrypted.]
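The verified-vs-measured distinction on this slide, worked through as an added illustration (not OpenFog or ARM code): each boot stage is measured into a register before it runs, and under verified boot its signature is also checked before control is handed over. The key, stage images and the HMAC used as a stand-in for a signature are constructed assumptions; a real root-of-trust checks an asymmetric signature against a key anchored in the SoC.

```python
import hashlib
import hmac

# Constructed stand-in for the OEM verification key anchored in the h/w ROT.
ROOT_KEY = b"constructed-root-of-trust-key"
ZERO = b"\x00" * 32  # measurement register value at power-on

def sign(image: bytes) -> bytes:
    """Stand-in for the vendor's build-time signature over a stage image."""
    return hmac.new(ROOT_KEY, image, hashlib.sha256).digest()

def extend(register: bytes, image: bytes) -> bytes:
    """TPM/PCR-style extend: new = H(old || H(image)); stage order matters."""
    return hashlib.sha256(register + hashlib.sha256(image).digest()).digest()

def boot(stages, verify=True):
    """Walk the chain of trust; returns (booted_ok, measurement, stages_run).
    verify=True is secure (verified) boot: a stage whose signature fails never runs.
    verify=False is measured boot only: everything runs, but the final
    measurement no longer matches the golden value, so attestation fails."""
    register, ran = ZERO, []
    for name, image, sig in stages:
        register = extend(register, image)               # measure before executing
        if verify and not hmac.compare_digest(sign(image), sig):
            return False, register, ran                  # halt: control never handed over
        ran.append(name)                                 # "execute" the stage
    return True, register, ran

def expected_measurement(stages):
    """What a remote verifier computes offline from the golden images."""
    register = ZERO
    for _, image, _ in stages:
        register = extend(register, image)
    return register

# Constructed stage images: on-chip firmware -> hypervisor -> guest OS.
FW, HV, OS = b"immutable-firmware-v1", b"hypervisor-v3", b"guest-os-v7"
GOLDEN = [("firmware", FW, sign(FW)), ("hypervisor", HV, sign(HV)), ("os", OS, sign(OS))]
# Same chain with a modified hypervisor image still carrying the original signature.
TAMPERED = [GOLDEN[0], ("hypervisor", b"hypervisor-v3-modified", GOLDEN[1][2]), GOLDEN[2]]

if __name__ == "__main__":
    ok, m, ran = boot(TAMPERED)
    print("verified boot: booted =", ok, "stages run =", ran)
    ok, m, ran = boot(TAMPERED, verify=False)
    print("measured-only: booted =", ok, "matches golden =", m == expected_measurement(GOLDEN))
```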
Security Scope
• Secure/Trusted Boot of VMs and apps/containers

[Figure: the same node stack with workloads layered on top: VM1 (TEE) and VM2 (TEE), each with a Dynamic ROT, Trusted Loader, vSE and Trusted Boot, hosting App1, App2, VNF0, VNF1 and a guest OS/Linux; Container0 with VNF3 and App7; VMn with VNF4 on a plain loader/boot; RTIC, Tamper Protection and the hypervisor/hardware layers from the previous figure; Data at Rest and Data in Motion encrypted.]
A Fog Network View

[Figure only; no text content on this slide.]
Network (Communication) Security
• Fog Node Communication
– Node-to-Node, Node-to-Cloud, Node-to-thing/device
– Includes both physical and virtual end points
– Cryptography +
• Provides CIA + Nonrepudiation
– Confidentiality
• Connection and Connectionless Data Confidentiality, Traffic Flow Confidentiality
– Integrity
• Connection Integrity with Recovery, Connectionless Integrity with Detection, Anti-replay Protection
– Authentication
• Data Origin Authentication for Connectionless Communications, Peer Entity Authentication for Connection-based Communications, Authenticated Channel Access Control
– Nonrepudiation (optional)
• Nonrepudiation of Origin and Destination
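Connectionless integrity with detection, data-origin authentication and anti-replay protection from the list above, as an added example that is not part of the original deck: an HMAC tag over the sequence number and payload, checked by a receiver that keeps an IPsec-style sliding window so late-but-new datagrams are accepted once while duplicates and stale ones are dropped. The per-link key and datagrams are constructed; the key would normally come from peer-entity authentication and key agreement.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-per-link-key"  # assumed shared key from peer authentication/key agreement
WINDOW = 64                        # replay window width in sequence numbers
TAG_LEN = 32

def seal(seq: int, payload: bytes) -> bytes:
    """Sender side: 8-byte big-endian sequence number || payload || HMAC-SHA256 tag."""
    hdr = struct.pack(">Q", seq)
    return hdr + payload + hmac.new(KEY, hdr + payload, hashlib.sha256).digest()

class Receiver:
    """Receiver state for one peer: highest accepted sequence number plus a bitmap
    of which of the WINDOW numbers at or below it have already been accepted."""

    def __init__(self):
        self.highest = -1   # no datagram accepted yet
        self.bitmap = 0     # bit i set => sequence number (highest - i) already seen

    def accept(self, dgram: bytes):
        """Return (payload, reason); payload is None when the datagram is dropped."""
        if len(dgram) < 8 + TAG_LEN:
            return None, "short"
        hdr, body, tag = dgram[:8], dgram[8:-TAG_LEN], dgram[-TAG_LEN:]
        expected = hmac.new(KEY, hdr + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None, "bad-tag"          # integrity/origin check before touching window state
        seq = struct.unpack(">Q", hdr)[0]
        if seq > self.highest:              # newest so far: slide the window forward
            shift = seq - self.highest
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return body, "ok"
        offset = self.highest - seq         # older than the newest: still inside the window?
        if offset >= WINDOW:
            return None, "too-old"
        if (self.bitmap >> offset) & 1:
            return None, "replay"
        self.bitmap |= 1 << offset          # late but genuinely new: accept exactly once
        return body, "ok-late"
```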
An Example OpenFog Network Security Architecture

[Figure: a layered network diagram spanning Cloud, Internet, OT Partners & services, Enterprise Network (IT), Demilitarized Zone (DMZ) and the OT zone (Process, Supervisory Control, Automation). Controls shown across the tiers: cloud-based threat protection, network-wide policy enforcement and Security Information & Event Management (SIEM); Enterprise Edge (VPN, IPS, NGFW), anti-virus and malware detection, corporate directory, web & email security; Plant Edge (VPN, IPS & remote access), stateful firewall/NGFW and access control; SIEM and remote services platform, OT policy management, software, configuration, AV & asset management, cyber & physical access control system; ruggedized firewall, ruggedized IDS/IPS and segmentation with VLANs, VRFs and ACLs. Cross-cutting themes: Access Control, Threat Detection, Data Privacy, Device Integrity.]