iot data protection e4 - teserakt · iot security · 2020-04-01 · the iot data protection problem...
TRANSCRIPT
IoT Data Protection · E4
Internet of Things (IoT)?
Connected systems are a growth and innovation factor across diverse industries
They enable “smart systems”, thanks to their connectivity and data-based behavior
But this also creates risk and challenges
Example sectors: Automotive, Smart cities, Healthcare, Transportation, Energy (smart grid), Supply chain, Access control, Oil and gas
The IoT data protection problem
IoT data transits over many systems such as cloud providers, message brokers, or network proxies
Data is thus exposed to cloud services, foreign entities, criminals, and other third parties
Risks from loss of data control
• Industrial sabotage and fraud
• Data resale to third parties
• Covert collection for BI purposes
• Covert data scanning and analytics
• Business interruption and ransomware
• Non-compliance with privacy regulations
Challenges of IoT data protection
• Web technology insufficient (TLS, PKI)
  • Not end-to-end, client–server only
  • Complex to manage
  • Failure-prone
• Diversity of devices and platforms
• Large number of devices and messages
Teserakt’s solution: E4
Designed to address IoT needs, by renowned experts in security and scalable systems
Full end-to-end data protection
• Highest cryptographic security
• No performance or bandwidth impact
• Dynamic key server to manage devices
• Simple integration:
  • Lightweight client library
  • Virtualized server (containers, VMs)
Core innovations
• Minimal energy consumption and bandwidth usage, thanks to an innovative protocol meticulously designed to minimize costs
• Automation of security policies scaling to arbitrarily many devices/messages; no change needed to the servers, compatible with AWS/Azure/GCP/IBM
• Web UI for simple operation and network monitoring; APIs and command-line interfaces for admin and scripting
E4’s two components
Client library
• Available in C, Go, Java, Python, Rust
• Works on ARM, AVR, MIPS, x86 platforms
• Minimal code and RAM footprint
• Can leverage platforms’ hardware security features/accelerators (TrustZone, AES engine, etc.)
Open-source on our GitHub (APLv2)
[Diagram: device software stack, with layers labelled Business logic, Transport layer and Teserakt security]
Dynamic key server
• Manage devices and message topics
• Automate security policies at scale
• Web and command-line interfaces
• HTTP and gRPC APIs
• Observability, monitoring, analytics
Modern cryptography and security
The right cryptography
• Confidentiality, integrity, authenticity
• Forward/backward secrecy, replay protection
• AES-SIV, Argon2, Curve25519, Ed25519, SHA-3
• FIPS 140-2 mode (AES-GCM, P-256, ECDSA, PBKDF2)
• Minimal overhead (only 24 bytes per message)
Solid security engineering
• Encrypted database records
• TLS links between all internal services
• Support for KMS, software vaults, HSMs, etc.
• Secure-by-default behavior and configuration
• If the key server is down or under attack, devices still receive messages
Server: easy integration & operation
State-of-the-art scalable design
• Written in Go, following modern design principles
• SQL-like database (Postgres, MySQL, MariaDB, etc.)
• Observability with OpenCensus (metrics, tracing)
• High-availability architecture with DB replication
Simple deployment and integration
• Automated via Ansible scripts (a few minutes)
• HTTP/JSON and gRPC/protobuf APIs
• Structured logs suitable for local SIEMs
• On-premise or managed version
Typical deployment over MQTT
[Diagram: devices, key server and broker connected over MQTT; HTTP and gRPC/TLS links between the key server and the monitoring, automation and operator tools]
Teserakt’s client library resides on your devices, and protects data sent to the broker
Teserakt’s key server connects to the network as a client to manage devices’ rights
Monitoring workstation
• Web UI for desktop or mobile platforms
• Dashboard with live data and analytics
• Full key management functionalities
Automation service
• Deploys key rotation policies
• Using shell scripts or our SDK
Operator workstation
• Command-line utility + interactive shell
• Remotely manage keys and permissions
• Support for batch commands and scripts
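The deployment above, shown as an added example that is not Teserakt's code: the device protects each payload under a per-topic key before publishing, the broker sees only ciphertext plus the 24-byte overhead (8-byte timestamp and 16-byte tag), and a subscriber holding the same topic key authenticates, decrypts and rejects replays. AES-SIV is not in the Python standard library, so the cipher here is an assumed SIV-style stand-in built from HMAC-SHA3-256 and SHAKE256; the function names, the 600-second replay window and the topic key are also assumptions.

```python
import hashlib
import hmac
import struct
import time

TS_LEN = 8                    # big-endian UNIX timestamp, seconds
TAG_LEN = 16                  # authentication tag; in SIV style it is also the IV
OVERHEAD = TS_LEN + TAG_LEN   # 24 bytes per message
MAX_AGE = 600                 # replay window in seconds (assumed value)


# Stand-in for AES-SIV (not in the standard library): HMAC-SHA3-256 over
# timestamp || topic || plaintext gives the tag, and the tag seeds a SHAKE256
# keystream, so no separate nonce is sent and an altered tag cannot decrypt.
def _keystream(topic_key, tag, length):
    return hashlib.shake_256(b"e4-demo-enc" + topic_key + tag).digest(length)


def _tag(topic_key, ts, topic, plaintext):
    msg = ts + topic.encode() + plaintext   # binds the message to its topic
    return hmac.new(topic_key, msg, hashlib.sha3_256).digest()[:TAG_LEN]


def protect(topic_key, topic, payload, now=None):
    """Device side: timestamp || tag || ciphertext, published to the broker as-is."""
    ts = struct.pack(">Q", int(time.time()) if now is None else now)
    tag = _tag(topic_key, ts, topic, payload)
    ks = _keystream(topic_key, tag, len(payload))
    return ts + tag + bytes(p ^ k for p, k in zip(payload, ks))


def unprotect(topic_key, topic, message, now=None):
    """Subscriber side: plaintext, or None if the key or topic is wrong, the
    message was altered in transit (e.g. at the broker), or it is replayed."""
    if len(message) < OVERHEAD:
        return None
    ts, tag, ct = message[:TS_LEN], message[TS_LEN:OVERHEAD], message[OVERHEAD:]
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(topic_key, tag, len(ct))))
    if not hmac.compare_digest(tag, _tag(topic_key, ts, topic, plaintext)):
        return None
    (sent,) = struct.unpack(">Q", ts)
    cur = int(time.time()) if now is None else now
    return None if abs(cur - sent) > MAX_AGE else plaintext


if __name__ == "__main__":
    # Constructed sample: a topic key the key server would have given to both
    # the sensor and the subscriber, and one MQTT payload.
    topic_key = hashlib.sha3_256(b"demo topic key material").digest()
    wire = protect(topic_key, "plant1/sensor42/temp", b'{"temp":21.5}', now=1585699200)
    print("broker sees:", wire.hex())
    print("subscriber :", unprotect(topic_key, "plant1/sensor42/temp", wire, now=1585699230))
    print("replayed   :", unprotect(topic_key, "plant1/sensor42/temp", wire, now=1585699200 + 3600))
```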
Technical data sheet
Server enhanced security support
• AWS KMS (with CloudHSM)
• Local HSM (such as Gemalto SafeNet)
• HashiCorp Vault
Client platform requirements
• Symmetric key mode: at least AVR ATmega328
• Public key mode: at least ARM Cortex-M0
• At least 128 bytes of RW local storage
Server components requirements
• 2 GB RAM for core services
• ELK analytics: depends on configuration
• DB: SQL (Postgres, Maria, Cockroach, etc.)
• OpenCensus metrics and tracing: variable
Server protocols support
• Off-the-shelf: MQTT 3.1.1 and 5.0
• Compatible: AMQP, 0MQ, RabbitMQ, Kafka
• Other protocols on demand
Cryptography algorithms
• AES-SIV 256 authenticated encryption (RFC 5297)
• SHA3-256 hashing (NIST FIPS 202)
• Argon2i password hashing
• Ed25519 signatures (RFC 8032)
• X25519 key agreement (RFC 7748)
Client enhanced security support
• Crypto hardware engines
• PKCS#11/SCP11-compatible secure elements
• Execution as a TrustZone enclave
For more information or demo request: [email protected]