iot security and privacy at scale
TRANSCRIPT
Nuviser Inc
Nuviser provides Cloud Advisory Services including Assessment, Strategy,
Program Management and New Product Introduction to Enterprise Clients and
Service Providers. All engagements are led by cloud industry leaders and follow
our cloud acceleration framework.
About Me
BSc. Electrical Engineering, UNB
Large Scale Cloud Infrastructures
Security and Privacy Strategy
IoT/Wireless Architectures
Telecommunications
WINSTON MORTON
CEO, Nuviser Inc
Twitter: @WinstonMorton
GOOD, FAST, OR CHEAP. PICK TWO.
FAST to Market + CHEAP to Produce: won't be Secure.
FAST to Market + SECURE Infrastructure: won't be Cheap.
CHEAP to Produce + SECURE Infrastructure: won't be Fast.
The delicate balance of speed to market and the appropriate level of security.
70% of the time we'll always get it right
SECURITY AND PRIVACY ARE VERY DIFFERENT (ALTHOUGH SOMETIMES LINKED)
Security: the MECHANISMS to protect data assets.
Privacy: the nature of the DATA and how it relates to a person or business.
Examples of Private Data:
Health Records
Phone Records
Bank Records
Home Address
Private Communications and Files
Example Mechanisms:
Corporate Security Policies
Encrypted Communications
Intrusion Prevention Systems
Virtual Private Networks
Firewalls
What is Private Data
Canadian privacy laws apply to any data that can uniquely identify an individual. This can be via direct or indirect means.
Requires explicit consent specifically for the intended use.
Just because people have become accustomed to giving away private data doesn't mean corporations don't have a legal obligation to protect it.
Companies have an obligation to extend private data protection to include third parties.
WHAT MARKET DO WE SERVE.
• Do we serve the business or consumer market?
• Do we REALLY need the data we are collecting?
WHAT DATA DO WE COLLECT.
• Location Information
• Personal Details
WHAT DATA DO WE CREATE.
• Are we correlating different sources of data?
• Are we mining the data for personal features?
WHERE DO WE COLLECT AND STORE DATA.
• Where and how are we acquiring the data?
• Where and how is the data stored?
• Do we share the data with anyone else?
• How long are we keeping the data?
BIG DATA PRIVACY
Defining the Privacy Profile
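The two slides above (what counts as private data, and the privacy-profile questions about what we collect, create, store and keep) can be turned into an ingestion rule that a product actually enforces. The following is an added example, not code from the deck or from Nuviser: it assumes a hypothetical home-sensor product whose collected fields are classified as direct identifiers, indirect identifiers and non-personal data, a 30-day retention period, and a ~1 km location grid. Direct identifiers are replaced with keyed pseudonyms, location is coarsened, fields the product did not decide it needs are dropped on the way in, and expired records are not kept.

```python
import hashlib
import hmac
from typing import Optional

# Constructed privacy profile for a hypothetical home-sensor product (an
# assumption for this example, not a profile from the deck). Each collected
# field is classified the way the deck's questions suggest: does it identify a
# person directly, only in combination with other data, or not at all?
# Anything not listed is data we did not decide we REALLY need, so it is
# dropped at ingestion rather than stored "just in case".
PROFILE = {
    "direct": {"email", "phone"},           # identify a person on their own
    "indirect": {"lat", "lon", "ip"},       # identify a person when correlated
    "non_personal": {"temperature_c", "ts"},
}
RETENTION_SECONDS = 30 * 24 * 3600  # assumed 30-day retention policy
LOCATION_DECIMALS = 2               # ~1 km grid: enough for "near home", not a street


def pseudonymize(value: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed pseudonym.

    A keyed HMAC (not a bare hash) means that someone who obtains the stored
    records cannot recover the identifier by hashing a list of guesses unless
    they also hold the key, which lives outside the data store.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize_record(record: dict, now: float, key: bytes) -> Optional[dict]:
    """Apply the profile to one record. Returns None when the record is expired."""
    ts = record.get("ts")
    if ts is None or now - ts > RETENTION_SECONDS:
        return None  # retention: do not keep what we said we would not keep

    out = {}
    for field, value in record.items():
        if field in PROFILE["direct"]:
            out[field] = pseudonymize(str(value), key)
        elif field in ("lat", "lon"):
            out[field] = round(float(value), LOCATION_DECIMALS)  # coarsen location
        elif field in PROFILE["indirect"]:
            continue  # e.g. client IP: not needed for the product, so not stored
        elif field in PROFILE["non_personal"]:
            out[field] = value
        # any other field falls through and is dropped
    return out


def apply_profile(records: list, now: float, key: bytes) -> list:
    """Run every incoming record through the profile, discarding expired ones."""
    kept = []
    for record in records:
        reduced = minimize_record(record, now, key)
        if reduced is not None:
            kept.append(reduced)
    return kept


if __name__ == "__main__":
    NOW = 1_700_000_000
    KEY = b"constructed-example-pseudonym-key"  # placeholder, not a real secret
    sample = [  # constructed input records
        {"email": "alice@example.com", "lat": 45.9636, "lon": -66.6431,
         "ip": "203.0.113.7", "temperature_c": 21.5, "ts": NOW - 100,
         "debug_trace": "raw sensor dump"},
        {"email": "bob@example.com", "temperature_c": 19.0, "ts": NOW - 40 * 86400},
    ]
    for row in apply_profile(sample, NOW, KEY):
        print(row)
```

The point of putting this at ingestion is the "pivot" problem raised later in the deck: when the product changes what it collects or where it stores data, the profile is one table to update, and the raw identifiers were never written to the store in the first place.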
Most IoT innovation from Startups
Most “Next Generation” IoT frameworks are open-source and undergoing rapid development themselves
Large players investing heavily in IoT and Wireless Innovation
Consolidation on horizon
Some excellent proven development frameworks
Sometimes developers miss the “Plumbing”
THE LEAN STARTUP MOVEMENT
[Diagram: Build-Measure-Learn loop. Ideas -> Design/Build -> Code -> Deploy Code -> Data -> Measure (measure results and test hypothesis) -> Learn -> Ideas. Customer Discovery feeds the build step, Customer Validation feeds the learn step, and a Pivot restarts the loop.]
The Lean Startup allows for rapid iteration of corporate alignment with product and market fit. This experimental approach creates a nimble, customer driven process but can have drastic changes in product function or target markets.
THE "PIVOT" CHALLENGE
Security/Privacy are Contextual and take into account product and the respective market.
- Do we create Different Data?
- Do we serve a Different Market?
- Is the data in a Different Location?
Wireless Network
• 802.11 Client or Access Point Mode
• Full Security Stack (WPA2, EAP, TLS, etc.)
• Hardware Based Encryption
• Full TCP/IP Stack
• 802.11 B/G/N
Rapid Development
• More Than 500 Open Source IP Projects and GROWING
• Full Tool Chain Dev Environment
• Arduino Project Compatible
• Node.js Real Time Application Services
• MQTT Message Client
Embedded Processor
• Integrated low power 32-bit CPU
• Standby power consumption of less than 1.0mW
• Integrated Temperature Sensor
• Up to 16 Digital I/O ports
Game Changers
Ultra-Low Cost Wireless SOC Platforms
• Wi-Fi position system beacons
• Wi-Fi location-aware devices
• Industrial wireless control
• Smart power plugs
• Home automation
• Mesh network
• Baby monitors
• IP Cameras
• Sensor networks
• Wearable electronics
• Security ID tags
$3 ESP8266 Wi-Fi SOC
INTERNET FACING API’s
[Chart: growth from 2007 to 2014, y-axis 0 to 14,000. Source: www.programmableweb.com]
API Calls are the new "Web Hits" of high tech growth.
Machine to Machine connections are exploding. These API's are generally open to Internet based communication and many have not been thoroughly tested for protocol security.
Whole new marketplace for API brokers
Development environments with "Pre-Built" API's such as IBM BlueMix, Microsoft Azure IoT Suite
Value Added API Abstraction Services
IFTTT.Com: "IF my car comes within 1 Km of home THEN open garage door"
Emergence of IoT and API Aggregators
TOP 10 IoT SECURITY CHALLENGES
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
IoT Security
The OWASP Internet of Things (IoT) Top 10 is a project designed to help vendors who are interested in making common appliances and gadgets network/Internet accessible.
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
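Items 2 and 4 of the list above (Insufficient Authentication/Authorization, Lack of Transport Encryption) are the ones a $3 Wi-Fi SoC publishing through an MQTT broker or an API aggregator runs into first. The following is an added example, not code from the deck, from OWASP, or from any ESP8266 project: it assumes a per-device secret provisioned at enrolment, a device id "esp-0001" and a constructed key. The device signs each message with an HMAC over its id, a timestamp, a nonce and the payload; the cloud side checks that the device is known, the timestamp is fresh, the MAC verifies in constant time and the nonce has not been seen. This is a complement to TLS, not a substitute: the MAC authenticates the device and stops replay through intermediaries, while TLS is still what keeps the payload confidential in transit.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Tuple

# Per-device secrets as the cloud side would hold them. Constructed for this
# example: a real deployment provisions a unique key per device at enrolment
# and never ships one shared key inside the firmware image.
DEVICE_KEYS: Dict[str, bytes] = {
    "esp-0001": b"constructed-example-key-for-esp-0001",  # placeholder, not a real secret
}


def _canonical(device_id: str, ts: int, nonce: str, payload: dict) -> bytes:
    """Fixed byte encoding of every field the MAC covers (sorted keys, no spaces)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return "\n".join([device_id, str(ts), nonce, body]).encode("utf-8")


def sign_message(key: bytes, device_id: str, ts: int, nonce: str, payload: dict) -> str:
    return hmac.new(key, _canonical(device_id, ts, nonce, payload), hashlib.sha256).hexdigest()


def build_message(device_id: str, key: bytes, payload: dict, ts=None, nonce=None) -> dict:
    """Device side: what gets published (for example as an MQTT payload)."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    return {"device_id": device_id, "ts": ts, "nonce": nonce, "payload": payload,
            "mac": sign_message(key, device_id, ts, nonce, payload)}


class Verifier:
    """Cloud side: known device, fresh timestamp, valid MAC, unused nonce."""

    def __init__(self, keys: Dict[str, bytes], window_seconds: int = 60):
        self.keys = keys
        self.window = window_seconds
        self._seen: Dict[Tuple[str, str], int] = {}  # (device_id, nonce) -> ts

    def verify(self, msg: dict, now=None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        try:
            device_id, ts, nonce = msg["device_id"], int(msg["ts"]), str(msg["nonce"])
            payload, mac = msg["payload"], str(msg["mac"])
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown_device"
        if abs(now - ts) > self.window:
            return False, "stale"  # replay window; also bounds the nonce cache below
        expected = sign_message(key, device_id, ts, nonce, payload)
        if not hmac.compare_digest(expected, mac):  # constant-time comparison
            return False, "bad_signature"
        self._prune(now)
        if (device_id, nonce) in self._seen:
            return False, "replay"
        self._seen[(device_id, nonce)] = ts
        return True, "ok"

    def _prune(self, now: int) -> None:
        """Forget nonces older than the window; anything older is rejected as stale anyway."""
        cutoff = now - self.window
        for k in [k for k, t in self._seen.items() if t < cutoff]:
            del self._seen[k]


if __name__ == "__main__":
    verifier = Verifier(DEVICE_KEYS, window_seconds=60)
    msg = build_message("esp-0001", DEVICE_KEYS["esp-0001"], {"temp_c": 21.5})
    print(verifier.verify(msg))   # (True, 'ok')
    print(verifier.verify(msg))   # (False, 'replay')
```

The canonical encoding matters more than it looks: if the broker or an aggregator re-serializes the JSON with different key order or whitespace, a MAC computed over the raw bytes would stop verifying, which is why the MAC is computed over a sorted, compact rendering that both ends can reproduce.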
Hackers are also extremely Innovative
Security is increasingly challenging as we expose more data, more interfaces, more mobile devices that can be compromised.
MONETIZED ACTIVITY
ESTABLISHED INDUSTRY
• $400B+ Market
• High returns with low risk
• High value targets
• International cyber programs
• Open source hacking tools
• Hacker groups collaborate at amazing speed.
Source: PwC, The Global State of Information Security® Survey 2015
[Chart: Security Incident Growth. Source: Symantec 2015 Internet Security Threat Report]
Balanced Approach to IoT Security
1. KNOW YOUR CUSTOMER: The nature of the customer creates Context for your security program.
2. LEVERAGE TECHNOLOGY: Security tools are getting much better. Security best practices are well defined.
3. KNOW YOUR DATA: Data is most likely your primary advantage. Learn to protect it.
Privacy and Security are fundamental components of your product design.