TRANSCRIPT
The Identity of Things
Limitations, Markets, and Future Vision
Isaac Potoczny-Jones - CEO of Tozny - [email protected]
Paul Madsen – Ping Identity – [email protected]
Agenda
• Call to Action: Help define the Identity of Things
• Level Setting: Current Markets, Limitations, and Vulnerabilities
• Future Visions: Strategy, Bootstrapping, and Sustainment
What we need from you
Participate, challenge, and question.
Help define the future of the Identity of Things.
Note: I’m including questions in each slide to seed the workshop discussion.
What is IoT? Here is a rough consensus
Lots of devices, many of them low-power, that sense and control things
• Consumer: Smart Home, Wearables, Transportation
• Industrial: Control Systems (SCADA), Heating & Cooling (HVAC)
• Health: Fitness Bands, Medical Devices
Questions: What areas are we missing? How closely do market segments align with risk?
The value of IoT is certain
• Transportation improvements like self-driving cars will save lives
• Fitness and health care wearables can drastically improve outcomes
• Intelligent automation from thermostats to smart grid saves money
Question: What are the best examples of the value of IoT?
Why is IoT Different?
• Low Power: Devices are cheap & batteries need to last for a long time
  • Impacts the strength of crypto and network connectivity
• Large Scale: Lots of devices, distributed by various manufacturers
  • Makes key distribution complex; other problems?
• Lack of User Interfaces: Some devices have no screens or buttons
  • How to use knowledge-based factors like passwords?
• Security Updates: Disconnected systems, or systems that can’t be taken offline
  • Patches don’t get applied, leaving systems vulnerable
Question: How else is IoT different? How does it impact Identity?
Example: Cryptographic Authentication
• Many IoT devices use hard-coded AES keys
• AES is a symmetric cipher that’s cheap enough for low-power devices
• Public/private-key crypto (with a PKI) would make key distribution easier
• But the low-power nature of these devices makes using PKI hard
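One way to keep the per-authentication cost of symmetric crypto while avoiding a single fleet-wide hard-coded key is key diversification: the manufacturer holds one master key and derives each unit’s key from the master and the unit’s serial number, so the back end needs no key database, and a key pulled out of one unit does not let an attacker impersonate the rest of the fleet. The following is an added example written for this page, not code from the talk or from Tozny or Ping Identity; the keys, serial numbers and message framing are constructed, and HMAC-SHA256 stands in for AES-CMAC because it is in the Python standard library (the structure is the same).

```python
import hashlib
import hmac
import os

# Constructed keys for the example; a real master key lives in an HSM or
# secure element, and the fleet key models the "same AES key in every unit" design.
MASTER_KEY = hashlib.sha256(b"example master key").digest()
FLEET_KEY = hashlib.sha256(b"example shared key").digest()


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF over length-prefixed fields, so 'ab'|'c' != 'a'|'bc'.
    HMAC-SHA256 stands in for AES-CMAC (assumption, for stdlib-only code)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    """Key diversification: K_dev = PRF(K_master, "device-key", device_id).
    Knowing K_master and the serial number is enough to rebuild K_dev later."""
    return prf(master_key, b"device-key", device_id)


class Device:
    """Constrained device: holds one key and answers a challenge with one MAC."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id
        self._key = key  # provisioned at manufacture

    def respond(self, challenge: bytes) -> bytes:
        return prf(self._key, b"auth", self.device_id, challenge)


class Backend:
    """Server side. diversified=False models the fleet-wide shared-key design;
    diversified=True re-derives every device's key from the master on demand."""

    def __init__(self, root_key: bytes, diversified: bool):
        self._root = root_key
        self._diversified = diversified

    def key_for(self, device_id: bytes) -> bytes:
        if self._diversified:
            return derive_device_key(self._root, device_id)
        return self._root  # every unit shares the same hard-coded key

    def new_challenge(self) -> bytes:
        return os.urandom(16)  # fresh each time, so a captured response cannot be replayed

    def verify(self, device_id: bytes, challenge: bytes, response: bytes) -> bool:
        expected = prf(self.key_for(device_id), b"auth", device_id, challenge)
        return hmac.compare_digest(expected, response)


def authenticate(backend: Backend, device: Device) -> bool:
    c = backend.new_challenge()
    return backend.verify(device.device_id, c, device.respond(c))


def legitimate_succeeds(diversified: bool) -> bool:
    """A genuine unit B with its provisioned key authenticates."""
    root = MASTER_KEY if diversified else FLEET_KEY
    backend = Backend(root, diversified)
    unit_b = Device(b"SN-B-0002", backend.key_for(b"SN-B-0002"))
    return authenticate(backend, unit_b)


def impersonation_succeeds(diversified: bool) -> bool:
    """Attacker extracts the key from unit A (cheap with physical access) and
    tries to authenticate as unit B. True means the design failed."""
    root = MASTER_KEY if diversified else FLEET_KEY
    backend = Backend(root, diversified)
    unit_a = Device(b"SN-A-0001", backend.key_for(b"SN-A-0001"))
    stolen = unit_a._key
    forged_b = Device(b"SN-B-0002", stolen)
    return authenticate(backend, forged_b)


if __name__ == "__main__":
    print("fleet-wide key, genuine unit :", legitimate_succeeds(False))
    print("fleet-wide key, forged unit  :", impersonation_succeeds(False))
    print("per-device key, genuine unit :", legitimate_succeeds(True))
    print("per-device key, forged unit  :", impersonation_succeeds(True))
```

The device-side cost is identical in both designs (one MAC per authentication), which is why diversification is a common answer to the key-distribution problem on parts too small for public-key operations. What it does not solve is revocation of a compromised unit or protection of the master key itself, which is where the back end still needs a PKI-grade key-management story.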
“IoT Risk” is hard to define
• Low Risk: Some devices have low to moderate risk
  • Smart home, fitness bands, entertainment
• High Risk: Other devices have life & death consequences
  • Medical, SCADA, HVAC, vehicles
• Challenge: How to understand risk in multi-device systems?
  • A motion sensor in your house turns on the coffee pot in the morning
  • The same motion sensor in your neighbor’s house calls the police
• Blurred Lines: Composing different types of IoT in one system
  • Your car’s entertainment system might not be properly segregated from the brakes
Question: How do we handle “IoT Risk” when devices get composed into a greater whole?
Lack of Standards and Best Practices
• Many IoT devices have almost no communication security
  • Everything happens unauthenticated, in the clear
• Others use standards with relatively weak crypto
  • Zigbee and Z-Wave have not had the scrutiny of Wi-Fi and Bluetooth
• Key distribution is far from solved
  • I’ve seen AES keys printed in user manuals – security through obscurity
  • Some vulnerable devices re-key on command – defeating auth altogether
Question: What standards and best practices would most help IoT?
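The “re-key on command” flaw above, and the fix, as an added example for this page (not code from the talk or from any product mentioned): a naive device installs whatever key the next REKEY frame carries, so an attacker who can reach it on the network chooses the key and then passes every later command check; the hardened device accepts a REKEY only if it is MAC’d under the current key and carries a strictly increasing counter, and it derives the new key from the old one rather than receiving it over the air. The frame layout, keys and the UNLOCK command are constructed for the example, and HMAC-SHA256 stands in for the AES-CMAC a real device would use.

```python
import hashlib
import hmac
import os


def mac(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 stands in for AES-CMAC (assumption, stdlib only)
    return hmac.new(key, msg, hashlib.sha256).digest()


class NaiveDevice:
    """Re-keys on command without authenticating the command. Commands are
    MAC-checked, but the check is worthless once an attacker chose the key."""

    def __init__(self, key: bytes):
        self.key = key

    def handle_rekey(self, frame: bytes) -> bool:
        self.key = frame  # trusts the network completely
        return True

    def handle_command(self, frame: bytes) -> bool:
        cmd, tag = frame[:-32], frame[-32:]
        return hmac.compare_digest(tag, mac(self.key, b"cmd|" + cmd))


class HardenedDevice(NaiveDevice):
    """REKEY must be MAC'd under the current key and carry a strictly increasing
    counter (replay/rollback protection). The new key is derived from the old
    key and the frame, so no key ever crosses the air."""

    FRAME_LEN = 4 + 16 + 32  # counter || nonce || tag (constructed layout)

    def __init__(self, key: bytes):
        super().__init__(key)
        self.counter = 0

    def handle_rekey(self, frame: bytes) -> bool:
        if len(frame) != self.FRAME_LEN:
            return False
        body, tag = frame[:20], frame[20:]
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.counter:
            return False  # replayed or rolled back
        if not hmac.compare_digest(tag, mac(self.key, b"rekey|" + body)):
            return False  # sender does not hold the current key
        self.key = mac(self.key, b"derive|" + body)
        self.counter = counter
        return True


class Controller:
    """Legitimate key holder: builds authenticated REKEY frames and commands."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def rekey(self, device: HardenedDevice) -> bytes:
        """Returns the frame that was sent, so eavesdropping can be simulated."""
        self.counter += 1
        body = self.counter.to_bytes(4, "big") + os.urandom(16)
        frame = body + mac(self.key, b"rekey|" + body)
        if device.handle_rekey(frame):
            self.key = mac(self.key, b"derive|" + body)  # stay in step with the device
        return frame

    def command(self, device: NaiveDevice, cmd: bytes) -> bool:
        return device.handle_command(cmd + mac(self.key, b"cmd|" + cmd))


def attack(device: NaiveDevice) -> bool:
    """Attacker on the network who never learns the provisioned key.
    Returns True if the device ends up executing the attacker's UNLOCK."""
    attacker_key = os.urandom(32)
    forged = (2**31).to_bytes(4, "big") + os.urandom(16) + os.urandom(32)
    device.handle_rekey(forged)        # well-formed frame, bogus tag
    device.handle_rekey(attacker_key)  # raw key, as the naive device expects
    return device.handle_command(b"UNLOCK" + mac(attacker_key, b"cmd|UNLOCK"))


def attack_naive() -> bool:
    return attack(NaiveDevice(os.urandom(32)))


def attack_hardened() -> bool:
    provisioned = os.urandom(32)  # constructed, unknown to the attacker
    device = HardenedDevice(provisioned)
    controller = Controller(provisioned)
    captured = controller.rekey(device)             # legitimate re-key, eavesdropped
    replay_accepted = device.handle_rekey(captured)  # counter check rejects it
    return attack(device) or replay_accepted


def legitimate_hardened() -> bool:
    provisioned = os.urandom(32)
    device = HardenedDevice(provisioned)
    controller = Controller(provisioned)
    controller.rekey(device)
    return controller.command(device, b"UNLOCK")


if __name__ == "__main__":
    print("naive device, attacker UNLOCK accepted   :", attack_naive())
    print("hardened device, attacker UNLOCK accepted:", attack_hardened())
    print("hardened device, controller UNLOCK       :", legitimate_hardened())
```

The counter is the part most often left out in practice: without it, a captured REKEY frame can be replayed to roll a device back to a key the attacker has since extracted. Derived-key rotation also means a device that loses a frame falls out of step with the controller, so a real protocol needs an acknowledged commit or a recovery path, which the example omits.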
Future Vision: The IoT Should Be:
• Authenticated and Secure: It should be a part of the internet…
  • While maintaining appropriate segregation
• Interoperable and Compositional: Protocols that work together
  • Applies to auth, crypto, and wireless
• Privacy-Preserving: Take users into account
  • Including the wide variety of users that a single device might “see”
• Risk-Based: Balance the limitations of IoT against the risk
  • Power, networking, crypto, and UI
Question: What’s important to you about the future of the Identity of Things?
Strategy Overview
• Defining the Strategy: Where are we trying to go?
• Bootstrapping: How can we get started?
• Sustainment: How do we keep forward progress?
You have a unique opportunity to be part of this process!
Defining the Strategy
• What existing technologies most closely align with unique IoT needs?
• What are the unique IoT constraints that will impact technologies?
• Who are the key stakeholders in industry and government?
Question: What are the most important aspects of the strategy to you and your org?
Bootstrapping
• Surface best practices for enrollment and authentication
  • Device-to-device, device-to-net, user-to-device
• Develop protocols and standards
  • How to get them widely deployed to improve interoperability?
• Identify and fill gaps in cybersecurity and risk management standards
  • Do existing standards effectively apply to IoT?
• Experiment with innovative products
  • Demonstrate best practices and unique opportunities
Question: How can we bring industry and government groups together with projects that will remove barriers and spur innovation?
Sustainment
• Develop reusable and open infrastructure for auth and security
• Incentivize hardware and software developers to build on that
• Upgrade, augment or layer security on top of legacy infrastructure
Question: How can we leverage the growth of the IoT market to sustain robust shared infrastructure?
Workshop Groups: 4PM – Room 18-19
• Group 1: Current State
  • IoT Challenges, Auth, Security, and Privacy
• Group 2: Future Vision
  • IoT Requirements: A Joint Future Vision
  • IoT Opportunities and Technologies
Pre-Conference Paper: https://t.co/2YesLIxjlu
Workshop Outcomes
• Post-conference papers to document what we learn
  • Starting with these talks and discussions
  • Plus the pre-conference papers
• Volunteers to help provide input, write, and review
• Remember: Chatham House Rule
  • Participants are free to use the information received, but neither the identity nor the affiliation of the speakers, nor that of any other participant, may be revealed.
The Identity of Things
Thank You!
Isaac Potoczny-Jones - CEO of Tozny - [email protected]
Paul Madsen – Ping Identity – [email protected]