© 2016 ForgeRock. All rights reserved.
Security & Identity for the Internet of Things
[email protected], Technical Product Manager, @SimonMoffatt
[email protected], Product Marketing Director
ForgeRock: the leading, next-generation identity security software platform, driving digital business.
2010: Founded
10: Offices worldwide, with headquarters in San Francisco
400+: Employees
600+: Enterprise customers
50% Americas / 50% International commercial revenues
30+: Countries
Identity For Everyone And Every Thing
Internet of Things: Not Just for Tomorrow, But for Today
#1 Recent IoT Attacks
#2 IoT Security Best Practices
#3 Device & Identity Pairing
#4 IoT Data Sharing
#5 Summary
Recent IoT Attacks
The IoT - An Evolving Attack Vector
2012 – New gadgets enter the consumer market, focused on basic connectivity. “Hacks for Headlines” - home CCTV cameras, “smart-toys”, baby monitors
2014 – Luxury goods, personal health monitors become commonplace. Connected car vulnerabilities exposed, PII risks identified
2016 – Mass produced replica devices & secondary markets - “everything connected”. Use of devices as bot-net armies, proxies, 3rd party attack vectors
Impact & Consequences
Personal data loss at the device
Brand damage for manufacturers
Security becomes inhibitive & expensive
Identity data easier to harvest
New 3rd party attack victims emerge – e.g., insurance providers
DDoS planners have a new attack vehicle
Data sharing becomes complex and silo’d
IoT Security Best Practices
IoT Security Best Practices
Modern, updatable OS
Modern, updatable firmware
No hard-coded passwords
Use of HTTPS / modern TLS
Root access & accounts disabled
Secure / trusted token storage area
Disable non-essential services & ports
Perform device authentication
Default passwords changeable on 1st use
Device created with some unique, immutable identifier – MAC, certificate
Synchronized and activated in central store
Device authenticates - to download API details, client credentials
Device & Identity Pairing
Simple out of band pairing
Device should have scoped permissions
Device needs to represent user to APIs & services
Bind a token to a device – reduce impact of token theft from MITM
Need to pair a device to a person
Revoke device access when device is lost, stolen or sold
Device Pairing Requirements
Device often has limited input capability and UI
“Pin & Pair” - user enters a unique device code out of band on their laptop/tablet
Device receives scoped access, with simple revocation
Device accesses services on the user's behalf
Simple out of band pairing
Smart Guitar demo at the London Identity Summit, Oct 2016 - https://youtu.be/MUoicwT9s34
1 - Start registration
2 - Device gets code
3 - User enters code out of band on web page
4 - Device polls AS then pairs
5 - Device gets access token
6 - Device uses token against service
7 - Device can be revoked via end user dashboard
Images courtesy of Jon Knight, UK Customer Engineering
OAuth2 Device Pairing Flow - “Demo”
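The seven-step pairing flow above, as an added example that is not from the original deck and not ForgeRock's code: an in-memory authorization server in Go that issues a device_code/user_code pair, takes the user's out-of-band approval, answers the device's polling with "authorization_pending" until then, and lets the end user revoke the token. All codes, the user name and the map layout are constructed for the example.

```go
package main

import "crypto/rand"
import "encoding/hex"

// AS is an in-memory stand-in for the OAuth2 authorization server (constructed
// for this example, not ForgeRock's implementation).
type AS struct {
	userCode map[string]string // device_code -> user_code
	approved map[string]string // user_code -> approving user ("" = still pending)
	tokens   map[string]string // access_token -> user the device acts for
}

func NewAS() *AS { return &AS{map[string]string{}, map[string]string{}, map[string]string{}} }
func randHex(n int) string { b := make([]byte, n); rand.Read(b); return hex.EncodeToString(b) }

// Steps 1-2: device starts registration; the long device_code stays on the device,
// the short user_code is what its limited display shows the user.
func (a *AS) DeviceAuthorize() (deviceCode, userCode string) {
	deviceCode, userCode = randHex(16), randHex(4)
	a.userCode[deviceCode], a.approved[userCode] = userCode, ""
	return
}

// Step 3: the user enters the user_code out of band on the AS web page and approves.
func (a *AS) UserApprove(userCode, user string) bool {
	if _, ok := a.approved[userCode]; !ok {
		return false // unknown code: nothing to approve
	}
	a.approved[userCode] = user
	return true
}

// Steps 4-5: device polls with device_code and gets "authorization_pending" until
// the user approves, then an access_token. The device_code is consumed (one-shot).
func (a *AS) Poll(deviceCode string) (token, status string) {
	uc, ok := a.userCode[deviceCode]
	if !ok {
		return "", "invalid_grant"
	} else if a.approved[uc] == "" {
		return "", "authorization_pending"
	}
	token = randHex(16)
	a.tokens[token] = a.approved[uc]
	delete(a.userCode, deviceCode)
	return token, "ok"
}

// Step 6: the service introspects the token to learn on whose behalf the device acts.
func (a *AS) Introspect(tok string) (user string, active bool) { user, active = a.tokens[tok]; return }

// Step 7: the end-user dashboard revokes a lost, stolen or sold device's token.
func (a *AS) Revoke(tok string) { delete(a.tokens, tok) }
```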
Protect access_token through device binding
Device may not use HTTPS or a secure token storage area – need a method to protect against hijacking or MITM
Use proof-of-possession, with the public key being baked into the access_token
Provides the RS an ability to initiate challenge-response to prove the correct owner
Token request with pub key
Resource server uses key for challenge response
OAuth2 Proof-of-Possession Token Safety
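The proof-of-possession binding described above, as an added example (not ForgeRock's code; the token layout, the names and the resource server's nonce bookkeeping are assumptions): the device submits an Ed25519 public key with its token request, the AS bakes it into the token, and the resource server runs a one-time nonce challenge-response that only the holder of the matching private key can answer.

```go
package main

import "crypto/ed25519"
import "crypto/rand"

// PoPToken models an access_token that carries the device's public key (the "cnf"
// claim of RFC 7800) rather than being a pure bearer secret. Constructed for this
// example; it is not ForgeRock's token format.
type PoPToken struct {
	Subject, Scope string
	Cnf            ed25519.PublicKey // key the device presented in its token request
}

// NewDeviceKey runs on the device; the private half never leaves it.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// IssueToken is the AS side of "token request with pub key": bind, don't just bear.
func IssueToken(subject, scope string, pub ed25519.PublicKey) PoPToken {
	return PoPToken{subject, scope, pub}
}

// Answer is the device's reply to a challenge: the nonce signed with its private key.
func Answer(priv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(priv, nonce) }

// RS is the resource server; it remembers each nonce it has handed out.
type RS struct{ outstanding map[string]bool }

func NewRS() *RS { return &RS{map[string]bool{}} }

// Challenge gives the presenter a fresh one-time nonce to sign.
func (rs *RS) Challenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	rs.outstanding[string(nonce)] = true
	return nonce
}

// Verify accepts the token only if an outstanding nonce was signed by the cnf key, then
// retires the nonce: a token lifted by MITM or from insecure storage is useless without
// the device's private key, and a captured answer cannot be replayed.
func (rs *RS) Verify(tok PoPToken, nonce, answer []byte) bool {
	if !rs.outstanding[string(nonce)] {
		return false
	}
	delete(rs.outstanding, string(nonce))
	return ed25519.Verify(tok.Cnf, nonce, answer)
}
```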
IoT Device Data Sharing
Simple out of band pairing
Leverage simple standards for fast integration
Ability for end user to perform simple approval
Ability for authorization policies to be created by end user, not an admin
Ability to perform simple revocation
Ability to share arbitrary data from a device to other users or services
IoT Data Sharing Requirements
Simple out of band pairing
Ability to perform simple revocation
Ability to share arbitrary data from a device to other users or services
User-Managed Access
Devices registered & managed
Devices make data! Needs protecting...
Device accesses services on the user's behalf
Simple out of band pairing
Ability for data owner to make well informed and consent driven decisions
Ability for data owner to make easy access revocation decisions across
User-Managed Access
Summary
Attacks becoming more frequent and more complex…
Devices need local protection
Devices need pairing to identities
Cloud services need protecting too
IoT platforms need identity embedded
Questions and Comments
Thank You