INTERNET OF THINGS: Security & Privacy
Chris Adriaensen, Senior Customer [email protected] | @chrisadriaensen | @ForgeRock
© 2016 ForgeRock. All rights reserved.
What about... ROBOTIC BEES
Think about... DEVICE IMPACT
Device: Computer vs. Thing
Security: Virtual Resources (computer) vs. Physical Resources (thing)
Privacy: Provided Data (computer) vs. Sensor Data (thing)
Properties of a thing: Scale & Mobility, Power & Storage
Just keep in mind... GENERAL LAYOUT
Edge (5G / LPN / WiFi / ZB / BLE) -> Platform (Local / Cloud) -> Services (Cloud)
Protocols: MQTT / CoAP (and HTTP(S)) between edge and platform; HTTP(S) between platform and services
Just keep in mind... END-TO-END SECURITY
[Diagram: User -> Device (UI + Sensors) -> Network (Air, optional) -> Service (API)]
User, Device and Service each carry an ID; every hop carries Risk.
Channel types on the diagram: Secure Identified Communication, Semi-Secure Identified Communication, Identified Channel, Unsecure.
Crucial is... ACCESS CONTROL
Identification: Who is there? Providing data (partial / full data set). Optional (Anonymous).
Authentication: Can you prove it? Proving that the data belongs to the claiming entity (full data set). Optional (Implicit Authentication).
Authorization: What is allowed? Determining access based on the data (full data set). Optional (Implicit Authorization).
First comes... IDENTIFICATION
Level | User | Device
Globally Identified | E-mail / Biometrics (unique globally) | IP / URI / Electrometrics (unique globally)
Service Identified | Service Identifier (unique to service) | Service Identifier (unique to service)
Anonymous | Adult / Member / Token (non-unique attributes) | OS / Brand / Token (non-unique attributes)
How to do... IDENTIFICATION
Component | Local | Remote
Request | None / Requested Data | None / Requested Data & Trusted Party List
Response | None / Self-Asserted Data | Remote-Asserted Data (signed assertion by trusted party)
Stored | Local-Asserted Data (unique match required with self-asserted data) | Trusted Party Certificates
Remote column rests on TRUST (PKI).
Examples of... IDENTIFICATION
Web Control: Local / E-mail
Border Control: Remote / National ID
Event Control: Local / Token
Second comes... AUTHENTICATION
Category | User | Device
Knowledge (Secure Storage) | Symmetric / Dynamic | Symmetric / Asymmetric
Accessibility (Secure Access) | Direct / Front / Back (via UI & Sensors) | Direct / Front / Back (via API)
Properties (Secure Capture) | Biometrics / Behavior | Electrometrics / Behavior
How to do... AUTHENTICATION
Component | Local | Remote
Request | None / Requested Input | Nonce / AuthN. Request & Trusted Party List (nonce used to bind response to request)
Response | None / Requested Input | Remote-Asserted AuthN. (signed assertion by trusted party)
Stored | Local-Asserted AuthN. | Nonce / AuthN. Request & Trusted Party Certificates
Remote column rests on TRUST (PKI).
Examples of... AUTHENTICATION
Web Control: Remote / Symmetric
Border Control: Local / Biometrics
Event Control: None
Third comes... AUTHORIZATION
• Reach a decision based on a set of policies.
• Each policy is defined using the following elements:
  • ENTITY: attributes of the entity
  • RESOURCE: resources under protection, both virtual and physical; attributes of the resource
  • ACTION: enter, get, delete, turn-on, turn-off, change, etc.
  • CONTEXT: location, time, identification-level, authentication-level, risk-level, etc.
How to do... AUTHORIZATION
Component | Local | Remote
Request | None | Nonce / AuthZ. Request & Trusted Party List (nonce used to bind response to request)
Response | None | Remote-Asserted AuthZ. (signed assertion by trusted party)
Stored | Local-Asserted AuthZ. | Nonce / AuthZ. Request & Trusted Party Certificates
Remote column rests on TRUST (PKI).
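The three "How to do" tables (identification, authentication, authorization) share one remote pattern: the service stores a nonce and its request, hands the nonce and a trusted-party list to the other side, and accepts only a signed assertion from a listed party that echoes the nonce. The following is an added example, not code from the deck or from ForgeRock, that implements that pattern end to end: a relying service and a trusted party, with the four ways a response must be rejected (untrusted issuer, bad signature, expired, unknown or replayed nonce). The party names, claim names and shared secret are constructed for the example; an HMAC stands in for the PKI signature a real deployment would verify against the trusted party's certificate.

```python
"""Nonce-bound remote assertions: relying service and trusted party.

Added example (not from the original deck). The HMAC over a shared secret
stands in for the trusted party's PKI signature; everything else models the
Request / Response / Stored rows of the "How to do" tables.
"""
import hashlib
import hmac
import json
import secrets
import time


class RelyingService:
    """The party that sends a request and verifies the asserted response."""

    def __init__(self, trusted_parties, now=time.time):
        # Stored, remote column: trusted-party list with verification keys.
        self.trusted = dict(trusted_parties)
        self.outstanding = {}          # Stored: nonce -> outstanding request
        self.now = now

    def request(self, kind, requested=None):
        """Request, remote column: nonce + what is asked + trusted-party list."""
        nonce = secrets.token_urlsafe(16)
        req = {"kind": kind, "requested": requested or [], "nonce": nonce,
               "trusted_parties": sorted(self.trusted)}
        self.outstanding[nonce] = req
        return req

    def verify(self, assertion):
        """Response, remote column: accept only a signed assertion from a listed
        party that echoes an outstanding nonce; each nonce is consumed once."""
        payload, sig = assertion["payload"], assertion["signature"]
        claims = json.loads(payload)
        issuer = claims.get("iss")
        if issuer not in self.trusted:
            return False, "untrusted issuer"
        expected = hmac.new(self.trusted[issuer], payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        if claims.get("exp", 0) < self.now():
            return False, "expired"
        req = self.outstanding.pop(claims.get("nonce"), None)   # single use
        if req is None:
            return False, "unknown or replayed nonce"
        if claims.get("kind") != req["kind"]:
            return False, "assertion kind does not match request"
        return True, claims


class TrustedParty:
    """Identity provider / authorization server that signs assertions."""

    def __init__(self, name, key, now=time.time):
        self.name, self.key, self.now = name, key, now

    def assert_for(self, req, subject, ttl=60, **extra):
        claims = {"iss": self.name, "sub": subject, "kind": req["kind"],
                  "nonce": req["nonce"], "exp": self.now() + ttl, **extra}
        payload = json.dumps(claims, sort_keys=True)   # canonical form to sign
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


def demo():
    """Constructed scenario: one valid assertion and four rejected ones."""
    key = b"constructed-shared-secret"       # stands in for the IdP's key pair
    clock = [1_000_000.0]
    now = lambda: clock[0]
    service = RelyingService({"idp.example": key}, now=now)
    idp = TrustedParty("idp.example", key, now=now)
    rogue = TrustedParty("rogue.example", b"other-key", now=now)
    results = {}

    req = service.request("authentication", requested=["email"])
    assertion = idp.assert_for(req, "alice", email="alice@example")
    results["valid"] = service.verify(assertion)
    results["replay"] = service.verify(assertion)          # same nonce again

    req2 = service.request("authentication")
    results["untrusted"] = service.verify(rogue.assert_for(req2, "alice"))

    req3 = service.request("identification")
    good = idp.assert_for(req3, "alice")
    tampered = json.loads(good["payload"])
    tampered["sub"] = "mallory"                             # payload changed, signature kept
    results["tampered"] = service.verify({"payload": json.dumps(tampered, sort_keys=True),
                                          "signature": good["signature"]})

    req4 = service.request("authorization")
    results["expired"] = service.verify(idp.assert_for(req4, "alice", ttl=-1))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The order of checks matters: issuer and signature are checked before the nonce is consumed, so a forged message cannot burn a legitimate outstanding request.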
How to do... AUTHORIZATION
Resource / Action | Risk
Stop Watering | Low
Open Door | Medium
Set Horizon | High
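The policy elements above (ENTITY, RESOURCE, ACTION, CONTEXT) and the risk table combine naturally: each rule names an action on a resource type, a condition over entity, resource and context attributes, and a risk level that sets the authentication level the context must carry. The following is an added example, not code from the deck or from ForgeRock, of a deny-by-default evaluator over such rules. The attribute names, the sprinkler / door / telescope resources and the 0 / 1 / 2 authentication-level scale are assumptions made for the example.

```python
"""Attribute-based authorization with action risk levels.

Added example (not from the original deck). Rules are written over the four
policy elements from the slide; the risk level of the matched action decides
how strong the authentication level in CONTEXT has to be.
"""
from dataclasses import dataclass
from typing import Callable

# Assumed authentication levels carried in CONTEXT: 0 none, 1 single factor, 2 MFA.
MIN_AUTHN_LEVEL = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Rule:
    action: str
    resource_type: str
    risk: str                                      # from the Resource / Action / Risk table
    condition: Callable[[dict, dict, dict], bool]  # over ENTITY, RESOURCE, CONTEXT


@dataclass
class Request:
    entity: dict
    resource: dict
    action: str
    context: dict


def evaluate(policy, req):
    """Deny by default. The first rule whose action and resource type match and
    whose condition holds decides; its risk level sets the authentication level
    the context must carry."""
    for rule in policy:
        if rule.action != req.action or rule.resource_type != req.resource.get("type"):
            continue
        if not rule.condition(req.entity, req.resource, req.context):
            continue
        have = req.context.get("authn_level", 0)
        need = MIN_AUTHN_LEVEL[rule.risk]
        if have < need:
            return "deny", f"{rule.action} is {rule.risk} risk: authn level {have} below required {need}"
        return "permit", f"rule {rule.action} on {rule.resource_type} ({rule.risk} risk)"
    return "deny", "no applicable rule"


# Constructed policy mirroring the three actions on the slide (resources assumed).
POLICY = [
    Rule("stop-watering", "sprinkler", "low",
         lambda e, r, c: e.get("role") in {"owner", "gardener"}),
    Rule("open", "door", "medium",
         lambda e, r, c: e.get("role") == "owner" and c.get("location") == "home"),
    Rule("open", "door", "medium",
         lambda e, r, c: e.get("role") == "cleaner" and 8 <= c.get("hour", -1) < 18),
    Rule("set-horizon", "telescope", "high",
         lambda e, r, c: e.get("id") == r.get("owner")),
]


def demo():
    """Constructed requests covering permit, wrong context, weak authn, no rule."""
    sprinkler = {"type": "sprinkler", "owner": "alice"}
    door = {"type": "door", "owner": "alice"}
    telescope = {"type": "telescope", "owner": "alice"}
    cases = {
        "gardener_stop_watering": Request({"id": "bob", "role": "gardener"}, sprinkler,
                                          "stop-watering", {"authn_level": 0}),
        "cleaner_open_door_at_night": Request({"id": "carol", "role": "cleaner"}, door,
                                              "open", {"authn_level": 1, "hour": 23}),
        "owner_open_door_weak_authn": Request({"id": "alice", "role": "owner"}, door,
                                              "open", {"authn_level": 0, "location": "home"}),
        "owner_set_horizon_mfa": Request({"id": "alice", "role": "owner"}, telescope,
                                         "set-horizon", {"authn_level": 2}),
        "bob_set_horizon_mfa": Request({"id": "bob", "role": "gardener"}, telescope,
                                       "set-horizon", {"authn_level": 2}),
    }
    return {name: evaluate(POLICY, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

Note the two distinct deny reasons: a request nobody is allowed to make ("no applicable rule") and a request the entity could make with stronger authentication, which is where a step-up prompt belongs.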
Examples of... AUTHORIZATION
Web Control: Local
Border Control: Local
Event Control: Local
Luckily... OPEN STANDARDS
Identification: X.509 Certificate, JSON Web Token (JWT), SAML Assertion
Authentication: OpenID Connect (OIDC), SAML 2.0, WS-Security
Authorization: User Managed Access (UMA), OAuth 2.0, XACML
A bit more about... OAUTH 2.0
Roles: User, Client, Authorization Server, Resource Server
1. Client -> Authorization Server (via the User): Authorization Request
2. User -> Authorization Server: Authorization Request, Authenticate & Consent
3. Authorization Server -> Client: Authorization Grant
4. Client -> Authorization Server: Authenticate (client) & exchange the grant for an Access Token
5. Client -> Resource Server: Access Token
6. Resource Server -> Authorization Server: Token Validation
7. Resource Server -> Client: Protected Resource
And now... OAUTH 2.0 DEVICE FLOW
Roles: User, Client, Authorization Server, Resource Server
1. Client -> Authorization Server: request an Authorization Code (the device gets a code to show the user)
2. Client -> User: Authorization Code (displayed on the device)
3. User -> Authorization Server (from another device): Authorization Code, Authenticate & Consent
4. Client -> Authorization Server (polling): Authenticate & receive Access Token
5. Client -> Resource Server: Access Token
6. Resource Server -> Authorization Server: Token Validation
7. Resource Server -> Client: Protected Resource
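The two OAuth 2.0 sequences above (the generic flow and the device flow) are easier to reason about with all four roles in one place. The following is an added example, not code from the deck or from ForgeRock, that runs the device flow in a single process: the client obtains device and user codes, the user approves on a second device, the client polls the token endpoint and sees the authorization_pending and slow_down answers before it gets a token, and the resource server validates the token against the authorization server before releasing the protected resource. Endpoint and error names follow RFC 8628 (the published device-flow specification); the client IDs, the alarm resource, the scope string and the token format are assumptions made for the example.

```python
"""OAuth 2.0 device flow, all four roles in one process.

Added example (not from the original deck or any ForgeRock product). The
authorization server is a toy: opaque random tokens held in memory, checked by
the resource server through an introspection-style lookup.
"""
import secrets
import time


class AuthorizationServer:
    def __init__(self, clock=time.time, interval=5, code_ttl=600, token_ttl=3600):
        self.clock, self.interval = clock, interval
        self.code_ttl, self.token_ttl = code_ttl, token_ttl
        self.pending = {}   # device_code -> authorization record
        self.tokens = {}    # access_token -> {sub, scope, exp}

    def device_authorization(self, client_id, scope):
        """Device authorization endpoint: client -> AS (step 1 of the slide)."""
        device_code = secrets.token_urlsafe(24)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "status": "pending",
                                     "sub": None, "exp": self.clock() + self.code_ttl,
                                     "last_poll": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",   # assumed URI
                "interval": self.interval, "expires_in": self.code_ttl}

    def user_approves(self, user_code, subject, consent=True):
        """Verification page: the user authenticates on another device and consents."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["status"] == "pending":
                rec["status"] = "approved" if consent else "denied"
                rec["sub"] = subject
                return True
        return False

    def token(self, client_id, device_code):
        """Token endpoint: the client polls until the user has decided."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["exp"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}         # client polled faster than allowed
        rec["last_poll"] = now
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.pending[device_code]              # the code is single use either way
        if rec["status"] == "denied":
            return {"error": "access_denied"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": rec["sub"], "scope": rec["scope"],
                              "exp": now + self.token_ttl}
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": self.token_ttl, "scope": rec["scope"]}

    def introspect(self, token):
        """Token validation: resource server -> AS."""
        info = self.tokens.get(token)
        if info is None or info["exp"] < self.clock():
            return {"active": False}
        return {"active": True, **info}


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_alarm_state(self, bearer):
        """Protected resource (assumed): released only for an active token with the scope."""
        info = self.auth_server.introspect(bearer)
        if not info["active"] or "alarm:read" not in info["scope"].split():
            return 401, None
        return 200, {"owner": info["sub"], "armed": True}


def run_device_flow():
    """Constructed run: approval path with polling errors, a denied device, a bad token."""
    clock = [1000.0]
    as_ = AuthorizationServer(clock=lambda: clock[0])
    rs = ResourceServer(as_)
    dev = as_.device_authorization("thermostat-42", "alarm:read")
    polls = [as_.token("thermostat-42", dev["device_code"]).get("error")]   # pending
    clock[0] += 1                                                           # too soon
    polls.append(as_.token("thermostat-42", dev["device_code"]).get("error"))
    as_.user_approves(dev["user_code"], "alice")                            # second device
    clock[0] += 5
    tok = as_.token("thermostat-42", dev["device_code"])
    status, body = rs.get_alarm_state(tok["access_token"])
    dev2 = as_.device_authorization("camera-7", "alarm:read")
    as_.user_approves(dev2["user_code"], "alice", consent=False)
    denied = as_.token("camera-7", dev2["device_code"]).get("error")
    return {"polls": polls, "status": status, "body": body,
            "denied": denied, "bad_token_status": rs.get_alarm_state("not-a-token")[0]}


if __name__ == "__main__":
    print(run_device_flow())
```

The device itself never sees user credentials: the only secrets it handles are the device code (shared with the authorization server) and, afterwards, the bearer token, which is why this flow suits input-constrained things.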
To end... SUMMARY
Ethics | Access Control | OAuth 2.0
• Internet of Things: Security & Privacy
• Enormous Impact
• Ethics
• End-To-End Security
• Access Control: Identification, Authentication, Authorization
• Local vs. Remote
• Open Standards
• OAuth 2.0 (Device Flow)
• Secure Implementation
AND NOW YOU