Security for IOT

Security for iot and cloud aug 25b 2017


Page 1: Security for iot and cloud aug 25b 2017

Security for IOT

Page 2: Security for iot and cloud aug 25b 2017

By year-end 2020, IoT risk and security needs will add an average of 2% to the total IoT project costs, up from 0% today.

Supply chain security needs through 2021 will account for 15% of total IoT security spend, up from less than 1% today.

IoT security solutions enable organizations to securely manage IoT devices, ensure IoT endpoint and data security, and perform asset discovery.

IoT security and risk management leaders should use this research to understand how to evaluate and select solutions to meet their IoT security requirements.

Source: Gartner

Page 3: Security for iot and cloud aug 25b 2017

Three eclectic types of product vendors are emerging for securing IoT: embedded trust; device identity and key/credential management; and real-time visibility and control.

Clients who are performing proof-of-concept trials are getting better clarity about a product's compatibility with their organization's environment and requirements.

Low complexity in IoT deployment, flexibility of IoT security controls, ease of integration and competitive product pricing are the main selection criteria for IoT security and risk management leaders.

Source: Gartner

Page 4: Security for iot and cloud aug 25b 2017

IoT security and risk management leaders selecting an IoT security solution should:

• Justify investment in IoT security by evaluating the impact of improved visibility and control on the organization's risk exposure.

• Engage with vendors that offer technical support and professional services help during proof-of-concept trials to mitigate risks and to ensure a smooth alternative analysis.

• Determine which security solutions are already installed on the IoT network, and then identify and favor IoT security products that have direct integration with these existing solutions.

Source: Gartner

Page 5: Security for iot and cloud aug 25b 2017

The scale of security risks in the Internet of Things (IoT) era is therefore much greater than in the pre-IoT environment, and the "attack surface" is much larger.

Most sensor based things have minimal computing resources, and the opportunities for antivirus, encryption and other forms of protection within things are more restricted.

Therefore, IoT security products with a variety of capabilities emerged to help dispel some of these challenges.

These IoT security products help IoT security and risk management leaders:

Source: Gartner

Page 6: Security for iot and cloud aug 25b 2017

Device management:

• Tackle secure cryptographic key provisioning and management challenges in cases in which the mass number of IoT devices deployed simultaneously and their environmental characteristics create a challenge.

• Provide the quick, secure, scalable and device-independent identity, access and relationship management experience that customers, partners and suppliers are looking for.

• Have a means to provision IoT devices by downloading software, patches, updates and other information periodically (a common requirement for security management systems).

Source: Gartner

Page 7: Security for iot and cloud aug 25b 2017

Endpoint and data security:

• Protect endpoints in cases in which traditional authentication and cryptography cannot be implemented due to resource constraints and long device life cycles outliving encryption effectiveness.

• Obtain anti-tampering functions for devices used in high-risk environments, as IoT devices require strong device identity and a root of trust as a foundation.

• Satisfy personal data privacy expectations between individuals and organizations in the IoT era.

Source: Gartner

Page 8: Security for iot and cloud aug 25b 2017

Asset discovery:

• Detect IoT devices in enterprise networks when these devices are part of proprietary or non-IT-standard engineering networks, or if they aren't continuously connected.

• Build an effective IoT "asset database" complete with attributes and entitlements for access by those devices (a major requirement of identity and access management as well as IT asset management [ITAM] systems).

Evaluators and buyers of IoT security products are security and risk management leaders who are trying to establish end-to-end trust — from chip to cloud — in their IoT use cases across all industry verticals and domains.

Multiple and wide-ranging IoT security technology providers are evolving to address these technical requirements and the business opportunities.

Source: Gartner

Page 9: Security for iot and cloud aug 25b 2017

Product vendors, with varied levels of consulting and professional services capabilities, in the IoT security market involve:

• Embedded trust vendors that provide a hardware root of trust — that is, a foundation to secure a wide variety of functions at the endpoint.

• Device identity and key/credential management vendors that offer IoT-scale, federated and secure device management implementations.

• Real-time visibility and control vendors that offer complete real-time visibility and control for every network-connected IoT device.

Source: Gartner

Page 10: Security for iot and cloud aug 25b 2017

The threat of a limited availability of security skills is also changing the manner in which IoT systems are managed and operated, resulting in more automation and more cognitive security controls.

To enable effective automation of functions originally performed by people in security operations centers, vendors are embracing technologies, such as machine learning and artificial intelligence.

High-profile cyberattacks and attempted compromises in the connected automobile and medical device industries have driven early security spend (digital as well as IoT-specific) in those verticals.

The effects of these attacks also highlight the overlapping safety regulation and general safety management impacts of digital security.

Source: Gartner

Page 11: Security for iot and cloud aug 25b 2017

The potential scale of many IoT deployments drives market changes in how security monitoring, detection and response must take place.

Cloud-based security services will play an indispensable role in providing IoT security due to the scale of services required: IoT will not be viable in the long term without the cloud.

The diversity of IoT devices and their life cycles drive hybrid security solutions for legacy and modern IoT deployments, depending on the vertical industry.

Authentication for IoT devices will generate a substantial market opportunity. The support for root of trust in devices and the "identity of things" model will drive centralized and federated key and certificate management services, lightweight encryption adoption, and multifactor authentication in security markets.

Source: Gartner

Page 12: Security for iot and cloud aug 25b 2017

Smart city projects are spreading across regions at a fast pace.

These projects are developed in close integration with IoT, technology and security related elements from utility, automotive and manufacturing industries as part of advanced metering infrastructure, connected cars and smart home initiatives.

The compound spend on IoT security relating to government, utility, building and facilities automation, and manufacturing will continue to grow.

From a design and economics perspective, the balance of spending between IoT endpoints and IoT gateways will shift toward a gateway-centric deployment model over time.

We project that 2019 will be the tipping point at which gateway security spending surpasses endpoint security spending.

Source: Gartner

Page 13: Security for iot and cloud aug 25b 2017

Most IoT security products from established traditional IT security vendors or small/midsize new entrants are only in their development or proof-of-concept stage. While vendors are working on improving their product and service offerings, IoT leaders, and security and risk management leaders should work with IoT security consultants to:

• Assess integration points in their networks for IoT implementations, and determine gaps in capability and infrastructure.

• Assess risk exposure from IoT-related initiatives, and assess their organization's security posture.

• Keep a record of all of their IoT assets, from sensors to large industrial equipment, and have visibility into their whole IoT networks and topologies.

• Analyze regulatory exposure to IoT security requirements.

• Work on developing in-house IoT security expertise, and familiarize themselves with successful implementations in their verticals (with the help of partnerships or consortia activities).

• Assign enterprise ownership for IoT technologies that are not already claimed by a business unit.

• Join neutral consortia activities to gain access to IoT ecosystems.

Source: Gartner

Page 14: Security for iot and cloud aug 25b 2017

IoT leaders should use a scenario-driven approach in selecting discovery and provisioning solutions, and should not attempt to acquire a "one size fits all" product or service at this stage. The number and type of IoT devices and support systems will continue to resist clear classification until at least 2018.

IoT leaders should not make large-scale investments in discovery, provisioning, access and data protection at this stage until product and service boundaries are more clearly defined. Where possible, consider short-term, service-based leasing and minimal customization.

Adopt authentication frameworks that are flexible and meet the interoperability requirements for all classes of devices in operation. Use trusted computing techniques, such as hardware root of trust (HRoT), for device authentication to achieve the highest possible identity assurance.

Press the device manufacturers and authentication solution providers to explore new context data points — derived at various operational stages — and utilize them in determining the risks associated with a particular device operation.

Assess product and service providers' preparedness for significant shifts in their product and service roadmaps, depending on their target markets. Significant integration may be required, and more specific choices in industry vertical solutions could result.

Source: Gartner

Page 15: Security for iot and cloud aug 25b 2017

Security for IOT and Cloud

Page 16: Security for iot and cloud aug 25b 2017

IoT is a Paradise for Hackers

Source: HP Security Research

Almost 90 percent of the devices collect personal information such as name, address, date of birth, email, credit card number, etc., and send it in unencrypted form to the cloud and big data systems, thus endangering the privacy of users.

Page 17: Security for iot and cloud aug 25b 2017

26 billion devices on the Internet of Things by 2020 (Gartner)

15 billion existing devices connected to the internet (Intel)

Not adequately protected at the device level

• Cannot wait for a new generation of secure devices to be developed

Require robust and layered security controls

90% of world's data generated over last two years

Page 18: Security for iot and cloud aug 25b 2017

Ecosystems will transform fragmented wearables market

Page 19: Security for iot and cloud aug 25b 2017

Security Threats of Connected Medical Devices

The Department of Homeland Security

• Investigating 2 dozen cases of suspected cyber security flaws in medical devices that could be exploited

• Can be detrimental to the patient, creating problems such as instructing an infusion pump to overdose a patient with drugs or forcing a heart implant to deliver a deadly jolt of electricity

• Encrypt medical data that’s stored

PricewaterhouseCoopers study

• $30 billion annual cost hit to the U.S. healthcare system due to inadequate medical-device interoperability

Source: www.computing.co.uk/ctg/opinion/2390029/security-threats-of-connected-medical-devices#

Page 20: Security for iot and cloud aug 25b 2017

Security for Cloud

Page 21: Security for iot and cloud aug 25b 2017

95% of cloud security failures will be the customer's fault

Source: Gartner

Page 22: Security for iot and cloud aug 25b 2017

Sensitive Data in the Cloud

82% of organizations currently transfer (or plan to transfer) sensitive/confidential data to the cloud in the next 24 months.

Page 23: Security for iot and cloud aug 25b 2017

Lack of Cloud Confidence

2/3: the number of survey respondents that either agree or are unsure that cloud services used by their organization are NOT thoroughly vetted for security

Page 24: Security for iot and cloud aug 25b 2017

Data Breach: Cloud Multiplier Effect

2x: A data breach in the cloud can be 2x more costly. 66 percent of respondents say their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information and 64 percent believe it makes it difficult to secure business-critical applications

Page 25: Security for iot and cloud aug 25b 2017

What Is Your No. 1 Issue Slowing Adoption of Public Cloud Computing?

Page 26: Security for iot and cloud aug 25b 2017


Threat Vector Inheritance

Page 27: Security for iot and cloud aug 25b 2017

Data Security Holding Back Cloud Projects


Source: Cloud Adoption Practices & Priorities Survey Report January 2015

Page 28: Security for iot and cloud aug 25b 2017

Security of Data in Cloud at Board-level


Source: Cloud Adoption Practices & Priorities Survey Report January 2015

Page 29: Security for iot and cloud aug 25b 2017

High-profile Cyber Attacks

49% recommended Database security

40% of budget still on Network security, only 19% to Database security

Conclusion: Organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification

Page 30: Security for iot and cloud aug 25b 2017

CHALLENGE

How can we secure data in the new perimeter-less environments?

Page 31: Security for iot and cloud aug 25b 2017

Security Solutions

Page 32: Security for iot and cloud aug 25b 2017

SOLUTION

Fine Grained Data Security

Page 33: Security for iot and cloud aug 25b 2017

Data-Centric Audit and Protection (DCAP)

Source: Gartner – Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014

Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act

By 2018, data-centric audit and protection strategies will replace disparate siloed data security governance approaches in 25% of large enterprises, up from less than 5% today

Page 34: Security for iot and cloud aug 25b 2017

Data-Centric Audit and Protection (DCAP)

Centrally managed security policy

Across unstructured and structured silos

Classify data, control access and monitoring

Protection – encryption, tokenization and masking

Segregation of duties – application users and privileged users

Auditing and reporting

Source: Gartner – Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014

Page 35: Security for iot and cloud aug 25b 2017

Centralized Policy Management - Example

[Diagram: an Enterprise Security Administrator defines Policy centrally and pushes it to a Protector on each silo: Application, File Servers, RDBMS, Big Data, Gateway Servers, MPP, HP NonStop Base24, IBM Mainframe and Cloud Protection Servers. Each Protector writes an Audit Log, and the audit logs are collected for the Security Officer.]

Page 36: Security for iot and cloud aug 25b 2017

Enterprise Data Security Policy

What: What is the sensitive data that needs to be protected.

How: How you want to protect and present sensitive data. There are several methods for protecting sensitive data.

Who: Who should have access to sensitive data and who should not. Security access control.

When: When should sensitive data access be granted to those who have access. Day of week, time of day.

Where: Where is the sensitive data stored? This will be where the policy is enforced.

Audit: Audit authorized or un-authorized access to sensitive data.
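A worked example of the six policy dimensions above as a single decision function, added here and not code from the deck or from any product it references. The roles, rules, sample card number and key are constructed; the tokenize helper is a keyed HMAC substitute, not a vendor's tokenization algorithm.

```python
"""Field-level policy decision for sensitive data along the slide's
What / Who / When / Where / How / Audit dimensions (added example)."""
from dataclasses import dataclass
from datetime import datetime
import hashlib
import hmac

TOKEN_KEY = b"constructed-demo-key"  # constructed; a real deployment keys this from an HSM/KMS


@dataclass(frozen=True)
class Rule:
    field: str          # What: the sensitive field the rule covers
    roles: frozenset    # Who: roles the rule applies to
    stores: frozenset   # Where: silos in which the policy is enforced
    days: frozenset     # When: weekdays allowed (0 = Monday ... 6 = Sunday)
    hours: range        # When: hours of day allowed
    how: str            # How: "clear", "masked", "tokenized" or "deny"


def mask(value: str) -> str:
    """Masking: only the last four characters stay in clear."""
    return "*" * (len(value) - 4) + value[-4:]


def tokenize(value: str) -> str:
    """Deterministic keyed substitute of the same length, digits only."""
    digest = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in digest)[: len(value)]


PRESENT = {"clear": lambda v: v, "masked": mask, "tokenized": tokenize}


class PolicyEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.audit = []  # Audit: every decision, authorized or not, is recorded

    def decide(self, role: str, field: str, store: str, when: datetime) -> str:
        for r in self.rules:
            if (r.field == field and role in r.roles and store in r.stores
                    and when.weekday() in r.days and when.hour in r.hours):
                return r.how
        return "deny"  # no matching rule: default deny

    def access(self, user: str, role: str, field: str, store: str,
               value: str, when_iso: str):
        """Return the value in the form the policy allows, or None when denied."""
        when = datetime.fromisoformat(when_iso)
        how = self.decide(role, field, store, when)
        self.audit.append({"ts": when_iso, "user": user, "role": role,
                           "field": field, "store": store, "decision": how})
        return None if how == "deny" else PRESENT[how](value)


WEEKDAYS, ALL_DAYS = frozenset(range(5)), frozenset(range(7))
BUSINESS_HOURS, ALL_HOURS = range(8, 18), range(24)

# Constructed policy for one field: application users only ever see tokens,
# fraud analysts see clear values in business hours, and privileged DBAs see
# masked values (segregation of duties between application and privileged users).
RULES = [
    Rule("cc_number", frozenset({"app_user"}), frozenset({"rdbms", "big_data"}),
         ALL_DAYS, ALL_HOURS, "tokenized"),
    Rule("cc_number", frozenset({"fraud_analyst"}), frozenset({"rdbms"}),
         WEEKDAYS, BUSINESS_HOURS, "clear"),
    Rule("cc_number", frozenset({"dba"}), frozenset({"rdbms", "big_data"}),
         ALL_DAYS, ALL_HOURS, "masked"),
]

PAN = "3678228939073378"  # constructed sample card number (digits only)
```

The audit list is the record the "Audit" dimension asks for: denied requests are logged with the same fields as granted ones, so a reporting job can read both from one place.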

Page 37: Security for iot and cloud aug 25b 2017

Securing Cloud Data

Page 38: Security for iot and cloud aug 25b 2017

Data-Centric Protection Increases Security in Cloud Computing

Rather than making the protection platform based, the security is applied directly to the data

Protecting the data wherever it goes, in any environment

Cloud environments by nature have more access points and cannot be disconnected

Data-centric protection reduces the reliance on controlling the high number of access points

Page 39: Security for iot and cloud aug 25b 2017

Clouds Are Secure: Are You Using Them Securely?

Through 2020, 95% of cloud security failures will be the customer's fault.

By year-end 2018, 50% of organizations with more than 2,500 users will use a cloud access security broker (CASB) product to control SaaS usage, up from less than 5% today.

By 2020, 85% of large enterprises will use a CASB product, up from less than 5% today.

Source: Gartner

Page 40: Security for iot and cloud aug 25b 2017

Cloud Security

Gartner released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 that highlighted key challenges as “cloud increases the risks of noncompliance through unapproved access and data breach.”

The report recommended CIOs and CISOs to address data residency and compliance issues by “applying encryption or tokenization,” and to also “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.”

Another recent Gartner report concluded that “Cloud Data Protection Gateways” provides a “High Benefit Rating” and “offer a way to secure sensitive enterprise data and files.”

Source: Gartner – xxxx

Page 41: Security for iot and cloud aug 25b 2017


Protect the Entire Flow of Sensitive Data

Cloud Gateway

Page 42: Security for iot and cloud aug 25b 2017

Security Gateway Deployment – Hybrid Cloud

[Diagram: a Client System on the Corporate Network, governed by an Enterprise Security Administrator and a Security Officer, reaches a Public Cloud and an out-sourced Private Cloud through a Cloud Gateway.]

Page 43: Security for iot and cloud aug 25b 2017

Security Gateway Deployment – Hybrid Cloud

[Diagram: second view of the same hybrid deployment: Client System, Enterprise Security Administrator and Security Officer on the Corporate Network; a Cloud Gateway in front of the Private Cloud and the Public Cloud; operation out-sourced.]

Page 44: Security for iot and cloud aug 25b 2017

Security Gateway – Searchable Encryption

[Diagram: the Client System's query passes through the Cloud Gateway, which performs query re-write and applies order preserving encryption before the query reaches the RDBMS; the Enterprise Security Administrator and Security Officer govern the gateway from the Corporate Network.]

Page 45: Security for iot and cloud aug 25b 2017

Security Gateway – Search & Indexing

[Diagram: the Cloud Gateway keeps an Index and re-writes the Client System's query against it before the query reaches the RDBMS; the Enterprise Security Administrator and Security Officer govern the gateway from the Corporate Network.]

Page 46: Security for iot and cloud aug 25b 2017

Risk Adjusted Data Leakage

[Chart: Trust and Elasticity axes running from In-house to Out-sourced and from L (low) to H (high). Index Data and Index are placed along them, distinguishing an Index Leaking Sensitive Data, an Index NOT Leaking Sensitive Data, and Sort Order Preserving Encryption Algorithms Leaking Sensitive Data.]

Page 47: Security for iot and cloud aug 25b 2017

Risk Adjusted Storage – Data Leaking Formats

[Chart: Data Leakage (vertical, L to H) against Computational Usefulness for four storage formats, left to right: Strong-encryption, Truncation, Sort-order-preserving-encryption, Indexing.]

Page 48: Security for iot and cloud aug 25b 2017

Comparing Fine Grained Data Protection Methods

Page 49: Security for iot and cloud aug 25b 2017

Reduction of Pain with New Protection Techniques

[Chart: Pain & TCO (vertical, High to Low) against a timeline of 1970, 2000, 2005 and 2010, one technique per point.]

Input Value: 3872 3789 1620 3675

1970 – Strong Encryption (AES, 3DES). Output: !@#$%a^.,mhu7///&*B()_+!@

2000 – Format Preserving Encryption (DTP, FPE). Output: 8278 2789 2990 2789

2005 – Vault-based Tokenization. Output: 8278 2789 2990 2789

2010 – Vaultless Tokenization. Output: 8278 2789 2990 2789

Annotations on the chart: Format Preserving; Greatly reduced Key Management; No Vault

Page 50: Security for iot and cloud aug 25b 2017

Cloud Gateway - Requirements Adjusted Protection

[Table: each data protection method is rated from Best to Worst on Scalability, Storage, Security and Transparency; the graphical ratings did not survive extraction.]

Data Protection Methods:

System without data protection

Weak Encryption (1:1 mapping)

Searchable Gateway Index (IV)

Vaultless Tokenization

Partial Encryption

Data Type Preservation Encryption

Strong Encryption (AES CBC, IV)
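An added example, not from the deck or any gateway product, of how the "Searchable Gateway Index" and "Strong Encryption (IV)" rows above combine in the gateway pattern drawn on the earlier Search & Indexing slide: the cloud RDBMS stores a randomized ciphertext plus a deterministic blind index, and the gateway re-writes equality predicates against the index. The cipher is HMAC-SHA256 in counter mode as a standard-library stand-in for AES CBC; keys, table and rows are constructed.

```python
"""Cloud-gateway pattern: sensitive columns stored under randomized strong
encryption, with a separate deterministic blind index so the gateway can
re-write equality predicates and the cloud RDBMS never sees clear text."""
import hashlib
import hmac
import os
import re
import sqlite3

ENC_KEY = b"constructed-encryption-key"  # constructed; a real gateway pulls keys from an HSM/KMS
IDX_KEY = b"constructed-index-key"       # separate key: the index must not unlock the data


def _keystream(iv: bytes, n: int) -> bytes:
    """Counter mode with HMAC-SHA256 as the PRF (stand-in for AES so that the
    example runs on the standard library only)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(ENC_KEY, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(plain: str) -> bytes:
    iv = os.urandom(16)  # fresh IV: equal plaintexts give different ciphertexts
    data = plain.encode()
    return iv + bytes(a ^ b for a, b in zip(data, _keystream(iv, len(data))))


def decrypt(blob: bytes) -> str:
    iv, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(iv, len(body)))).decode()


def blind_index(value: str) -> str:
    """Deterministic keyed index of the normalized value. Equality search works;
    what leaks is which rows share a value, never their sort order."""
    return hmac.new(IDX_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


EQUALITY = re.compile(r"^SELECT \* FROM (\w+) WHERE (\w+) = '([^']*)'$")


class Gateway:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")  # stands in for the cloud RDBMS
        self.db.execute("CREATE TABLE customers (id INTEGER, email BLOB, email_idx TEXT)")

    def insert(self, cid: int, email: str) -> None:
        self.db.execute("INSERT INTO customers VALUES (?, ?, ?)",
                        (cid, encrypt(email), blind_index(email)))

    def rewrite(self, sql: str):
        """Turn `col = 'value'` into a lookup on the index column."""
        m = EQUALITY.match(sql)
        if not m:
            # Range predicates would need order-preserving encryption, which the
            # deck rates as leaking sensitive data; refuse rather than downgrade.
            raise ValueError("only equality predicates are served by the blind index")
        table, col, value = m.groups()
        return (f"SELECT id, {col} FROM {table} WHERE {col}_idx = ? ORDER BY id",
                (blind_index(value),))

    def query(self, sql: str):
        rewritten, params = self.rewrite(sql)
        return [(cid, decrypt(blob)) for cid, blob in self.db.execute(rewritten, params)]

    def stored(self):
        """What the cloud provider can see: ciphertext blobs and index values only."""
        return self.db.execute("SELECT id, email, email_idx FROM customers ORDER BY id").fetchall()
```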

Page 51: Security for iot and cloud aug 25b 2017

Speed of Fine Grained Protection Methods

[Chart: Transactions per second* on a log scale from 100 to 10 000 000, one bar each for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization; the bar heights did not survive extraction.]

*: Speed will depend on the configuration

Page 52: Security for iot and cloud aug 25b 2017

What is Data Tokenization?

Page 53: Security for iot and cloud aug 25b 2017

Fine Grained Data Security Methods

Tokenization and Encryption are Different

Encryption – used approach: Cipher System (cryptographic algorithms, cryptographic keys)

Tokenization – used approach: Code System (code books, index tokens)

Source: McGraw-Hill Encyclopedia of Science & Technology

Page 54: Security for iot and cloud aug 25b 2017

Significantly Different Tokenization Approaches

[Table: properties compared for Dynamic versus Pre-generated tokens and Vault-based versus Vaultless approaches; the cell contents did not survive extraction.]

Page 55: Security for iot and cloud aug 25b 2017

Examples of Protected Data

Field | Real Data | Tokenized / Pseudonymized

Name | Joe Smith | csu wusoj

Address | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA

Date of Birth | 12/25/1966 | 01/02/1966

Telephone | 760-278-3389 | 760-389-2289

E-Mail Address | [email protected] | [email protected]

SSN | 076-39-2778 | 076-28-3390

CC Number | 3678 2289 3907 3378 | 3846 2290 3371 3378

Business URL | www.surferdude.com | www.sheyinctao.com

Fingerprint, Photo, X-Ray: Encrypted

Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.

Financial Services: Consumer Products and activities

Protection methods can be equally applied to the actual data, but not needed with de-identification

Page 56: Security for iot and cloud aug 25b 2017

Partial Protection of Data Fields

Cost Example: 16 digit credit card number

[Chart: Cost of Application Changes and Risk Exposure (vertical, Low to High) for three options, left to right: All-16-hidden, Only-middle-6-hidden, All-16-clear.]
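An added example, not from the deck or any vendor, of the three exposure options on this slide for a 16-digit card number, in the vaultless, format-preserving style of the earlier tokenization slides: a keyed balanced Feistel network over the decimal digits stands in for a product scheme (simplified for illustration, not NIST FF1), the key is constructed, and the input value is the one shown on the "Reduction of Pain" slide.

```python
"""Vaultless, format-preserving protection of a 16-digit card number with the
slide's three exposure options: all 16 digits hidden, only the middle 6 hidden,
or all 16 in clear. A keyed balanced Feistel network over the decimal digits
stands in for a product FPE/tokenization scheme (simplified, not NIST FF1)."""
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; production keys live in an HSM/KMS
ROUNDS = 8

# (start, end) of the digit span that is hidden; None means nothing is hidden
MODES = {
    "all-16-hidden": (0, 16),
    "only-middle-6-hidden": (6, 12),
    "all-16-clear": None,
}


def luhn_ok(digits: str) -> bool:
    """Luhn check that applications run on real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def _round_fn(rnd: int, right: int, tweak: str, mod: int) -> int:
    """Keyed round function: HMAC-SHA256 of (round, tweak, half) reduced mod 10^h."""
    msg = f"{rnd}|{tweak}|{right}".encode()
    return int.from_bytes(hmac.new(KEY, msg, hashlib.sha256).digest(), "big") % mod


def _feistel(span: str, tweak: str, decrypt: bool) -> str:
    """Balanced Feistel permutation on an even-length digit string; the output
    has the same length and alphabet, so field widths and formats are kept."""
    half = len(span) // 2
    mod = 10 ** half
    left, right = int(span[:half]), int(span[half:])
    if not decrypt:
        for r in range(ROUNDS):
            left, right = right, (left + _round_fn(r, right, tweak, mod)) % mod
    else:
        for r in reversed(range(ROUNDS)):
            left, right = (right - _round_fn(r, left, tweak, mod)) % mod, left
    return f"{left:0{half}d}{right:0{half}d}"


def _apply(pan: str, mode: str, decrypt: bool) -> str:
    digits = pan.replace(" ", "")
    if len(digits) != 16 or not digits.isdigit():
        raise ValueError("expected a 16-digit card number")
    if MODES[mode] is None:
        return digits  # all-16-clear: no application change, full risk exposure
    start, end = MODES[mode]
    # The digits left in clear act as a tweak, so the same middle digits under
    # another BIN / last-4 map to a different token.
    tweak = digits[:start] + digits[end:]
    return digits[:start] + _feistel(digits[start:end], tweak, decrypt) + digits[end:]


def tokenize(pan: str, mode: str = "only-middle-6-hidden") -> str:
    return _apply(pan, mode, decrypt=False)


def detokenize(token: str, mode: str = "only-middle-6-hidden") -> str:
    return _apply(token, mode, decrypt=True)


def grouped(digits: str) -> str:
    """Present as 4-4-4-4, the layout used on the slides."""
    return " ".join(digits[i:i + 4] for i in range(0, 16, 4))
```

Tokens from this construction are deterministic, so equality joins on the protected column still work, but they need not be Luhn-valid; any downstream Luhn validation is part of the application-change cost the chart weighs.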

Page 57: Security for iot and cloud aug 25b 2017

Traditional Access Control

[Chart: Access to Sensitive Data in Clear. Horizontal axis from Low Access to Data to High Access to Data; vertical axis Low to High for two curves, Risk Exposure and User Productivity and Creativity.]

Page 58: Security for iot and cloud aug 25b 2017

Fine Grained Protection of Data Fields

[Chart: Access to Tokenized Data. Horizontal axis from Low Access to Data to High Access to Data; vertical axis Low to High for two curves, Risk Exposure and User Productivity and Creativity.]

Page 59: Security for iot and cloud aug 25b 2017

Securing Big Data

Page 60: Security for iot and cloud aug 25b 2017

Big Data Needs a Data-Centric Security Focus

CISOs should not treat big data security in isolation, but require policies that encompass all data

New data-centric audit and protection solutions and management approaches are required

Big data initiatives require data to move between structured and unstructured data silos, exposing incoherent data security policies that CISOs must address to avoid security chaos

Source: Gartner – Big Data Needs a Data-Centric Security Focus, 2014

Page 61: Security for iot and cloud aug 25b 2017

Oracle’s Big Data Platform


Page 62: Security for iot and cloud aug 25b 2017


Oracle’s Exadata

Page 63: Security for iot and cloud aug 25b 2017

Many Ways to Hack Big Data

Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase

[Diagram: the Hadoop stack, HDFS (Hadoop Distributed File System), MapReduce (Job Scheduling/Execution System), Hbase (Column DB), Pig (Data Flow), Hive (SQL), Sqoop, ETL Tools, BI Reporting, RDBMS, Avro (Serialization) and Zookeeper (Coordination), with threat arrows from Hackers, Privileged Users, and Unvetted Applications or Ad Hoc Processes.]

Page 64: Security for iot and cloud aug 25b 2017

Securing Big Data

[Diagram: numbered protection points across the big data pipeline]

1. Data protection at database, application or file
2. Data protection in a staging area
3. Volume encryption in Hadoop
4. Hbase, Pig, Hive, Flume and Scope using protection API
5. MapReduce using protection API
6. File and folder encryption in HDFS
7. Import de-identified data
8. Export de-identified data
9. Export identifiable data
10. Export audits for reporting

Page 65: Security for iot and cloud aug 25b 2017


Critical Data Asset Discovery and Protection

Page 66: Security for iot and cloud aug 25b 2017

Thank you!

Questions?

Ulf Mattsson, CTO

Compliance Engineering

[email protected]

Page 67: Security for iot and cloud aug 25b 2017

Tokenization Reducing Attack Surface

[Diagram: Tokenization on Each Node, illustrated with the 16-digit value 123456 123456 1234 split into three groups.]

Page 68: Security for iot and cloud aug 25b 2017

Security & Business Skills

The global shortage of technical skills in information security is by now well documented, but an equally concerning shortage of soft skills

"I need people who understand that they are here to help the business make money and enable the business to succeed -- that's the bottom line. But it's very hard to find information security professionals who have that mindset," a CISO at a leading technology company told us

Source: www.informationweek.com/strategic-cio/enterprise-agility/the-security-skills-shortage-no-one-talks-about/a/d-id/1315690

Page 69: Security for iot and cloud aug 25b 2017

Balancing Data Security & Utility

[Diagram: Classification of Sensitive Data feeds Granular Protection of Sensitive Data; two open questions sit alongside: Index Data Leaking Sensitive Data? and Value Preserving Encoding Leaking Sensitive Data?]

Page 70: Security for iot and cloud aug 25b 2017

Summary

Exponential growth of data generation

• New business models fueled by Big Data, cloud computing and the Internet of Things

• Creating cybercriminal's paradise

Challenge in this interconnected world

• Merging data security with data value and productivity.

Urgently need a data-centric strategy

• Protect the sensitive data flowing through digital business systems

Solutions to bring together data insight & security

• Safely unlock the power of digital business