Security Working Group 2017 Aug 16 Conference Call
2017 Aug 09 - Agenda
  Discuss today's meeting action plan
  Finalize August 29-30 face-to-face Security WG meeting details
  Discuss security framework high-level outline
  Discuss suggestions and discussion topics for the California release
2017 Aug 29, 30 Security Working Group Meeting Agenda
Tuesday Aug 29
  Noon (PDT): Arrival and check-in. Lunch is available in the VMWare cafeteria in the building
  1:00 PM (PDT): Meeting start
  3:00 PM (PDT): Coffee/dessert break
  5:00 PM (PDT): Meeting end
  6:30 PM (PDT): Security team dinner (location TBD)
Wednesday Aug 30
  8:00 AM (PDT): Arrival with breakfast and coffee
  8:30 AM (PDT): Meeting start
  Noon (PDT): Lunch at the VMWare cafeteria
  3:00 PM (PDT): Coffee/dessert break
  6:30 PM (PDT): Optional security team dinner (location TBD)
2017 Aug 29, 30 Security Working Group Meeting Agenda
Location: VMWare Campus, 3401 Hillview Ave., Palo Alto, CA 94304 (a detailed campus map will be sent)
Recommended airports: San Jose (SJC) [closest] or San Francisco (SFO)
2017 Aug 09 Action Plan
Face-to-face Sec WG working session (2 days)
  Selected Aug 29 (1 pm start) to 30 in San Fran, VMWare campus
  Working session to finalize draft 1 of the security framework and requirements
  Post the security requirements review
  Prioritize requirements
  Identify security MVP functionality for beta
  Define milestones
  Assign owners and implement the MVP
Additional agreements
  Team will focus on northbound interfaces 1st and southbound 2nd
  Focus on APIs so that vendors can provide plug-ins
  Open source core will provide basic security services; the APIs allow the basic implementations to be replaced with more advanced ones
  Need to collaborate with the Core Architecture and System Management WGs
Concerns
  The scope seems broad, with a large amount of work
  Appears that the security group does not have sufficient active resources; need to assess after the security requirements review
Barcelona MVP Status & Plan
  Next EdgeX release, named Barcelona MVP, to focus minds on a target release date coinciding with IoT Solutions World Congress, Barcelona, 3rd-5th October 2017: http://www.iotsworldcongress.com/
  Barcelona MVP draft project plan (in progress) is now released and available at EdgeXBarcelonaPlanJune2017_v1(draft).gan
  Note: to view the full plan you will need to install the free GanttProject tool from http://www.ganttproject.biz/
Security Functionality Requirements (Fuse Architecture)
Device Security High Level Architecture Functionality
  Boot
  Remote Management
  Security Device Management
  Software Update Management
  Monitoring Management
  Reporting Management
Device Security High Level Architecture Functionality: Boot
Question: is secure boot out of scope for EdgeX, i.e. do we just depend on OS services?
  Secure boot
    Verify images: use PKI public-key signature methods
  Enrollment
    Use PKI CA methods
    Dumb device methods (other EdgeX services)
    Discoverable services
  Identity management
    Use PKI methods
    Dumb device methods
  Key management
    Use PKI-compatible methods
  Service provisioning
  Access control
Device Security High Level Architecture Functionality: Remote Management
  Secure communications
  Changes to settings
  Triggers and actions
Device Security High Level Architecture Functionality: Software Update Management
  Secure update
  Update application and system software: bug fixes, security patches, new features
Device Security High Level Architecture Functionality: Monitoring Management
  Monitoring device status/health
  Report status/errors
  Remote attestation
Device Security High Level Architecture Functionality: Reporting Management
  Sensor data with identity and integrity
  Notify changes in sensor values
  Triggers and actions
  Configuration settings
EdgeX Security High Level Architecture Functionality
  Access control
    Authentication: username/password, OpenID, OAuth 2.0, LDAP, SAML 2.0
    Human attestation services
    Anomaly detection services
  Identity management for northbound and southbound connections
    Southbound authentication (devices): dumb devices via a device-service plug-in; smart devices via X.509 certificates, PKCS
    Northbound authentication (cloud services): dumb device methods (??); smart device methods
  Security policy
    Patch management and version reporting
    Allowed encrypted communications for dumb devices and smart devices (XACML standard?)
  Encrypted communications, data in transit (DIT): HTTPS, TLS
  Traffic filtering (firewall)
  Intrusion detection / prevention
  Encrypted storage, data at rest (DAR)
  Privacy
  Audit services
  Alert services
Special thanks to Alain Pulluelo, VP Security & Mobile Innovation, ForgeRock Office of the CTO, for providing the suggestions and discussion topics for the California release milestone.
Security WG: suggestions and discussion topics for California release milestone
Security main focus
  Build a longer-term roadmap for the EdgeX security framework
  Agree on which security features will be in EdgeX and which will be provided by the platform that EdgeX runs on
  Agree on security requirements
  Define which EdgeX security service(s) eventually need to be implemented
  Define which security hooks need to be added to the existing microservices
  Define which standards, cryptography, protocols, etc. EdgeX will adhere to (IIC specs, OAuth2 tokens, curves, etc.)
  Provide guidance on how security features can/should be tested
Important: building security into design and development
In order to securely engineer IoT products and systems it is important to build security in from the start by focusing on methodically understanding threats, tracing security requirements through to completion, and ensuring that there is a strong focus on securing data.
  Confidentiality: keeping sensitive information secret and protected from disclosure
  Integrity: ensuring that information is not modified, accidentally or purposefully, without being detected
  Authentication: ensuring that the source of data is a known identity or endpoint (generally follows identification)
  Non-repudiation: ensuring that an individual or system cannot later deny having performed an action
  Availability: ensuring that information is available when needed
Reference: prpl Foundation
Security Topics (1/5): Secured/Trusted Boot mechanism (Root-of-Trust)
  Solutions: Trusted Execution Environment (TEE), Secure Element (SE), Trusted Platform Module (TPM)
  Implementation/isolation
    Closed: proprietary to the SoC manufacturer
    Two worlds (Secure and Normal, aka trustedOS/richOS)
    Secure hypervisor
  OS image updates (OTA/FOTA); example: OSTree, https://ostree.readthedocs.io/en/latest/manual/introduction/
  HSM-integrated factory process
  Code signatures (trusted boot depends on them)
  Runtime integrity: microservices, applications, drivers, etc.
Security Topics (2/5): Key Storage (PKI), Vault, Secure Storage (TEE, SE, TPM + filesystem)
  Signature, hashing and encryption: at rest, in use and in motion
  Cryptography choices (guidance, e.g. NIST): schemes, standards, certifications, etc.
    Modes of operation, e.g. Authenticated Encryption with Associated Data (AEAD) such as AES-GCM
    Key size/schedule, RNG/PRNG, cryptoperiods, MAC, tokenization, etc.
    Libraries, code obfuscation, white-box crypto
  Microservice on-boarding
    Discovery/attestation
    Registration/key issuance
    Service-to-service authN/authZ (Trusted Agent / TEE)
  Connectivity (IIC security framework, prpl end-to-end)
    Endpoint protection (gateway? filter? firewall? example: https://getkong.org)
    Network segmentation
    Inbound (service to service): lightweight (E/H/S), no OAuth2 JWT tokens
    Outbound (EdgeX to cloud): standard OAuth2 flows/tokens
Security Topics (3/5): Identity and configuration management
  Enrolment/decommissioning/disposal
  Credentials/MFA/out-of-band
  AuthN/AuthZ
  Patching/updates
  Adding/removing services
  Roles/policies/transactions
  Devices/sensors/actuators connectivity; example for Bluetooth: NIST SP 800-121 Guide to Bluetooth Security, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-121r1.pdf
Security Topics (4/5)
  Privacy concerns (ISO/IEC, NIST, frameworks, regulations such as GDPR)
    AuthN/AuthZ: multi-signatures, secret sharing
    Tokenization, anonymization, homomorphic encryption
    Zero-knowledge attestation
  Secure communication, protocol bindings
  Operations
    Event monitoring/alerting and auditing, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
    Crypto asset handling during failover/backup, log management
    Remote connections, JTAG debugging, segregation of duties, etc.
    Incident response, resilience and forensics
  Compliance & certifications (FIPS)
  Threat model (OWASP, STRIDE), risk assessment
Security Topics (5/5): EdgeX Internal Software Assurance
  CI: unit/integration tests, acceptance, QA reports
  Coding standards: static/dynamic scans (e.g. SonarQube)
  3rd-party software assurance
    Trustworthiness: no exploitable vulnerabilities exist, either maliciously or unintentionally inserted, and materials are what they claim to be, without counterfeit, piracy, or violation of intellectual property rights
    Predictable execution: justifiable confidence that hardware and software, when executed, function as intended
    Conformance: a planned and systematic set of multidisciplinary activities that ensure hardware and software processes and products conform to requirements, standards, and procedures
EdgeX Security Services & Hooks
  Hooks to the broker/discovery service: discovery, registration, attestation, key issuance
  Key store
  Security model: broker, proxy or gateway
  Edge controller
  TEE/SE/TPM
  Trusted boot
Security Agreements
"Fuse microservices to enforce access control, authentication, and authorization (AAA)."
  Also needs to support smart endpoints to the cloud (AAA)
  Needs to support tunneled and encrypted sensor data to the cloud, with the gateway in pass-through mode only
  Specifies that the gateway administrator provisions devices; should also allow smart devices to connect to the cloud in pass-through mode
"Rely on installation-unique credentials for protecting access to any of the Fuse repositories."
  Add support for smart endpoints (certificate, authentication, integrity, optional encryption)
"Documentation provided with Fuse should strongly recommend that implementers expose HTTPS only."
  Needs to require TLS 1.2 or higher; a downgrade to unsecured modes should be flagged as insecure by EdgeX
"For those subscribers of MQTT data, there is no ability to protect sensitive data in transit"
  This statement is in error: the typical protection is a TLS layer that MQTT is tunneled through (MQTT over TLS)
Management use cases
"EdgeX Administrator updates software"
  This covers only the EdgeX software upgrade, not end devices; needs to support upgrade of devices from the cloud to the device in pass-through mode, to accommodate the various vendor methods
Control use cases
"EdgeX published all data"
  Needs to change to allow smart devices to publish data directly to the cloud
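The TLS floor asked for above, as an added Go example that is neither EdgeX code nor part of the original deck: a server configured with MinVersion TLS 1.2 accepts a modern client and refuses a client that can only offer TLS 1.0/1.1, so a downgrade is flagged at the handshake instead of silently accepted. The hostname "edgex-core", the throwaway self-signed certificate and the in-memory pipe are assumptions made for the demo; session tickets are disabled only because net.Pipe is synchronous, not as part of the policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedServerCert makes a throwaway certificate for the assumed hostname
// "edgex-core" so the client can verify the server properly rather than
// setting InsecureSkipVerify, which would defeat the point of the exercise.
func selfSignedServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "edgex-core"},
		DNSNames:              []string{"edgex-core"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// PolicyServerConfig is the policy from the slide: nothing below TLS 1.2 is
// negotiable. SessionTicketsDisabled is a demo-only setting (see lead-in).
func PolicyServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
}

// Handshake runs one client/server handshake over an in-memory pipe and
// returns each side's result; nil on both sides means the connection was accepted.
func Handshake(serverCfg, clientCfg *tls.Config) (serverErr, clientErr error) {
	srvEnd, cliEnd := net.Pipe()
	defer srvEnd.Close()
	defer cliEnd.Close()
	done := make(chan error, 1)
	go func() { done <- tls.Server(srvEnd, serverCfg).Handshake() }()
	clientErr = tls.Client(cliEnd, clientCfg).Handshake()
	serverErr = <-done
	return serverErr, clientErr
}

// DowngradeDemo reports whether the policy server accepted a TLS 1.2+ client
// and whether it rejected a client that can only speak TLS 1.0/1.1.
func DowngradeDemo() (modernAccepted, legacyRejected bool, err error) {
	cert, pool, err := selfSignedServerCert()
	if err != nil {
		return false, false, err
	}
	server := PolicyServerConfig(cert)
	modern := &tls.Config{RootCAs: pool, ServerName: "edgex-core", MinVersion: tls.VersionTLS12}
	// A legacy client: explicitly capped at TLS 1.1 (Go refuses these versions unless asked).
	legacy := &tls.Config{RootCAs: pool, ServerName: "edgex-core",
		MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11}

	sErr, cErr := Handshake(server, modern)
	modernAccepted = sErr == nil && cErr == nil
	sErr, cErr = Handshake(server, legacy)
	legacyRejected = sErr != nil && cErr != nil // server refuses; client sees a protocol_version alert
	return modernAccepted, legacyRejected, nil
}

func main() {
	ok, rejected, err := DowngradeDemo()
	fmt.Printf("modernAccepted=%v legacyRejected=%v err=%v\n", ok, rejected, err)
}
```

The refusal happens before any certificate or key exchange is processed, so the server never spends resources on a peer it will not accept; the same MinVersion belongs on every listener EdgeX exposes, and a cipher suite allow-list is the natural next restriction for TLS 1.2 connections.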
Conclusion
  Next week: Michael Hathaway from ixot.net will present a North Bound Security Strategy strawman for discussion
  Review face-to-face meeting details
  Review action items