Security Working Group 2017 July 07 Conference Call

2017 July 07 - Agenda Review last Security Working Group (SWG) meeting notes Discuss Today Meeting Action Plan

Review - 2017 June 1-2 Actions Plan Agreed to process All members to review the EdgeX Architecture Identity threat surfaces Define mitigation plan for threats Review and comment on existing Security Requirements document – Security Requirements for Fuse IoT Gateway Software (Dated: January 27, 2017) Provided review comments by 2017 July 11. To be sent by email using Sec WG alias. Conference call to discuss all comments on 2017 July 18 at 10:00 AM (US Eastern Standard Time)

Review - 2017 June 1-2 Actions Plan Post Security Requirements Review Prioritize requirements Identify security MVP functionality for beta Define milestones Assign owners and implement MVP Additional Agreements Focus on APIs so that vendors can provide plug-ins Open Source core will provide basic security services APIs will replace basic solutions with more advanced implementations Need to collaborate with Core Architecture and System Management WG Concerns The scope seems broad with large amount of work Not clear if the group has sufficient resources and what can be delivered by beta deadline. Need to assess after security requirements review.

Review - Security Working Group Governance Plans Team structure and communication Current SWG Chairman: John Walsh (role will rotate every 6 months) Email alias: edgex-tsc-security@lists.edgexfoundry.org Wiki: https://wikiedgexfoundry.org/display/FA/Security_Working_Group

2017 July 07 - Agenda Need teams to review and provide written comments on existing security requirements by July 11 Discuss current security requirements comments/changes Discuss which members have content, products and personnel that are relevant to each element in Security MVP

Barcelona MVP Plan The Barcelona MVP Status & Plan Next EdgeX Release named Barcelona MVP to focus minds on target release date to coincide with IOT Solutions World Congress, Barcelona 3rd- 5th October 2017 http://www.iotsworldcongress.com/ Barcelona MVP Draft Project Plan in Progress now released and available at EdgeXBarcelonaPlanJune2017_v1(draft).gan . Please note to view the full plan you will need to install the FREE Gantt tool from http://www.ganttproject.biz/

Barcelona MVP Plan 13 Week Development Interval starting 7/9/17

Barcelona MVP Resource Plan

Fuse Arch.

Security Discussion Points - Barcelona MVP “Fuse microservices to enforce access control, authentication, and authorization (AAA).” - Needs to support smart end points to cloud (AAA) Need to support tunneled and encrypted sensor data to the cloud – Gateway in passthrough mode only. Specifies Gateway administrator provisions devices. Should it allow for smart devices? “Rely on installation-unique credentials for protecting access to any of the Fuse repositories.” - Smart end points support (certificate, authentication, integrity, optional encryption) “Documentation provided with Fuse should strongly recommend that implementers expose HTTPS only.” – Needs to require TLS 2.0 or higher, down grade to unsecure modes should be flagged as insecure by EdgeX. “For those subscribers of MQTT data, there is no ability to protect sensitive data in transit” – This statement is in error. Typical protection is provided by a TLS layer that MQTT is tunneled through. Mangement Use Cases “EdgeX Administrator updates software” – Does everyone agree that this is only the EdgeX software upgrade and not end devices? Control Use Cases “EdgeX published all data” – This disallows smart devices from publishing data – This seems too restrictive.

Conclusion – The End Review action items Review agreements Review Next steps Review and comment on existing Security Requirements document – Security Requirements for Fuse IoT Gateway Software (Dated: January 27, 2017) Provided review comments by 2017 July 11. To be sent by email using Sec WG alias.