Slide 1: Security Working Group, 2017 Aug 09 Conference Call
Slide 2: 2017 Aug 09 Agenda
- Discuss today's meeting action plan
- Agree on the next face-to-face meeting date
- Discuss the security framework high-level outline
- Discuss suggestions and discussion topics for the California release
Slide 3: 2017 Aug 09 Action Plan
- Face-to-face Sec WG working session (2 days): selected Aug 29 (noon start) to 30 in San Francisco, VMware campus
- Working session to finalize draft 1 of the security framework and requirements
- Post security requirements review:
  - Prioritize requirements
  - Identify security MVP functionality for beta
  - Define milestones
  - Assign owners and implement the MVP
- Additional agreements:
  - Focus on APIs so that vendors can provide plug-ins
  - The open-source core will provide basic security services
  - APIs will allow the basic solutions to be replaced with more advanced implementations
  - Need to collaborate with the Core Architecture and System Management WGs
- Concerns:
  - The scope seems broad, with a large amount of work
  - It appears that the security group does not have sufficient active resources; need to assess after the security requirements review
Slide 4: Barcelona MVP Status & Plan
- The next EdgeX release is named Barcelona MVP, to focus minds on a target release date that coincides with IoT Solutions World Congress, Barcelona, 3rd-5th October
- The Barcelona MVP draft project plan is in progress and is now released and available at EdgeXBarcelonaPlanJune2017_v1(draft).gan
- Please note that to view the full plan you will need to install the FREE Gantt tool from
Slide 5: Security Functionality Requirements (Fuse Arch.)
Slide 6: Security High Level Architecture Functionality
- Boot
- Remote Management
- Security Device Management
- Software Update Management
- Monitoring Management
- Reporting Management
Slide 7: Security High Level Architecture Functionality: Boot
- Question: is secure boot out of scope for EdgeX? Do we just depend on OS services?
- Secure boot: verify images; use PKI public-signature methods
- Enrollment: use PKI CA methods; dumb-device methods (other EdgeX services)
- Discoverable services
- Identity management: use PKI methods; dumb-device methods
- Key management: use PKI-compatible methods
- Service provisioning
- Access control
Slide 8: Security High Level Architecture Functionality: Remote Management
- Secure communications
- Changes to settings
- Triggers and actions
Slide 9: Security High Level Architecture Functionality: Software Update Management
- Secure update
- Update application and system software: bug fixes, security patches, new features
Slide 10: Security High Level Architecture Functionality: Monitoring Management
- Monitoring device status/health
- Report status/errors
- Remote attestation
Slide 11: Security High Level Architecture Functionality: Reporting Management
- Sensor data with identity and integrity
- Notify changes in sensor values
- Triggers and actions
- Configuration settings
Slide 12: Special thanks for providing suggestions and discussion topics for the California release milestone
Alain Pulluelo, VP Security & Mobile Innovation, ForgeRock Office of the CTO
Slide 13: Security WG: suggestions and discussion topics for the California release milestone
Security main focus:
- Build a longer-term roadmap for the EdgeX security framework
- Agree on which security features will be in EdgeX and which will be provided by the platform that EdgeX runs on
- Agree on security requirements
- Define which EdgeX security service(s) eventually need to be implemented
- Define which security hooks need to be added to the existing microservices
- Define which standards, cryptography, protocols, etc. EdgeX will adhere to and follow (IIC specs, OAuth2 tokens, curves, etc.)
- Provide guidance on how security features can/should be tested
Slide 14: Important: building security into design and development
To securely engineer IoT products and systems it is important to build security in from the start by focusing on methodically understanding threats, tracing security requirements through to completion, and ensuring that there is a strong focus on securing data.
- Confidentiality: keeping sensitive information secret and protected from disclosure
- Integrity: ensuring that information is not modified, accidentally or purposefully, without being detected
- Authentication: ensuring that the source of data is a known identity or endpoint (generally follows identification)
- Non-repudiation: ensuring that an individual or system cannot later deny having performed an action
- Availability: ensuring that information is available when needed
Slide 15: Security WG: suggestions and discussion topics for the California release milestone
Reference: prpl Foundation [link]
Slide 16: Security Topics (1/5): Secured/Trusted Boot mechanism (Root-of-Trust)
- Solutions: Trusted Execution Environment (TEE); Secure Element (SE); Trusted Platform Module (TPM)
- Implementation/isolation:
  - Closed: proprietary to the SoC manufacturer
  - Two worlds (Secure and Normal, aka trustedOS/richOS)
  - Secure hypervisor
- OS image updates (OTA/FOTA); example: OSTree
- HSM-integrated factory process
- Code signature (trusted boot depends on signatures)
- Runtime integrity: microservices, applications, drivers, etc.
Slide 17: Security Topics (2/5): Key Storage (PKI), Vault, Secure Storage (TEE, SE, TPM+fs)
- Signature, hashing and encryption: at rest, in use and in motion
- Cryptography choices (guidance, e.g. NIST):
  - Schemes, standards, certifications, etc.
  - Modes of operation (e.g. Authenticated Encryption with Additional Data, AEAD, such as AES-GCM)
  - Key size/schedule, RNG/PRNG, cryptoperiods, MAC, tokenization, etc.
  - Libraries, code obfuscation, white-crypto
- Microservice on-boarding:
  - Discovery/attestation
  - Registration/key issuance
  - Service-to-service authN/authZ (Trusted Agent / TEE)
- Connectivity (IIC security framework, prpl end-to-end)
- Endpoint protection (gateway? filter? FW?); example: network segmentation
  - Inbound (service to service): lightweight (E/H/S), no OAuth2 JWT tokens
  - Outbound (EdgeX to cloud): standard OAuth2 flows/tokens
Slide 18: Security Topics (3/5): Identity and configuration management
- Enrolment/decommissioning/disposal
- Credentials/MFA/out-of-band
- AuthN/AuthZ
- Patching/updates
- Adding/removing services
- Roles/policies/transactions
- Devices/sensors/actuators connectivity; example for Bluetooth: NIST SP Guide to Bluetooth Security r1.pdf
Slide 19: Security Topics (4/5)
- Privacy concerns (ISO/IEC, NIST, frameworks, regulations such as GDPR)
- AuthN/AuthZ: multi-signatures, secret sharing; tokenization, anonymization, homomorphy; zero-knowledge attestation
- Secure communication, protocol bindings
- Operations:
  - Event monitoring/alerting and auditing, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
  - Crypto asset handling during failover/backup, log management
  - Remote connections, JTAG debugging, segregation of duties, etc.
  - Incident response, resilience and forensics
- Compliance & certifications (FIPS)
- Threat model (OWASP, STRIDE), risk assessment
Slide 20: Security Topics (5/5): EdgeX Internal Software Assurance
- CI: unit/integration tests, acceptance; QA reports
- Coding standards: static/dynamic scans (e.g. SonarQube)
- 3rd-party software assurance:
  - Trustworthiness: no exploitable vulnerabilities exist, either maliciously or unintentionally inserted, and materials are what they claim to be, without counterfeit, piracy, or violation of intellectual property rights
  - Predictable execution: justifiable confidence that hardware and software, when executed, function as intended
  - Conformance: a planned and systematic set of multidisciplinary activities that ensure hardware and software processes and products conform to requirements, standards, and procedures
Slide 21: EdgeX Security Services & Hooks
- Hooks to the Broker/Discovery Service: discovery, registration, attestation, key issuance
- Key Store
- Security model: Broker, Proxy or Gateway
- Edge Controller
- TEE/SE/TPM
- Trusted Boot
Slide 22: Security Agreements (comments on quoted Fuse security statements)
- "Fuse microservices to enforce access control, authentication, and authorization (AAA)." Also needs to support smart endpoints to the cloud (AAA). Needs to support tunneled and encrypted sensor data to the cloud, with the gateway in pass-through mode only. The document specifies that the gateway administrator provisions devices; it should also allow smart devices to connect to the cloud in pass-through mode.
- "Rely on installation-unique credentials for protecting access to any of the Fuse repositories." Add support for smart endpoints (certificate, authentication, integrity, optional encryption).
- "Documentation provided with Fuse should strongly recommend that implementers expose HTTPS only." Needs to require TLS 2.0 or higher; a downgrade to unsecure modes should be flagged as insecure by EdgeX.
- "For those subscribers of MQTT data, there is no ability to protect sensitive data in transit." This statement is in error: typical protection is provided by a TLS layer that MQTT is tunneled through.
- Management use cases: "EdgeX Administrator updates software." This covers only the EdgeX software upgrade, not end devices. Needs to support upgrading devices from the cloud in pass-through mode, to accommodate various vendor methods.
- Control use cases: "EdgeX published all data." Needs to change to allow smart devices to publish data directly to the cloud.
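The HTTPS-only and downgrade-flagging agreements above, as an added Go example that is not EdgeX code: a constructed endpoint-policy type with the weak setting beside the corrected one, and an audit function that flags the insecure settings the way the slide asks EdgeX to. It assumes TLS 1.2 as the required floor, standing in for the slide's "TLS 2.0 or higher".

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// EndpointPolicy is a constructed stand-in for a service's listener settings
// (an HTTP API port or an MQTT broker port); it is not an EdgeX type.
type EndpointPolicy struct {
	Name          string
	PlaintextPort bool        // a non-TLS port is also exposed (HTTP / plain MQTT)
	TLS           *tls.Config // nil when TLS is not configured at all
}

// WeakPolicy is the setting the agreements object to: plaintext still exposed,
// and no explicit protocol floor, so the library default decides what a peer
// may negotiate down to.
func WeakPolicy() EndpointPolicy {
	return EndpointPolicy{Name: "core-data", PlaintextPort: true, TLS: &tls.Config{}}
}

// HardenedPolicy is the corrected setting: TLS only, with an explicit floor
// (assumed here to be TLS 1.2).
func HardenedPolicy() EndpointPolicy {
	return EndpointPolicy{
		Name:          "core-data",
		PlaintextPort: false,
		TLS:           &tls.Config{MinVersion: tls.VersionTLS12},
	}
}

// AuditPolicy returns one finding per setting that is insecure or permits a
// downgrade below minVersion; an empty result means the policy passes.
func AuditPolicy(p EndpointPolicy, minVersion uint16) []string {
	var findings []string
	switch {
	case p.TLS == nil:
		findings = append(findings, p.Name+": no TLS configured")
	case p.TLS.MinVersion == 0:
		findings = append(findings, p.Name+": MinVersion not set, library default decides the floor")
	case p.TLS.MinVersion < minVersion:
		findings = append(findings, fmt.Sprintf("%s: MinVersion 0x%04x below required 0x%04x (downgrade allowed)",
			p.Name, p.TLS.MinVersion, minVersion))
	}
	if p.PlaintextPort {
		findings = append(findings, p.Name+": plaintext port exposed next to TLS (insecure downgrade path)")
	}
	return findings
}
```

Running AuditPolicy over WeakPolicy yields two findings (no explicit floor, plaintext port) and over HardenedPolicy none.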
Slide 23: Conclusion
- Review face-to-face meeting details
- Review action items