1
Platform Architecture
Platform Architecture (diagram): a required interoperability foundation, replaceable reference services, a loosely-coupled microservices framework, and a choice of protocol.
"Northbound": infrastructure and applications
Export Services: Client Registration, Distribution, Additional Services
Supporting Services: Rules Engine, Scheduling, Alerts & Notifications, Logging, Additional Services
Core Services: Core Data, Command, Metadata, Registry & Config (all microservices intercommunicate via APIs)
Device + System Management (side bar): Deployment, Container, Local Mgmt Console, Additional Services
Security (side bar), annotated "In the beginning /dev/null"
Device Services (any combination of standard or proprietary protocols via SDK): REST, OPC-UA, Modbus, BACnet, ZigBee, BLE, MQTT, SNMP, Virtual, additional device services via the SDK
"Southbound": devices, sensors and actuators
2
IIC Endpoint Security Best Practices and EdgeX
EdgeX will begin here
3
Start with the Basics: Protect Perimeter Ingress
Three measures, overlaid on the platform architecture diagram above:
- TLS (server side)
- API Gateway with AuthN
- Ingress port blocking
4
Protect Perimeter Ingress: Details and Roadmap
Columns: Feature | California | Delhi | Edinburgh | Beyond (cells are listed in release order as extracted)
- API Gateway: Single ingress point for ALL HTTPS traffic (no HTTP) using Kong | X | TBD
- Authentication: Simple JWT based authentication (via Kong plugin) | OAuth based AuthN (Client Credentials, Bearer Token flow) | Identity management features (user lifecycle management, password change, revoke)
- Authorization: None | Via Kong ACL plugin that enables group based AuthZ
- TLS: Server side only, primary cert stored in Vault | Mutual certificates
- Service to Service: Enabled via one of (mutual certs or token based AuthN) | Secure service registration (considering Consul Connect)
IIC Endpoint Security Best Practices reference: Secure Communications
5
California Security Architecture (diagram):
- Perimeter: TLS (server side), API Gateway with JWT AuthN, ingress port blocking
- Gateway dependencies: User Store, Consul (service discovery), PostgresDB
- Core Services behind the gateway: Metadata, Core Data, Command (all microservices intercommunicate via APIs)
- Vault (secret store)
- Initialization containers: Vault Init, Kong DB Init, Kong Init
(The diagram numbers five elements 1-5; their order is not recoverable from the extracted text.)
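The California ingress path above (HTTPS only, Kong with the JWT plugin for AuthN, port blocking) reduces to a small decision per request. The Go program below is an added example written for this page, not EdgeX or Kong code: it mints an HS256 token with a constructed key and then applies the checks a gateway makes before a request reaches a core service (scheme is HTTPS, a bearer token is present, the token's alg is HS256 so "alg":"none" is refused, the HMAC matches in constant time, and exp is still in the future). The names authorize, verifyHS256, signHS256 and the sample subject are assumptions for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims is the subset of registered JWT claims the ingress check looks at.
type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// signHS256 builds a compact JWT (header.payload.signature) with HMAC-SHA256.
// It exists only to mint sample tokens for this demonstration; in a deployment
// the gateway consumes tokens issued by the identity provider.
func signHS256(key []byte, c claims) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256 checks a token the way a gateway JWT plugin does: the header must
// name HS256 (so "alg":"none" is refused), the HMAC must match in constant time,
// and the exp claim must still be in the future relative to now.
func verifyHS256(key []byte, token string, now time.Time) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("malformed token")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return claims{}, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "HS256" {
		return claims{}, errors.New("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return claims{}, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) { // constant-time comparison
		return claims{}, errors.New("bad signature")
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return claims{}, err
	}
	var c claims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return claims{}, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return claims{}, errors.New("token expired or has no exp")
	}
	return c, nil
}

// authorize is the single-ingress decision: only HTTPS is admitted, a bearer
// token must be present, and it must verify. It returns the caller's subject.
func authorize(key []byte, scheme, authHeader string, now time.Time) (string, error) {
	if scheme != "https" {
		return "", errors.New("plain HTTP is refused at the ingress")
	}
	const bearer = "Bearer "
	if !strings.HasPrefix(authHeader, bearer) {
		return "", errors.New("missing bearer token")
	}
	c, err := verifyHS256(key, strings.TrimPrefix(authHeader, bearer), now)
	if err != nil {
		return "", err
	}
	return c.Sub, nil
}

func main() {
	key := []byte("constructed-demo-secret") // constructed; a real key comes from the secret store
	now := time.Now()
	tok, _ := signHS256(key, claims{Sub: "edgex-ui", Exp: now.Add(5 * time.Minute).Unix()})
	for _, scheme := range []string{"https", "http"} {
		sub, err := authorize(key, scheme, "Bearer "+tok, now)
		fmt.Printf("%-5s -> subject=%q err=%v\n", scheme, sub, err)
	}
}
```

Run it with go run; the https request yields the subject and the http request is refused before the token is even parsed, which is the property port blocking and the HTTPS-only gateway rule are meant to give.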
6
Secrets/Key Management
Columns: Feature | California | Delhi | Edinburgh | Beyond (cells are listed in release order as extracted)
- Vault: Init and store primary Kong cert | Non-root token and namespace; initial services' use of Vault for secrets | System-wide usage of Vault for secrets
- Certificate Management: Generate certs for Vault and API gateway | X | Generate certs for service-to-service communication
- Initial Power-Up Secrets: Design pluggable abstraction layer for HW-based secure storage | Deliver abstraction layer | Use abstraction layer to encrypt initial power-up secrets
- Service-to-Service Communication: Enabled via one of (mutual certs or token-based AuthN) | Secure service registration
IIC Endpoint Security Best Practices reference: Secure Communications, Endpoint Identity, Cryptographic Services
7
Cryptographic Services
Columns: Feature | California | Delhi | Edinburgh | Beyond (cells are listed in release order as extracted)
- X.509 v3 Certs: RSA: 1024 bits, 2048 bits, 4096 bits << recommended >>; Elliptic Curve: secp224r1 (NIST P-224), secp256r1 (NIST P-256), secp384r1 (NIST P-384) << recommended >>, secp521r1 (NIST P-521) | X
- Vault Encryption: AES-256 in GCM mode using 96-bit nonces for the IV
- File System Encryption: TBD
- TLS: Server side | Mutual certs
IIC Endpoint Security Best Practices reference: Cryptographic Services
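The Vault encryption and certificate rows above, together with the certificate-management row on the Secrets/Key Management slide, name the concrete primitives: AES-256-GCM with a 96-bit nonce, and X.509 v3 certificates on RSA or NIST curves. The Go program below is an added example for this page, not EdgeX or Vault code: sealSecret/openSecret show the GCM construction with a fresh random nonce per message and authenticated associated data, checkCertKey applies a key-strength policy when a certificate is loaded, and selfSignedEC mints a P-384 certificate to exercise it. The policy (RSA of at least 2048 bits; EC on P-256, P-384 or P-521, so RSA-1024 and P-224 from the slide's list are refused) is chosen here from current NIST guidance and is not stated on the slide; all function names and sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const gcmNonceSize = 12 // 96-bit nonce, the IV size the slide specifies

// newGCM builds an AES-256-GCM AEAD and refuses any key that is not 32 bytes,
// so an AES-128 key cannot silently downgrade the construction.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// sealSecret encrypts plaintext; a fresh random nonce is prepended to the
// output, and aad (e.g. the owning service name) is authenticated, not encrypted.
func sealSecret(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openSecret reverses sealSecret; any change to nonce, ciphertext, tag or aad fails.
func openSecret(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// checkCertKey applies the key-strength policy chosen for this example when a
// certificate is loaded: RSA >= 2048 bits, EC on P-256/P-384/P-521 only.
func checkCertKey(cert *x509.Certificate) error {
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			return fmt.Errorf("RSA key too short: %d bits", pub.N.BitLen())
		}
	case *ecdsa.PublicKey:
		switch pub.Curve {
		case elliptic.P256(), elliptic.P384(), elliptic.P521():
		default:
			return fmt.Errorf("curve %s not allowed", pub.Curve.Params().Name)
		}
	default:
		return errors.New("unsupported public key type")
	}
	return nil
}

// selfSignedEC issues a short-lived self-signed X.509 v3 certificate on the
// given curve, usable for both server and client (mutual) TLS. Demo helper only.
func selfSignedEC(curve elliptic.Curve, cn string) (*x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	key := make([]byte, 32) // constructed demo key; Vault would hold the real one
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, _ := sealSecret(key, []byte("device-credential"), []byte("core-data"))
	pt, err := openSecret(key, sealed, []byte("core-data"))
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	cert, _ := selfSignedEC(elliptic.P384(), "edgex-core-data")
	fmt.Println("P-384 cert passes policy:", checkCertKey(cert) == nil)
}
```

One caveat that follows from the 96-bit random nonce: nonce reuse under the same key breaks GCM's confidentiality and integrity, and NIST SP 800-38D bounds random-IV use to 2^32 invocations per key, so a secret store that encrypts many items should rotate keys well before that count.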
8
Hardware Based Security
Columns: Feature | California | Delhi | Edinburgh | Beyond (cells are listed in release order as extracted)
- Secure Boot: X | Information sessions with HW vendors | Recommendations and guidelines
- Root of Trust / Secure Secrets Storage: Design pluggable abstraction layer | Deliver pluggable abstraction layer | Add 3rd party plugins
IIC Endpoint Security Best Practices reference: Secure Boot, Root of Trust, Cryptographic Services
9
Future Security Features
Categories: Data Protection; Identity and Access; Operational Security
Planned items (category assignment is not recoverable from the extracted layout): DAR (data-at-rest) encrypted storage; data protection policy administration; local and remote security monitoring; audit guidelines; SW update management; attestation; privacy; secure auto-configuration; operational security policy