Defending the Internet of Things

Transcription

1 Defending the Internet of Things Identity at the Core of Security entrust.com

2 Table of contents Introduction Page 3 Challenge: protecting & managing identity Page 4 Founders of identity security Page 5 Standardizing PKI Page 6 Secure mobile, leverage mobile Page 6 Identity management Page 7 Trusted advisor for critical architectures Page 7

3 Introduction More system complexity means that there is more threat surface that needs to be defended. It also means that there is more potential to make mistakes and introduce vulnerabilities. Attacks on traditional IT systems have resulted in massive loss of money, privacy and intellectual property. Even worse, attacks on the Internet of Things (IoT) potentially threaten our safety. This threat landscape exists alongside the ever-increasing demand for more technology to be embedded into coordinated devices used in healthcare, automobiles, aviation, critical infrastructure and smart city initiatives. More system complexity means that there is more threat surface that needs to be defended. It also means that there is more potential to make mistakes and introduce vulnerabilities. The opportunity to create a safe and secure system occurs when we realize that perimeter defenses are insufficient and that we must engineer comprehensive security throughout system processes. In highly automated systems, connected devices must assure trust by assuring authenticity. Too often, devices in automated and coordinated systems do not challenge the authenticity of the source of the commands that they act upon. In an ideal world, the identity of each system component would be authenticated, but system constraints demand that we optimize an architecture that achieves security and assures performance. 3

4 Challenge: protecting & managing identity What s at Risk? Critical infrastructure programmable logic units Automobile electronic control units Medical devices Smart city, including intelligent transportation Utilities and industrial control Building automation Securing identity is a central concept in reducing attack surfaces. Every attack we have studied requires an attack against identity in order to accomplish its malicious goals. The chain of trust shows us how system parts sitting directly in the sequence of a process must question each other s identity. Wherever an identity can be compromised, an attacker will find it and use it against the system. Authenticity of Parts This approach is suitable for parts that include firmware components. It also has the potential to allow secure in service upgrades because of the code-signing confirmation that authenticate the identity of the firmware source. Receiving Commands Identity of Source All networks should be considered unsafe. Any device that receives a valid command on a network should not blindly trust the source s identity. The authenticity of command is not enough, but the identity s authenticity of the command source is the key to reducing threat surface. These concepts are at the heart of what public key infrastructure (PKI) can accomplish. Sending Commands Identity of Destination Vulnerabilities and failures occur. Therefore, not all devices on a network should be trusted to hear commands sent on the network. An attacker who can read legitimate commands moving across a network can learn which commands to replay at a later time for malicious intent. The need for encrypted communications within an enclosed network of embedded devices is important to reduce attack surface. Authentication IoT is synonymous with remote connectivity, which is a fast-growing technology area. Without authentication, critical devices are at risk of attack. Too often, critical IoT devices and their networks are considered to be secure because of the perceived lack of physical access or the complexity of the communication protocol. Attacks have shown us that security by obscurity is insufficient. Secure elements and higher processing power in IoT devices have created opportunities to embed cryptographic capabilities enabling strong authentication. Security Culture As traditional vendors transition to solve IoT challenges, there will be struggles to manage, secure and authenticate 4 devices. Security that stands the test of implementation requires expertise that is forged through experience.

5 Founders of identity security Entrust has a long history of protecting identities and architecting systems that assure chains of trust. Entrust s core competencies such as PKI are highly applicable to security for the Internet of Things. This security expertise specifically protects identities. Entrust is a founder and editor of the underlying standards community, as well as the one of the primary architects for identity security within complex projects. Today, this leadership is further augmented by the strategic integration between Entrust and Datacard Group. As a single company, this partnership provides identity-based technologies that enable highly secure anywhere-anytime access for workforces of all sizes. Our solutions help consolidate identity information that is typically scattered through numerous databases. We create unified and trusted identities that provide enterprises with a single point of control and much greater security. Whether people are entering secure facilities, logging onto desktop computers or accessing networks remotely with mobile devices, Datacard Group and Entrust provide security and convenience for authorized users and strong lines of defense against unauthorized access. These high-assurance credential solutions, strong authentication platforms, encryption technologies, mobile security, managed PKI services and SSL certificates meet the needs of organizations with advanced requirements and complex ecosystems, including IoT. Our wide range of credential issuance solutions also meets the needs of enterprises looking to protect smaller populations and control access to a limited number of facilities. 5

6 Standardizing PKI From its early days (as a division of Northern Telecom) to the present, Entrust has played a strong leadership role in the standardization, implementation and deployment of PKI. In 1992, Entrust supplied one of the world s first PKI implementations to the Canadian Department of National Defence. The system, Packet Data Security Overlay (PDSO), provided end-to-end security for X.25 data communication systems. Development of the base PKI standard, commonly referred to as X.509 began in 1985 and was completed in Entrust was one of the primary technical contributors to that first edition and also played a leadership role as ITU-T and ISO/ IEC editor for the project. Since that first edition, Entrust has continued participation in the development of new architectures and features to the present time and have, at various times, chaired the X.509 committee and provided project editorship. In addition to these primary PKI standards activities, Entrust has also participated and in some cases played leadership roles in numerous industry forums, regional standards initiatives and application-specific initiatives. Some of these include the CA/Browser Forum, Electronic Messaging Association, ICAO, ETSI, American Bar Association and others. Secure mobile, leverage mobile Entrust both secures and leverages mobile devices. Device certificates ensure that authorized devices securely connect to a network. Entrust Mobile Smart Credentials enable strong authentication and transaction-signing. The isolation of mobile operating system applications provides greater security than desktop environments. Future devices will even enable credentials to be stored in secure elements. Entrust s mobile SDK provides authentication/ credential functionality that can work within a custom mobile application. Many of the advances in mobile security technologies such as Trusted Execution Environments and secure elements are models that should be leveraged by IoT technologies. Easy-to-use mobile user interfaces, along with the high levels of security functionality, are a combination in security rarely seen. If security requires the input and/or decision-making of a human, security is likely to fail. Mobile is an opportunity for success. 6

7 Identity management Entrust s flagship authentication solution, Entrust IdentityGuard is one of the most robust authentication and identity-assurance platforms in the market. It delivers an unmatched breadth of capabilities and flexibility to meet the most demanding security environments. Identity management is a challenge for most organizations. Authentication vendors often do not have an identity management platform to match customer needs. Existing point authentication solutions are no longer up to the task of thwarting advances that exploit vulnerabilities in a variety of channels or mediums. Whether the root threats originate from internal or external sources, critical information, data and identities are at constant risk. SOFTWARE AUTHENTICATION PLATFORM SMS Mobile Soft Token Transaction Verification Mobile Device Certificates Mobile Smart Credential Password Device Authentication IP-Geolocation Digital Certificates Grid / egrid OTP Tokens Knowledge Based Smartcards and USB Transaction Signing Mutual Authentication Biometrics Trusted advisor for critical architectures As a trusted PKI advisor, Entrust has served a key role assisting with the design of PKI architectures for specific projects. One of these, the U.S. Federal PKI (FPKI) working group, included design, development and deployment of the first bridge CA. This concept enabled different agencies to operate their own PKI infrastructures in a relatively autonomous environment, supporting common policies and enabling secure communications among a variety of agencies. Another example, the design of Extended Access Control (EAC) for the European Union epassport application. This included the design of a Single Point of Contact (SPOC) supporting certificate management between EU member states and delegation of authorization and access control permissions from a passport issuer to foreign border control. EAC, and its associated PKI architecture, are becoming more widely adopted for other applications as well, including ISO/IEC standards for driver s licenses and national ID cards (e.g., Germany). 7

8 Entrust and you More than ever, Entrust understands your organization s security pain points. Entrust offers software authentication platforms that strengthen security in a wide range of identity and transaction ecosystems. Government agencies, financial institutions and other enterprises rely on Entrust solutions to strengthen trust and reduce complexity for consumers, citizens and employees. Now, as part of Datacard Group, Entrust offers an expanded portfolio of solutions across more than 150 countries. Together, Datacard Group and Entrust issue more than 10 million secure identities every day, manage billions of secure transactions annually and issue a majority of the world s financial cards. For more information about Entrust solutions, call , [email protected] or visit Company Facts Website: entrust.com Employees: 359 Customers: 5,000 Offices: 10 globally Headquarters Three Lincoln Centre 5430 LBJ Freeway, Suite 1250 Dallas, TX USA Sales North America: EMEA: +44 (0) [email protected] Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. Entrust is a registered trademark of Entrust Limited in Canada. All other company and product names are trademarks or registered trademarks of their respective owners. The material provided in this document is for information purposes only. It is not intended to be advice. You should not act or abstain from acting based upon such information without first consulting a professional. ENTRUST DOES NOT WARRANT THE QUALITY, ACCURACY OR COMPLETENESS OF THE INFORMATION CONTAINED IN THIS ARTICLE. SUCH INFORMATION IS PROVIDED AS IS WITHOUT ANY REPRESENTATIONS AND/OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, BY USAGE OF TRADE, OR OTHERWISE, AND ENTRUST SPECIFICALLY DISCLAIMS ANY AND ALL REPRESENTATIONS, AND/OR WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, NON-INFRINGEMENT, OR FITNESS FOR A SPECIFIC PURPOSE