This is my third blog under the series of Internet of Everything (IoE) Security having written the Introduction, and having proposed proposed an architectural view.
To address the highly diverse IoE environment and the related security challenges, a flexible security framework is required.
Our framework is comprised of three generalized components:
- Authorization and Access Control
- Network Enforced Policy
Surrounding all three components, we specify a fourth, Secure Intelligence Operations including Visibility and Control.
The components are summarized below:
Authentication encompasses the elements that initiate the determination of access by first identifying the IoT/M2M devices (e.g. embedded sensors and actuators or endpoints). Note that while in typical enterprise networks, these endpoints may be identified by a human credential (e.g. username and password or token), the IoT/M2M endpoints must be fingerprinted by means that do not require human interaction.
Such identifiers include RFID, x.509 certificates or the MAC address of the endpoint.
The Internet Thing (e.g. endpoint) may comprise of varying operating systems, CPU types, memory footprint, and form factors. Many of these, will be very low-cost, single-function devices, for example, a temperature or pressure sensor that has rudimentary network connectivity.
In addition, these devices could be in a remote or inaccessible location where human intervention is infeasible.
This creates new challenges, as the means of IP connectivity may only exist after the installation teams have left the site. Considerations must be taken to ensure that the initial installation/configuration of the device and its eventual presence on the IoT/M2M infrastructure cannot be compromised.
This is fundamentally different than current network-attached devices as they typically establish the IP connectivity prior or as part of its installation and configuration process.
Current authentication mechanisms rely on the binding of an identity to a pre-shared secret (e.g. a password or generated random value), a RSA key pair and its associated X.509 certificate or one-time token passwords.
Such credentials may be prohibitive as they may be unmanned or the devices have such a small footprint lacking in memory required to host the X.509 certificate and/or lacking in the CPU power to execute the cryptographic operations to validate the X.509 certificates (or any type of Public Key operation).
Existing identity footprints such as IEEE 802.1AR and authentication protocols as defined by IEEE 802.1X can be leveraged for those devices that can manage both the CPU load and memory to store strong credentials. However, the challenges of the new form factors as well as new modalities creates the opportunity for further research in defining smaller footprint credential types, less-compute intensive cryptographic constructs and authentication protocols.
Authorization and Access Control are the elements that define and control policy (e.g. the Policy Administration [PAP], Policy Information [PIP] and Policy Decision [PDP]) points by which the network infrastructure may (and should be guided) to provide service (beyond classical “network access”) to the endpoints throughout the network fabric. These elements have tight affinity with the authentication elements since the identity is what seeds the control policies.
Fortunately, current policy mechanisms to both manage and access control for consumer and enterprise networks map extremely well to the IoT/M2M needs. The subtle adaptations needed, goes to the delivering the appropriate scale and performance to handle the billions of IoT/M2M devices and the need to allow for the policies to account for the plethora of these endpoints, their device and behavioral characteristics that will also require finer grained segmentation of the network.
Network Enforced Policy encompasses all elements that route and transport endpoint traffic (either through the control, management or data planes) and thus invokes a policy on that traffic (e.g. Policy Enforcement [PEP]). As such, these elements are configured to adhere to the cryptographic configuration and access controls as driven by the Policies as defined in the elements that drive the authorization and (network) access controls.
Like the Access Control and Authorization layer, there are already established protocols and mechanisms to secure the network infrastructure and affect policy that are well suited to the IoT/M2M use cases.
Secure Intelligence Operations, Visibility and Control: Defines the services by which all elements (endpoints, network infrastructure inclusive of data centers) may participate to provide telemetry for the purpose of providing visibility and thus control of the IoT/M2M ecosystem. Further, it includes all elements that, beyond telemetry, aggregate and correlate the information to provide the reconnaissance and threat detection. With network infrastructures becoming more complex as they have topologies that include either or both public and private clouds, the threat intelligence and defense capabilities must also be cloud-based.
Orchestration of the visibility, context and control is required to drive the Secure Intelligence Operations (SIO).
Components of SIO include:
- The actual IoT/M2M infrastructure from which telemetry and reconnaissance data is acquired and gathered.
- The core set of functions to coalesce, analyze the data for the purposes of providing Visibility, Contextual-awareness and Control
- The delivery of the actual SIO that builds upon the specific contexts developed by the second component listed above.
While the IoT/M2M may afford some simplifications, such as known set patterns given that the embedded systems, actuators and sensors are to be assigned to simple, dedicated tasks.
The overall IoT/M2M architecture must still service and account for operators using manned devices (e.g. laptops, handheld scanners, etc) that subsume all the threats applicable to classical IT. In addition, new challenges are raised:
- Provisioning and configuration systems to facilitate the zero-touch as required by the unmanned endpoints will present some new risks; especially as there will be a plethora of sensors, actuators and embedded systems that will not adhere to one single common standard.
- Cryptographic Capabilities at the endpoint may be limited as they may be constrained by their CPU, memory and power requirements
- The scalability of an IoT/M2M brings new challenges as deployments must now serve millions of endpoints. Serving a rich multi-service edge along with all the required policies to serve the different millions endpoints forces larger and more distributed scale deployments than the classical IT. Such a reality teaches us that a “perfect” secure solution is unlikely to be achieved at any level. A real-time intelligent security and risk management capability provides a complementary solution to address the security gaps and threats.
SIO can provide, but not limited to:
- Adaptive Fraud Detection with non-repudiation
- Actionable Risk Monitoring and Defenses
- Dynamical Reputation Management
- Resilient Control
Realizing that it is difficult (probably impossible) to design a perfect secure solution for any IoT system, this security framework provides the foundation upon which appropriate security services can be selected.
Finally, as specific contexts and verticals are considered, gaps can also be identified and addressed. While the security implications to IoT/M2M constructs are vast; deconstructing a viable IoT/M2M Security Framework can be the foundation to the execution of security in production environments. I will be providing periodic updates to IoE Security in my forthcoming blogs so stay tuned!