a reference architecture for iot: how to create a resilient, secure iot cloud
DESCRIPTION
Paul Fremantle, CTO & Co-Founder of WSO2, delivered a talk at IoT World Forum in London titled "A Reference Architecture for IoT: How to create a resilient, secure IoT cloud". The talk discussed how the world is moving from thousands of connected clients to millions of connected devices, and how we are moving from a known security perimeter to an almost infinite attack space. Scalable and secure architecture enables IoT to succeed, and Paul elaborated what such an architecture should look like and how major companies have implemented this using best-of-breed Open Source components.
TRANSCRIPT
Paul Fremantle
CTO, WSO2 ([email protected])
PhD researcher, Portsmouth University ([email protected])
@pzfreo #wso2
A reference architecture for IoT: How to create a resilient, secure IoT cloud
Firstly, does security even matter?
My three rules for IoT security
• 1. Don’t be stupid
– The basics of Internet security haven’t gone away
• 2. Be smart
– Use the best practice from the Internet
• 3. Think about what’s different
– What are the unique challenges of your device?
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
So what is different about IoT?
• The longevity of the device
– Updates are harder (or impossible)
• The size of the device
– Capabilities are limited, especially around crypto
• The fact there is a device
– Usually no UI for entering userids and passwords
• The data
– Often highly personal
• The mindset
– Appliance manufacturers don’t think like security experts
– Embedded systems are often developed by grabbing existing chips, designs, etc.
Physical Hacks
A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
Karsten Nohl and Henryk Plötz, MIFARE, Little Security, Despite Obscurity
Or try this at home?
http://freo.me/1g15BiG
Hardware recommendations
• Don’t rely on obscurity
Hardware Recommendation #2
• Unlocking a single device should risk only that device’s data
The Network
Direct network vs Gateway model
Crypto on small devices
• Practical Considerations and Implementation Experiences in Securing Smart Object Networks
– http://tools.ietf.org/html/draft-aks-crypto-sensors-02
Key distribution
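The following is an added worked example, not code from the talk or from WSO2, tying together Hardware Recommendation #2 ("unlocking a single device should risk only that device's data"), the crypto-on-small-devices point (symmetric primitives only, which fit a constrained MCU) and key distribution. The scheme it shows is an assumption the slides do not spell out: the cloud holds one master key and derives a distinct key for each device from the device's public, non-secret identifier; each device is provisioned with only its own derived key. MASTER_KEY, the device ids and the payloads are constructed placeholders for the demo.

```python
"""Per-device key diversification: one cloud master key, one derived key per
device, so a key extracted from an unlocked device authenticates nothing but
that device. Added example; not the talk's or WSO2's code."""
import hashlib
import hmac
import struct

# Constructed placeholder. In a real deployment this lives in an HSM/KMS and
# is never shipped to any device.
MASTER_KEY = hashlib.sha256(b"constructed demo master key").digest()


def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    """Derive a 32-byte device key with HMAC-SHA256 (single-block counter-mode
    KDF in the style of NIST SP 800-108). The label keeps this derivation
    separate from any other use of the master key."""
    label = b"iot-device-auth-key"
    kdf_input = struct.pack(">I", 1) + label + b"\x00" + device_id
    return hmac.new(master_key, kdf_input, hashlib.sha256).digest()


def sign_message(device_key: bytes, device_id: bytes, counter: int, payload: bytes) -> bytes:
    """Tag a message with the device key. The device id and a monotonically
    increasing counter are bound into the MAC so a tag can be neither replayed
    nor re-attributed to another device."""
    msg = device_id + b"\x00" + struct.pack(">Q", counter) + payload
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class CloudVerifier:
    """Cloud side: re-derive the claimed device's key from its id, check the
    tag in constant time, then enforce the per-device counter."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._last_counter = {}  # device_id -> highest accepted counter

    def verify(self, device_id: bytes, counter: int, payload: bytes, tag: bytes) -> bool:
        device_key = derive_device_key(self._master_key, device_id)
        expected = sign_message(device_key, device_id, counter, payload)
        if not hmac.compare_digest(expected, tag):
            return False
        if counter <= self._last_counter.get(device_id, 0):
            return False  # replay or out-of-order message
        self._last_counter[device_id] = counter
        return True


if __name__ == "__main__":
    cloud = CloudVerifier(MASTER_KEY)
    # Provisioning: each device gets only its own key (constructed ids).
    key_a = derive_device_key(MASTER_KEY, b"device-0001")
    tag = sign_message(key_a, b"device-0001", 1, b'{"temp": 21.5}')
    print("device-0001 genuine:", cloud.verify(b"device-0001", 1, b'{"temp": 21.5}', tag))
    # Attacker who unlocked device-0001 tries to speak as device-0002 with key_a.
    forged = sign_message(key_a, b"device-0002", 1, b'{"temp": 99}')
    print("forged as device-0002:", cloud.verify(b"device-0002", 1, b'{"temp": 99}', forged))
```

The check that matters is the forgery case: the key lifted from one device does not let an attacker produce a valid tag for any other device id, because the cloud always re-derives the key from the id the message claims. The counter gives cheap replay protection without a clock on the device; a device that loses its counter after reset needs a resynchronisation step, which this example does not cover.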
Ubertooth
http://ubertooth.sourceforge.net/
https://www.usenix.org/conference/woot13/workshop-program/presentation/ryan
IDENTITY IS THE NEW PERIMETER
Passwords
• Passwords suck for humans
• They suck even more for devices
Why Federated Identity for IoT?
• Can enable a meaningful consent mechanism for sharing of device data
• Giving a device a token to use on API calls is better than giving it a password
– Revocable
– Granular
• May be relevant for both
– Device to cloud
– Cloud to app
More information
http://pzf.fremantle.org/2013/11/using-oauth-20-with-mqtt.html
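An added worked example of the revocable, granular device token the slide argues for; it is not code from the talk, from WSO2 or from the linked post. It assumes the device carries its bearer token in the MQTT CONNECT password field (the mapping the linked post discusses) and that the broker asks the authorization server about the token on every publish or subscribe, so revocation takes effect immediately. Device ids, topics and the "action:topic-prefix" scope format are constructed for the demo, and the current time is passed in explicitly so expiry is deterministic.

```python
"""Scoped, revocable bearer tokens for devices in place of device passwords.
Added example; not the talk's, WSO2's or the linked post's code."""
import secrets


class AuthorizationServer:
    """Issues opaque tokens bound to a device id, a scope list and an expiry.
    Tokens are introspected on every use, so a revoked token dies at once,
    unlike a password baked into firmware."""

    def __init__(self):
        self._tokens = {}

    def issue(self, device_id, scopes, ttl_s, now):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"device_id": device_id, "scopes": tuple(scopes), "exp": now + ttl_s}
        return token

    def introspect(self, token, now):
        rec = self._tokens.get(token)
        if rec is None or now >= rec["exp"]:
            return None
        return rec

    def revoke(self, token):
        self._tokens.pop(token, None)


def scope_allows(scopes, action, topic):
    """Constructed scope format "<action>:<topic prefix>": a scope covers the
    prefix itself and anything beneath it. The trailing "/" matters, so
    "publish:devices/dev-1" does not cover "devices/dev-10/...". """
    for scope in scopes:
        scope_action, _, prefix = scope.partition(":")
        if scope_action == action and (topic == prefix or topic.startswith(prefix + "/")):
            return True
    return False


class Broker:
    """Minimal MQTT-style authorization: CONNECT presents the token as the
    password and must match the device id; each PUBLISH/SUBSCRIBE re-checks
    the token and its scope."""

    def __init__(self, auth):
        self._auth = auth
        self._sessions = {}  # client_id -> token

    def connect(self, client_id, username, password, now):
        rec = self._auth.introspect(password, now)
        if rec is None or rec["device_id"] != username:
            return False
        self._sessions[client_id] = password
        return True

    def _authorize(self, client_id, action, topic, now):
        token = self._sessions.get(client_id)
        if token is None:
            return False
        rec = self._auth.introspect(token, now)
        if rec is None:
            self._sessions.pop(client_id, None)  # expired or revoked: drop the session
            return False
        return scope_allows(rec["scopes"], action, topic)

    def publish(self, client_id, topic, now):
        return self._authorize(client_id, "publish", topic, now)

    def subscribe(self, client_id, topic, now):
        return self._authorize(client_id, "subscribe", topic, now)


if __name__ == "__main__":
    auth = AuthorizationServer()
    broker = Broker(auth)
    # Constructed device and scopes: may publish its own telemetry, may only
    # subscribe to its own command topic.
    tok = auth.issue("dev-1", ["publish:devices/dev-1", "subscribe:devices/dev-1/commands"], 3600, now=1000)
    print("connect:", broker.connect("c1", "dev-1", tok, now=1000))
    print("own telemetry:", broker.publish("c1", "devices/dev-1/telemetry", now=1000))
    print("another device's topic:", broker.publish("c1", "devices/dev-2/telemetry", now=1000))
    auth.revoke(tok)
    print("after revoke:", broker.publish("c1", "devices/dev-1/telemetry", now=1000))
```

Two properties of the slide show up directly: granularity (the token for dev-1 cannot publish into dev-2's topic) and revocation (one call at the authorization server cuts the device off without touching its firmware). The introspection-per-message design trades a lookup on every message for that immediacy; a self-contained token such as a JWT would avoid the lookup but then needs a separate revocation list.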
http://siot-workshop.org/
Reference Architecture for the Internet of Things http://freo.me/iotra
Re-active vs Realtime Pro-Active
Web Architecture
• Re-active
• 10k-100k connections
• Pull-based
• Human interactions
• Some APIs
• Creating Big Data
IoT Architecture
• Push-based
• 100k-1m connections
• No human interaction
• Autonomic
• API driven
• Creating even bigger datasets
Real time stream processing
1 million events/s on 4 servers in Amazon EC2
Analytics
Identity Management
Device Management (Generally available Q1/2015)
APIs and API Management
eBay handles 6 billion messages a day through WSO2
That is 4 million a minute
Public WSO2Cloud
Hybrid/Private PaaS
On-Premise
Develop Once – Deploy Everywhere
Managed Cloud
On AWS
DOESN’T EVERYONE SAY “JUST USE MY OPEN PLATFORM”?
Really Actually Open
• 100% Open Source (no bait and switch!)
• Heterogeneous
• Polyglot
• Interoperable
• Modular and based on OSGi
• Extensible
• API-driven
https://www.flickr.com/photos/jmarty/
Summary
• Think about security from the start
• Build a federated and secure model of Identity for Things
• Create Autonomic models that deliver value that surprises and delights customers
• Use Big Data Analytics and the Lambda Architecture to understand your customers
• Be Open!