TRANSCRIPT
Introduction & Overview to Fog Computing
Lynne Canavan, Executive Director, OpenFog Consortium, [email protected]

Fog Computing: A Panel Discussion

Moderator
• Ken Hosac, VP Business Development, Cradlepoint

Panelists
• Don Banks, Senior Principal Engineer / System Architect, [email protected]
• Chuck Byers, Architecture Co-Chair, OpenFog Consortium & Principal Engineer,
• Yuta Endo, VP/GM of APAC Operation, Product Marketing, FogHorn Systems
• Lynne Canavan, Executive Director, OpenFog Consortium, [email protected]
OpenFog Security
Don Banks, Senior Principal Engineer, System Architect, Architecture & Technology, ARM
Security Challenges
• As intelligence, local data storage, analytics, and other compute moves towards the edge, many devices will be located in unsecured/low-security locations
  – The cost of a breach can be enormous
  – Protecting both the device and its data is critical for many deployments
• OpenFog needs to provide a rich and flexible set of security features that enable sufficient security for each circumstance
  – Not every security mechanism will need to be implemented on every node or for every communication
    • It will always be a threat vs. cost evaluation
    • Use discovery and publishing mechanisms to enumerate available services
  – Policy-based amelioration
• Approach needs to be "global"
  • Implementations need to accommodate regional standards and requirements
    – e.g., cryptographic algorithms
• Architecture needs to be vendor neutral
• No such thing as absolute security
Security Scope
Security must be end-to-end
• It starts with each Node
• Includes the Network (Communication)
  – Between end points and across the network
  – Cryptography +
• Includes Data Protection
  – Data-in-Motion (between VMs/containers and between end-point systems & applications)
  – Data-at-Rest (on disk or other non-volatile storage media, including SCM)
  – Cryptography +
• Management & Orchestration
  – Command, Control, Configuration
  – Software Upgrade
• Physical Security
  – Tamper Resistance, Detection, and Remediation
Security as a Service
• Security is a cross-cutting function
  – It provides services to all of the other vertical and horizontal functions
  – It may provide services through any combination of trusted hardware, firmware, and/or software
Security Scope
• If the node is not secure, no amount of network security or encryption will make it secure
• Starts with a trusted hardware component receiving control at power-on
  – This is called the [Hardware] Root-of-Trust
• Uses h/w-based virtualization as a security mechanism
  – Supports multi-tenant with isolation & QoS guarantees
[Diagram: node hardware layer. Core0 plus vCore1 … vCoren; h/w ROT; Security Engine; MMU + IOMMU; processor & I/O virtualization (hypervisor mode); Trusted Execution Mgmt.]
Security Scope
• Extends the Chain-of-Trust
  – Trusted hardware executes immutable firmware stored on-chip (trusted)
• Starts the root-of-trust extension
  – Secure Boot (Verified) / Trusted Boot (Measured)
• Continues the root-of-trust extension
  – Secure/Trusted Boot of the secure OS / bare-metal OS / Hypervisor
[Diagram: chain of trust from the static ROT up through the hypervisor. Hardware: Core0 plus vCores, h/w ROT, Security Engine, MMU + IOMMU, processor & I/O virtualization (hypervisor mode), Trusted Execution Mgmt, SoC accelerators, disks and NICs. Firmware / Option ROMs / Platform NVRAM: Trusted Boot, Static ROT. Hypervisor: vSE, RTIC, vCores, vDisk, vNIC, vSoC accelerators. Data at Rest and Data in Motion are shown encrypted.]
Security Scope
• Secure/Trusted Boot of VMs and apps/containers
[Diagram: chain of trust extended into VMs and containers, on top of the hardware, firmware (Trusted Boot, Static ROT) and hypervisor (vSE, RTIC, vCores, vDisk, vNIC, vSoC accelerators) layers of the previous figure. VM1 (TEE): App1, App2 and VNF0 on an OS with a Dynamic ROT, Trusted Loader, vSE and Trusted Boot. VM2 (TEE): VNF1 on Linux with a Dynamic ROT, Trusted Loader, vSE, Trusted Boot and RTIC. Container0: VNF3. VMn: VNF4 on an OS with an ordinary Loader and Boot. Container0: App7. Tamper Protection surrounds the hardware; Data at Rest and Data in Motion are encrypted.]
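The two boot slides above describe a chain of trust that is both verified (secure boot refuses to run a stage whose signature fails) and measured (trusted boot records each stage before it runs), reaching from immutable on-chip ROM through the hypervisor into VM images with their own dynamic roots of trust. The following Go program is an added example written for this page; it is not OpenFog or ARM code. It models the ROM root of trust as a pinned Ed25519 public key, a PCR-style extend-only register as the measurement log, and a remote verifier that compares the node's final PCR with a golden value. The stage names, the image contents and the single vendor key that signs every stage are assumptions made for the demo; real platforms usually chain through intermediate keys or certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Stage is one link in the chain of trust: the image that will receive control
// next and the signature the already-trusted stage checks before handing over.
type Stage struct {
	Name  string
	Image []byte
	Sig   []byte
}

// PCR models a platform configuration register: extend-only, so its final value
// commits to every image that ran and to the order in which they ran.
type PCR [sha256.Size]byte

// Extend returns SHA-256(pcr || SHA-256(image)), the TPM-style extend operation.
func (p PCR) Extend(image []byte) PCR {
	digest := sha256.Sum256(image)
	return sha256.Sum256(append(p[:], digest[:]...))
}

// Boot walks the chain from the hardware root of trust. rootKey stands in for
// the vendor public key held in immutable on-chip ROM (a demo assumption).
//   - Verified (secure) boot: a stage whose signature fails never gets control.
//   - Measured (trusted) boot: each stage is recorded in the PCR before it runs,
//     so a verifier can later learn what actually booted, not only that it passed.
func Boot(rootKey ed25519.PublicKey, chain []Stage) (PCR, error) {
	var pcr PCR // reset value: all zeros
	for _, s := range chain {
		if !ed25519.Verify(rootKey, s.Image, s.Sig) {
			return pcr, fmt.Errorf("stage %q: signature verification failed, halting boot", s.Name)
		}
		pcr = pcr.Extend(s.Image)
		// control would now pass to s.Image
	}
	return pcr, nil
}

// Golden recomputes the PCR a verifier expects for a known-good set of images.
func Golden(images [][]byte) PCR {
	var pcr PCR
	for _, img := range images {
		pcr = pcr.Extend(img)
	}
	return pcr
}

// Attest compares a node's reported PCR with the golden value in constant time.
func Attest(reported, golden PCR) bool {
	return subtle.ConstantTimeCompare(reported[:], golden[:]) == 1
}

// sign is the build-time step: the vendor signs each stage with the private key
// whose public half is in ROM.
func sign(priv ed25519.PrivateKey, name string, image []byte) Stage {
	return Stage{Name: name, Image: image, Sig: ed25519.Sign(priv, image)}
}

// DemoChain builds a constructed three-stage chain (boot loader -> hypervisor ->
// VM image) with an in-process key pair and returns the ROM key, the signed
// chain and the known-good images a verifier would hold.
func DemoChain() (ed25519.PublicKey, []Stage, [][]byte) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	images := [][]byte{
		[]byte("bootloader v1.2"),
		[]byte("hypervisor v3.0"),
		[]byte("vm1 image: VNF0 + trusted loader"),
	}
	chain := []Stage{
		sign(priv, "bootloader", images[0]),
		sign(priv, "hypervisor", images[1]),
		sign(priv, "vm1", images[2]),
	}
	return pub, chain, images
}

func main() {
	pub, chain, images := DemoChain()
	pcr, err := Boot(pub, chain)
	fmt.Println("clean boot ok:", err == nil, "attested:", Attest(pcr, Golden(images)))

	// Flip one byte of the hypervisor image after signing: verified boot halts.
	chain[1].Image = append([]byte{}, chain[1].Image...)
	chain[1].Image[0] ^= 0xff
	_, err = Boot(pub, chain)
	fmt.Println("tampered boot:", err)
}
```

Two properties are worth noticing. The signature check stops a tampered stage before it runs, which is what protects the node; the PCR is what lets a management or orchestration system tell, after the fact, which images a node actually booted, and it changes if an image changes or if the same images boot in a different order.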
A Fog Network View
Network (Communication) Security
• Fog Node Communication
  – Node-to-Node, Node-to-Cloud, Node-to-thing/device
  – Includes both physical and virtual end points
  – Cryptography +
• Provides CIA + Nonrepudiation
  – Confidentiality
    • Connection and Connectionless Data Confidentiality, Traffic Flow Confidentiality
  – Integrity
    • Connection Integrity with Recovery, Connectionless Integrity with Detection, Anti-replay Protection
  – Authentication
    • Data Origin Authentication for Connectionless Communications, Peer Entity Authentication for Connection-based Communications, Authenticated Channel Access Control
  – Nonrepudiation (optional)
    • Nonrepudiation of Origin and Destination
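The data-protection slide earlier (data in motion between end points, VMs and containers) and the CIA list above both ask for confidentiality, connectionless integrity with detection, anti-replay protection and data-origin authentication on node-to-node traffic. The following Go program is an added example written for this page, not OpenFog code. It wraps each datagram in AES-256-GCM with the sequence number serving both as the nonce and as associated data, and the receiver applies an RFC 4303 (IPsec ESP) style 64-entry sliding anti-replay window. The key, the message contents and the header layout are constructed for the demo; peer-entity authentication and nonrepudiation need per-node asymmetric credentials and are outside this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// windowSize: how far below the highest accepted sequence number a late datagram
// is still accepted (RFC 4303 ESP default; one uint64 bitmap).
const windowSize = 64

// Sender numbers each datagram; the sequence number travels in the clear,
// fills the low bytes of the 12-byte GCM nonce and is authenticated as AAD.
type Sender struct {
	aead cipher.AEAD
	seq  uint64
}

// Receiver: bitmap bit i records whether sequence number highest-i was accepted.
type Receiver struct {
	aead    cipher.AEAD
	highest uint64
	bitmap  uint64
}

// NewPair keys both ends with one AES-256 key (one traffic direction; a real
// link derives a separate key per direction from an authenticated key exchange).
func NewPair(key []byte) (*Sender, *Receiver, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	a, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	return &Sender{aead: a}, &Receiver{aead: a}, nil
}

func nonceFor(a cipher.AEAD, hdr []byte) []byte {
	nonce := make([]byte, a.NonceSize()) // 12 bytes: 4 zero bytes || 8-byte seq
	copy(nonce[len(nonce)-len(hdr):], hdr)
	return nonce
}

// Seal returns seq || ciphertext || tag. Because seq is associated data, a header
// rewritten to dodge the replay window fails the tag check.
func (s *Sender) Seal(plaintext []byte) []byte {
	s.seq++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, s.seq)
	return s.aead.Seal(append([]byte{}, hdr...), nonceFor(s.aead, hdr), plaintext, hdr)
}

// Open runs, in order: the cheap replay pre-check (replays cost no crypto), the
// GCM tag check (integrity plus data-origin authentication), and only then marks
// the sequence number as seen, so a forged header can never poison the window.
func (r *Receiver) Open(datagram []byte) ([]byte, error) {
	if len(datagram) < 8+r.aead.Overhead() {
		return nil, errors.New("datagram too short")
	}
	hdr := datagram[:8]
	seq := binary.BigEndian.Uint64(hdr)
	switch {
	case seq > r.highest: // new high-water mark, always fresh
	case r.highest-seq >= windowSize:
		return nil, errors.New("replay: older than the window")
	case r.bitmap&(1<<(r.highest-seq)) != 0:
		return nil, errors.New("replay: already accepted")
	}
	pt, err := r.aead.Open(nil, nonceFor(r.aead, hdr), datagram[8:], hdr)
	if err != nil {
		return nil, fmt.Errorf("integrity/origin check failed: %w", err)
	}
	if seq <= r.highest { // late datagram inside the window: set its bit
		r.bitmap |= 1 << (r.highest - seq)
		return pt, nil
	}
	if shift := seq - r.highest; shift >= windowSize { // slide the window forward
		r.bitmap = 0
	} else {
		r.bitmap <<= shift
	}
	r.bitmap, r.highest = r.bitmap|1, seq // bit 0 stands for the current highest
	return pt, nil
}

func main() {
	tx, rx, _ := NewPair([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	d1, d2 := tx.Seal([]byte("telemetry #1")), tx.Seal([]byte("telemetry #2"))
	_, e2 := rx.Open(d2)  // arrives first: accepted
	_, e1 := rx.Open(d1)  // late but inside the window: accepted
	_, e1r := rx.Open(d1) // replay: rejected before any crypto runs
	d3 := tx.Seal([]byte("telemetry #3"))
	d3[len(d3)-1] ^= 1 // corrupted tag: rejected by GCM
	_, e3 := rx.Open(d3)
	fmt.Println(e2, e1, e1r, e3)
}
```

The order of checks in Open matters: the replay window is updated only after the tag verifies, otherwise an attacker who can inject datagrams with forged headers could advance the window and cause genuine late datagrams to be dropped. Nonce reuse is avoided because the counter never repeats under one key; a deployment must rekey before the counter wraps and must never share a key across directions.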
An Example OpenFog Network Security Architecture
[Diagram, reconstructed as a list of zones and the controls drawn at each layer, from the cloud down to the plant floor:]
• Zones: Cloud; IT (Enterprise Network); DMZ (Demilitarized Zone); OT (Process, Supervisory Control, Automation); OT Partners & services reached over the Internet
• Cloud-based threat protection; network-wide policy enforcement; Security Information & Event Management (SIEM)
• Enterprise edge (VPN, IPS, NGFW); anti-virus, malware detection; corporate directory, web & email security
• Plant edge (VPN, IPS & remote access); stateful firewall, NGFW; access control
• SIEM, remote services platform; OT policy mgmt, SW, config, AV & asset mgmt.; cyber & physical access control system
• Ruggedized firewall; ruggedized IDS/IPS; segmentation: VLANs, VRFs, ACLs
Cross-cutting themes: Access Control, Threat Detection, Data Privacy, Device Integrity