What is the right way to authenticate IoT devices? What is Security-First software design? What design patterns comply with HIPAA? Those questions and more will be answered in my presentation.
2. Million-user scale, 10000s devices
◦ AWS & Google GCP partner
Secure IoT clouds for device vendors
◦ Device vendors - focus on your core
◦ Customers - global $Bn companies to start-ups
Your trusted advisor - IoT, security, and clouds
About Me and Softimize
7. Company-level standards
ISO 27001 - Information security
◦ ISO 27799 – Health guidelines
ISO 9001 – Quality management
◦ ISO 13485 – Health guidelines
Certification
◦ ~4 months (SMB), ~40 hours overhead
◦ Post overhead - ~10 hours/month
◦ Yearly audit
◦ Consulting companies. ~ILS 30K
The ISOs
8. Health care
◦ Medical devices and much more
American
◦ EU: Data Protection Directive 1995/46/EC
PHI – Protected Health Information
BAA - Business associate agreement
Self declaratory
◦ Audit comes later
HIPAA – a Product-level Standard
9. ◦ DB - RDS (MySQL), DynamoDB, Redshift
◦ Files - EBS, S3, Glacier
◦ Process – EC2, ELB, EMR
◦ Utils – KMS, CloudWatch
◦ DB – CloudSQL, BigQuery, Genomics
◦ Files – Cloud Storage
◦ Process – Compute Engine
◦ Utils – Logging (Beta)
◦ Active Directory, API Management, Automation, Backup, Batch, BizTalk Services, Cloud Services,
DocumentDB, Express Route, HDInsight, Key Vault, Machine Learning, Management Portal, Media
Services, Mobile Services, Multi-Factor Authentication, Notification Hub, Operational Insights, Redis
Cache, RemoteApp, Rights Management Service, Scheduler, Service Bus, Site Recovery, SQL
Database, Storage, StorSimple, Stream Analytics, Traffic Manager, Virtual Machines, Virtual Network,
Visual Studio Team Services, Web Sites, and Workflow Manager.
◦ Compute - SoftLayer
HIPAA & Clouds Architecture
10. REST
Zoom on IoT - What to Secure?
HTTP | MQTT | CoAP | XMPP
IoT
Backend Service
GW
11. Cloud – the ideal
◦ Protects IP
◦ Data Privacy
GW knows only raw signal
No processed info = less risk
Caching on GW is a risk
GW ("fog") – the reality
◦ Offline – Get security policy from cloud and execute
Zoom on IoT – Where to put Data/Logic
13. Security Users/Devices
Data Streaming Vendor Services
Management
Things Building Blocks (TBB™)
Push notifications
Device Interaction
Access Control – IaaS, SaaS
Vendor and cloud provider protection
Encryption, Tenant isolation
Site management – Multi device
Licensing – per Tenant. Trial license
Bulk versioned FW updates
Complex event processing
Real-time, sub second latency
Users | Devices and hierarchies
Back-office, Audit
Analytics – Failures, Usage patterns
Prediction – Churn, Upsell
Discover & Config – w/o wifi | Real time streaming | FW update
Security – Encrypt, Auth | Reduce energy & bandwidth
On Premise
MQTT, HTTP
Cloud Abstraction
Multi Cloud
Abstraction Layers for managed services
NO DevOps-hungry open sources
14. Cloud
◦ Physical
◦ Access control - Policy / role based
System – Cloud & GW
◦ Dedicated servers
◦ Micro services separation based on purpose
◦ App/Data access - User / group / role based
User interface
◦ “Need to know” basis
◦ Re-require password for export/sensitive
Security-First Design
15. Authentication and authenticity
◦ Temporary tokens when possible
Encryption
Validation
Security-First Design - Data in Transit
16. “Need to know” basis
◦ Microservices
◦ DB access Policy
◦ Fully identifiable, pseudonymized anonymized,
fully anonymized
Per-tenant encryption
◦ Key management
◦ DB query of indexed data
Purge when expires (7 years / user request)
Routine integrity checks
Security-First Design - Data at Rest