Eat-out, put together or cook: Web standards for IoT Security
Are standard web technologies enough to build secure IoT systems? How do we design systems that meet the unique operational requirements of this domain? Are these technologies scalable and reliable? Do we need to rethink conventional technology layers in order to design a secure IoT system?
There are unique differences between the security requirements of common web systems and those of an IoT system. These differences determine whether the technology stack should be reused, re-engineered or re-invented in the IoT domain. For example, blacklisting, a common practice used to enforce access control in simple web applications, runs into many practical limitations in an IoT application. The most important distinction between the two is that while in a commercial web design the security chain begins with a user, in an IoT system the security chain may begin with a device, at times a headless one. Unlike fully functional internet devices, nodes in an IoT deployment are defined by the need to enforce security with minimal data and message-passing overhead and optimized resource access. In short, when designing for IoT, we are operating inside an efficient web of connected objects.
In this talk, we will go over the main components of the security stack commonly used today to develop web applications and compare it with what is required for developing secure IoT systems. We will discuss in detail which parts of the former can be applied to the latter, which ones cannot, and why.
We will present a simple use case to understand the challenges of designing security into an IoT system. Let's take a simple device that keeps changing its location and hence its access privileges. How do we establish the trust chain here? How can a CA be used for key pre-distribution in this case? What should be the duration of a certificate's validity? How do we manage the CA and the AA that verifies these devices? Why are SAML assertion certificates better suited for IoT designs? These are some of the important questions we will attempt to answer in this talk. As we do so, we will also go over critical terms like PKI and TLS and understand how they can be applied to secure an IoT deployment.
Staff Software Engineer at GE-Digital
Bhuvana Ramkumar is a Staff Software Engineer at GE-Digital, working on the Applications Security team building out security products and services for its critical Predix IoT platform. Over the past years, she has been a team member at multiple Silicon Valley giants and startups, including Cisco and Aerospike, with a wide variety of hands-on engineering experience ranging from device drivers and smart grids all the way to application security. Prior to that she worked as a cyber forensics researcher in academia on projects funded by the DoD (Department of Defense) at Iowa State University. She is a published author of multiple papers in important security conferences, including INFOCOM and WiSec.
Audience: End-User, Government, Enterprise, Small / Medium Enterprise
Level: Expert, Advanced, Intermediate, Beginner
Role: VP / Director, Middle Management, Technical, Operations
Topics: Security, Software, Threat Prevention, IoT, Cloud, Mobile, Web, Hacks, Exploits
Industries: Telecom, Industrials, Consumer, Government / Public Sector, Automotive
Speaker links: https://www.linkedin.com/in/bhuvaneswari-ramkumar-6332b610 https://twitter.com/predix