© 2017 GlobalPlatform
SUPPORTING PRIVACY AND SECURITY OF THE VIRTUAL ENVIRONMENT
Gil Bernabeu, GlobalPlatform
ETSI IoT week
Session 6: Security and Privacy in IoT
2
IoT Market Forecast
2017 will be the first year that IoT endpoints outnumber IoD endpoints (PCs & Digital Home, and Mobile Devices).
© 2017 ABI Research • www.abiresearch.com
3
IoT Security Focus
GlobalPlatform is focused on affordable IoT security for industrial & consumer deployment
• A single security infrastructure should be leveraged in each deployment, enabling all ecosystem stakeholders to confidentially manage their security parameters.
• Stakeholders involved in all layers of a device or infrastructure component (hardware manufacturer, communication provider, application providers) should be able to leverage on a single security component to satisfy all their requirements.
• IoT diversity requires a range of security solutions to address different security requirements, yet they need to be homogeneously managed:
- Protect safety through tamper resistance for unattended devices (SE)
- Protect privacy from remote attackers through integrated hardware features (TEE)
Protection of digital services
• Through security and functional certification programs, GlobalPlatform enables device manufacturers to market their products as meeting the needs of digital service providers.
Certification of secure
components
• It must be possible to remotely add services or service providers to a device after it is deployed in the field. Similarly, a service subscriber must be able to change service providers.
• All security measures must be sufficiently robust and flexible to support a device’s deployed lifetime.
Secure remote management of digital services
4
Answering to Mass Market Volume
GlobalPlatform Specifications, which are regarded as the industry standard for trusted end-to-end secure deployment and management solutions, offer several features that, if properly leveraged, address the privacy and security concerns of the IoT market:
More than 1 billion TEE-
enabled processors are
shipped per quarter
Over 22 billion
GlobalPlatform certified SEs
are already live in the market
5
One Main Difference with the Computing World
It’s internet All things are connectedOthers may not care about
security
Don’t expect the network to filter
Things are connected to anything
Others things are potential attackers
6
Endpoint Security Principals for IoT Systems
• Uniquely identify every device in the system
– Prevents device cloning and the reuse of device credentials across devices
• Device integrity protection
– Platform integrity through secure boot
– Remote attestation of the platform integrity
• Data protection
– Data in rest, data in use, data in motion
• Mutual authentication prior to communications with any device or cloud software
– Enabling proof of origin of data
7
Endpoint Security Principals for IoT Systems cont…
• Transport level security for all communications
– Ensure data integrity from the origin to the receiving endpoint
• Secure management and monitoring of the device and all it’s components throughout the
entire lifecycle
– Initial provisioning and configuration, managed state transitions
• Access control
– Restrict types of operations in a given state
8
• GlobalPlatform defines End-to-End security as having two trusted endpoints, which ensure
security throughout the entirety of the service delivery process
• One endpoint is a secure component within the IoT or consumer device
• The other endpoint is a secure server in the cloud or the service provider’s back-end system
Defining End-to-End Security
+
9
Different Level of Trust Anchors
GlobalPlatform Secure Components offer various security services to protect assets and
digital services
Root of Trust
Device IDSecure Boot
Device Protection
Isolated Application Execution
Service Protection
Secure Update
Serviceand Device Evolution
GlobalPlatform Secure Components
target different levels of protection
10
Introduction to Network Functions Virtualization (NFV)
The Goal: elimination of specialized network appliancesThe Standards Landscape
https://wikibon.com/network-function-virtualization-or-nfv-explained/
11
Root of Trust (RoT) and NFV
12
YES: RoT Services for IoT and NFV
• RoT services should be deployed in conjunction with NFV to minimize the security risk and threats posed by rogue devices
• VF should detect and use RoT services (device ID, device status, ..)
• RoT is needed in all IoT endpoints and gateways
– Security and privacy
– Connectivity and communication
– Provisioning and management
– Identity verification
• Assurance level
– Discusses the measurements defined to assure the identity that a gateway or endpoint claims
– Supplied by ISO/IEC 29115:2011
Level Description Controls for identity proofing Method of processing1 – Low Little or no confidence in the
claimed or asserted identitySelf-claimed or self-asserted Local or remote
2 – Medium Some confidence in the claimed or asserted identity
Proof of identity through use of identity information from an authoritative source
Local or remote
3 – High High confidence in the claimed or asserted identity
Same as for LoA2 + identity information verification
Local or remote
4 – Very High Very high confidence in the claimed or asserted identity
Proof of identity through use of identity information from multiple authoritative sources + identity information verification + entity witnessed in-person
Local only
THANK YOU