Date post: 29-May-2020
© 2017 GlobalPlatform SUPPORTING PRIVACY AND SECURITY OF THE VIRTUAL ENVIRONMENT Gil Bernabeu, GlobalPlatform ETSI IoT week Session 6: Security and Privacy in IoT

IoT Market Forecast

2017 will be the first year that IoT endpoints outnumber IoD endpoints (PCs & Digital Home, and Mobile Devices).

© 2017 ABI Research • www.abiresearch.com

IoT Security Focus

GlobalPlatform is focused on affordable IoT security for industrial & consumer deployment

Protection of digital services

• A single security infrastructure should be leveraged in each deployment, enabling all ecosystem stakeholders to confidentially manage their security parameters.

• Stakeholders involved in all layers of a device or infrastructure component (hardware manufacturer, communication provider, application providers) should be able to leverage a single security component to satisfy all their requirements.

• IoT diversity requires a range of security solutions to address different security requirements, yet they need to be homogeneously managed:

- Protect safety through tamper resistance for unattended devices (SE)

- Protect privacy from remote attackers through integrated hardware features (TEE)

Certification of secure components

• Through security and functional certification programs, GlobalPlatform enables device manufacturers to market their products as meeting the needs of digital service providers.

Secure remote management of digital services

• It must be possible to remotely add services or service providers to a device after it is deployed in the field. Similarly, a service subscriber must be able to change service providers.

• All security measures must be sufficiently robust and flexible to support a device’s deployed lifetime.

Answering to Mass Market Volume

GlobalPlatform Specifications, which are regarded as the industry standard for trusted end-to-end secure deployment and management solutions, offer several features that, if properly leveraged, address the privacy and security concerns of the IoT market:

• More than 1 billion TEE-enabled processors are shipped per quarter

• Over 22 billion GlobalPlatform certified SEs are already live in the market

One Main Difference with the Computing World

• It’s internet

– Don’t expect the network to filter

• All things are connected

– Things are connected to anything

• Others may not care about security

– Other things are potential attackers

Endpoint Security Principles for IoT Systems

• Uniquely identify every device in the system

– Prevents device cloning and the reuse of device credentials across devices

• Device integrity protection

– Platform integrity through secure boot

– Remote attestation of the platform integrity

• Data protection

– Data at rest, data in use, data in motion

• Mutual authentication prior to communications with any device or cloud software

– Enabling proof of origin of data

Endpoint Security Principles for IoT Systems cont…

• Transport level security for all communications

– Ensure data integrity from the origin to the receiving endpoint

• Secure management and monitoring of the device and all its components throughout the entire lifecycle

– Initial provisioning and configuration, managed state transitions

• Access control

– Restrict types of operations in a given state

Defining End-to-End Security

• GlobalPlatform defines End-to-End security as having two trusted endpoints, which ensure security throughout the entirety of the service delivery process

• One endpoint is a secure component within the IoT or consumer device

• The other endpoint is a secure server in the cloud or the service provider’s back-end system

Different Levels of Trust Anchors

GlobalPlatform Secure Components offer various security services to protect assets and digital services

Root of Trust

Device ID, Secure Boot

Device Protection

Isolated Application Execution

Service Protection

Secure Update

Service and Device Evolution

GlobalPlatform Secure Components target different levels of protection

Introduction to Network Functions Virtualization (NFV)

The Goal: elimination of specialized network appliances

The Standards Landscape

https://wikibon.com/network-function-virtualization-or-nfv-explained/

Root of Trust (RoT) and NFV

YES: RoT Services for IoT and NFV

• RoT services should be deployed in conjunction with NFV to minimize the security risk and threats posed by rogue devices

• VF should detect and use RoT services (device ID, device status, ...)

• RoT is needed in all IoT endpoints and gateways

– Security and privacy

– Connectivity and communication

– Provisioning and management

– Identity verification

• Assurance level

– Discusses the measurements defined to assure the identity that a gateway or endpoint claims

– Supplied by ISO/IEC 29115:2011

| Level | Description | Controls for identity proofing | Method of processing |
|---|---|---|---|
| 1 – Low | Little or no confidence in the claimed or asserted identity | Self-claimed or self-asserted | Local or remote |
| 2 – Medium | Some confidence in the claimed or asserted identity | Proof of identity through use of identity information from an authoritative source | Local or remote |
| 3 – High | High confidence in the claimed or asserted identity | Same as for LoA2 + identity information verification | Local or remote |
| 4 – Very High | Very high confidence in the claimed or asserted identity | Proof of identity through use of identity information from multiple authoritative sources + identity information verification + entity witnessed in-person | Local only |

THANK YOU

