The document provides an agenda for a presentation on access management for the Internet of Things. The agenda includes introducing identity for IoT, security challenges for IoT, how Oracle Access Management 11gR2 can secure access for IoT, a customer case study, and a demo. Key topics that will be covered are introducing composite identities for devices, services, and users in IoT; securing communication between people, things, and APIs; and leveraging social networks, mobile access, OAuth, and gateways to manage access and identities for IoT applications and use cases.
3. Program Agenda
• Introducing Identity for the Internet of Things
• Security Challenges for the Internet of Things
• Oracle Access Management 11gR2 - Securing access for the Internet of Things
• Customer Case Study
• Demo
• Q&A
5. Internet of Things
Internet of Things
• Refers to the general idea of things, including everyday objects, that are:
  • Readable/recognizable
  • Locatable/addressable
  • Controllable
  • Communicable
6. Identity for the Internet of Things
Composite Identities
• Identity as a communication endpoint:
  • User
  • Service
  • Device
  • Software Module
  • Sensor
• User identities are tied to Things based on:
  • Interaction
  • Context
7. Identity for the Internet of Things
Social Networks
• Connect, Communicate, Share
• Use public or private social networks
• Link physical and virtual Things, services, devices, APIs
• Allow reacting to events
8. Identity for the Internet of Things
Securing the “Smart Toaster”
• Securing Autonomous Independent Things
• Context Aware Authentication
• Securing Communication
  • Person to Thing Communication
  • Thing to Thing Communication
10. Security is a Barrier for Adoption of IoT
“The horizontal evolution of M2M will require full end-to-end security. Significant efforts need to be invested into M2M application security in order for the M2M market to fully evolve. Whether this is through open source initiatives or standards development, the demand for increased M2M application security will have to be answered, and sooner rather than later.”
ABI Research, M2M Dream Challenged by Alarming Security Concerns, Feb 2013
• 40% of embedded systems and applications developers have not proactively addressed security in existing development projects
• 30% median CAGR growth (2011-2014) in shipments of security solutions for industrial automation, medical devices, consumer electronics, automotive and retail
Source: VDC Research, Strategic Insights 2012: Embedded Software & Tools Market, Security Development & Runtime Solutions
11. Challenges in IoT Security
Control
• What protection measures are possible as thousands of intelligent things cooperate with other real and virtual entities in random and unpredictable ways?
• How do you ensure security given IoT’s highly distributed nature and use of fragile technologies, such as limited-function embedded devices?
• How do you leverage investments in existing internet security technologies for the highly fragmented IoT networks?
• How can you define and enable trust in a dynamic IoT network with weak trust links between network nodes?
Access
• Typical challenges for IoT service providers
12. Key IoT Security Requirements
Areas: Onboarding & Enrollment; Authentication & Authorization; Device Metadata & Control; Policy & Key Management; Application Management & Provisioning
• Mutual authentication between devices and server
• Confidentiality of data transfer over multi-protocol networks
• Device data management
• Governance of trust relationships in IoT networks
• Device applications provisioning & management
25. Example Login Flow – Native App with OAM
Sequence diagram (flattened in extraction). Participants: Client App (Mobile), Security App (Mobile, with the Oracle SDK), Mobile and Social Server (Server).
1. Client App requests an access token.
2. Security App: if a valid token is in the local credential store, return it to the Client App; else continue below.
3. Validates device tokens.
4. Security App extracts device attributes and ID contexts.
5. Security App presents the login page, accepts username/password, and makes the authentication call with user/password, device attributes and device tokens.
• Mobile and Social Server: registers the device/app if unregistered; authenticates with the OAM Server; publishes ID context to the OAM Server and OES for authorization decisions; invokes OAAM for risk analysis; responds with user/access tokens.
• Security App stores the user/access token and returns the token to the Client App.
• Client App uses the token to make calls to the server application protected by OAM.
33. Oracle Fusion Middleware
Business Innovation Platform for the Enterprise and Cloud
Complete and Integrated; Best-in-class; Open standards; On-premise and Cloud; Foundation for Oracle Fusion Applications and Oracle Cloud
• User Engagement: Web, Social, Mobile
• Business Process Management
• Content Management
• Service Integration
• Business Intelligence
• Data Integration
• Identity Management
• Development Tools
• Cloud Application Foundation
• Enterprise Management
The concept of the Internet of Things includes network-enabling virtually any type of product or machinery so that data about the object can be captured and communicated. In effect, these networked Things become "smart objects" that can become part of the Internet and active participants in business processes. The Internet of Things describes a world where humans are surrounded by machines that communicate with each other and with them. People need an understanding of this multi-device environment, and the network needs a representation of “who” the user is. The Internet of Things defines a virtual identity as the endpoint of communication, independent of the device, allowing users to interact with several devices, seamlessly, under one name. The user may have several virtual identities to represent the different personas and aspects of their service usage.
Identities may represent entities of all kinds, including persons, devices and software. The Internet of Things defines two types of identities:
• an Identinet, where identities are at the end point of all communications. These identities may represent entities of all kinds, including persons, devices and software.
• a digital shadow (also called a virtual identity or a composite identity), which represents the digital shadow of entities in the digital world. The digital shadow designates the concept of entities using services, nodes, equipment and infrastructure in a specific context, which allows users to attach their identity to a Thing (a service, node or infrastructure) based on their interaction with that Thing. By attaching a user identity to a Thing based on the user’s usage of the Thing, users attach multiple entry points into the physical Internet without losing a consistent view of that data.
Users have many-to-many relationships with Things. For example, many cars in the family: all family members drive all cars, but each has specific privileges with their own individual cars. Other common scenarios include rental cars, or service equipment that is shared by several field employees.
In a social network, individuals only connect (1) with those they know AND (2) with those who are interested in following their activity, without the expectation of reciprocation. In the above description: (1) is relevant to the Internet of Things, as people not only share relations with friends, but also have relations to Things: favorite books, movies, gadgets, items, products, food, devices, automobiles… (2) is very relevant to the Internet of Things, as it allows building a technical publish/subscribe type of network where various sensors and actuators post their state. For example, Twitter is a commonly used online social network that allows plugins (publishers/subscribers) to post events from selected sensors to Twitter and to listen for Tweets from devices they are interested in: the washing machine tweeting when it has done its job, the stereo telling the world about the music you are listening to, or the mobile phone announcing the calls you have made recently.
Most Things on the Internet are Autonomous Independent Things, i.e. they (1) don’t require another device (such as a smartphone or web service) to function, and (2) are able to sense context and to autonomously interact with other things, sensors, and services. The graphic depicts a WiFi-enabled toaster that makes light fun of this. However, consider the “Smart” refrigerator:
• Stage 1: Non-autonomous, i.e. provides value to users through interaction with other devices such as smartphones: the refrigerator owner scans cartons of milk with his smartphone, which triggers a reminder when the milk expires.
• Stage 2: Partially autonomous: the refrigerator detects the milk on its own and issues reminders across a broader range of connected apps.
• Stage 3: Autonomous Independent: the refrigerator orders replacement milk just before it’s empty or expires, entirely on its own.
OAM provides an easy framework for applications to connect and integrate with social networks. OAM Social also provides out-of-the-box trust integration for social logins (used for initial authentication, with step-up for anything else). Built-in integration with Federation provides linking of local accounts to social accounts, and new capabilities such as OAuth server support provide the ability to build private social networks while still leveraging public OAuth servers such as Facebook or Twitter, and OpenID authentication via Google.
Oracle Adaptive Access Manager
• Device Fingerprinting and Registration Database
• Risk-Based Authentication that Factors Mobile Context
Oracle Application Gateway
• Enables Mobile Application REST APIs and protects APIs, web services, and SOA infrastructure from external threats and invalid / suspicious requests
• Extends Access Management with authentication, authorization, audit to REST APIs, web services
Oracle Entitlement Server
• Make Authorization Decisions and Redact Data based on User, Mobile, or any other Context
• Externalize Authorization Policies from Application Code
Oracle Access Management: Mobile & Social (Mobile Identity and Access Gateway)
• Authentication, Registration, and User Profile Services for Mobile
Oracle Web Services Manager
• Last mile security for an organization’s backend web services and SOA infrastructure
• Embedded agents
Native Mobile Security SDK
• Native Login Screens / Secure Credential Storage
• Easy Integration w/ SSO and Web Services Security
Native Mobile Security Apps
• Login App for Native and Web Apps Providing Device Context
• Native White Pages App Integrated w/ User Profile Services
Consider using OAM, OAM M&S and OAG to validate and secure JWT tokens during the various REST invocations for service-to-service interactions between the apps on the vehicle, the dealer, the vendor and the user. Several of these services are invoked from native mobile apps on the vehicle, at the dealer or by the user. The tokens are validated with policies configured on Oracle M&S that include device registration and device fingerprinting.
Uses the OAuth 2.0 client credentials grant flow: the client is also the resource owner. The client credentials grant uses the client’s own credentials as the authorization grant, which makes sense when the client is also the resource owner. The following sequence diagram shows the successful process.
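As an added illustration of the two slides above (not code from the presentation or from any Oracle product), the following stand-alone Python models a client_credentials token endpoint that issues an HS256 JWT and a gateway-side validator that enforces signature, audience, expiry and a device-registration policy; the client registry, device set, key and audience are constructed sample values, and the Oracle M&S policy engine is replaced by a plain set lookup.

```python
import base64, hashlib, hmac, json, time

# Constructed sample registries (not Oracle's data model): the client store of the
# token endpoint and a registered-device set that stands in for M&S device registration.
CLIENTS = {"vehicle-telematics": hashlib.sha256(b"s3cret-vehicle").hexdigest()}
REGISTERED_DEVICES = {"vin-1HGCM82633A004352"}
SIGNING_KEY = b"demo-hmac-key-not-for-production"   # assumed shared HS256 key
AUDIENCE = "dealer-service-api"                      # assumed audience of the protected API

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(client_id, client_secret, device_id, now=None, ttl=300):
    """Token endpoint for the client_credentials grant: the client is the resource
    owner, so only its own credentials are checked before a JWT is issued."""
    now = now or int(time.time())
    supplied = hashlib.sha256(client_secret.encode()).hexdigest()
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, supplied):
        return None  # OAuth error: invalid_client
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "mobile-social-server", "sub": client_id, "aud": AUDIENCE,
              "iat": now, "exp": now + ttl, "device_id": device_id}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_token(token, now=None):
    """Gateway / resource-server side. Returns (claims, "ok") or (None, reason).
    The signature is verified with the server's own key and a fixed algorithm;
    the header's 'alg' value is never used to choose the algorithm."""
    now = now or int(time.time())
    try:
        h, c, s = token.split(".")
        sig, claims = b64url_decode(s), json.loads(b64url_decode(c))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None, "malformed"
    expected = hmac.new(SIGNING_KEY, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad_signature"
    if claims.get("aud") != AUDIENCE:
        return None, "wrong_audience"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("device_id") not in REGISTERED_DEVICES:  # device registration policy
        return None, "device_not_registered"
    return claims, "ok"
```

A token whose device_id is not in the registry is rejected at the API even though it carries a valid signature, which is the point of validating tokens against device registration rather than signature alone.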
Username and Password
Social Logon
Step-up Auth and OTP can be applied:
• first time with this device (device registration)
• sensitive application
• high risk score
• user with high level of access to application
Mobile Application Access Security
• Integrates native mobile apps, mobile web with corporate systems & information
• Access management, authorizations, API security, and fraud detection
• Device context based fine grained authorization
• Support for iOS Mobile Device Security Elements
  • Device security – jailbreak detection at login
  • Device lifecycle – white-list/blacklist/lost device management
  • Device fingerprinting
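The step-up conditions and the device lifecycle controls listed in the two slides above can be combined into one login decision; the Python below is an added example (not Oracle's policy engine or data model) that applies device blocking before step-up, with constructed sample registries and an assumed risk threshold standing in for OAAM's scoring.

```python
from dataclasses import dataclass

# Constructed sample registries (not Oracle's data model): white-list/blacklist/lost
# device lists from the slide, a registered-device set and a sensitive-app set.
REGISTERED = {"dev-a1"}
BLACKLISTED = {"dev-bad"}
LOST = {"dev-lost"}
SENSITIVE_APPS = {"payroll"}
RISK_THRESHOLD = 70  # assumed threshold; the real OAAM scoring is not shown on the page

@dataclass
class LoginContext:
    user: str
    device_id: str
    app: str
    risk_score: int            # 0-100, as a risk engine such as OAAM would return
    jailbroken: bool = False   # jailbreak detection result at login
    privileged_user: bool = False

def decide(ctx: LoginContext):
    """Return (decision, reasons) with decision in {'deny', 'step_up', 'allow'}.
    Device lifecycle checks come first: an OTP cannot make a lost, blacklisted
    or jailbroken device trustworthy, so those never reach step-up."""
    if ctx.device_id in BLACKLISTED or ctx.device_id in LOST:
        return "deny", ["device_blocked"]
    if ctx.jailbroken:
        return "deny", ["jailbreak_detected"]
    reasons = []
    if ctx.device_id not in REGISTERED:
        reasons.append("first_time_device")
    if ctx.app in SENSITIVE_APPS:
        reasons.append("sensitive_application")
    if ctx.risk_score >= RISK_THRESHOLD:
        reasons.append("high_risk_score")
    if ctx.privileged_user:
        reasons.append("high_level_of_access")
    return ("step_up" if reasons else "allow"), reasons

def complete_step_up(ctx: LoginContext, otp_ok: bool) -> bool:
    """A successful OTP registers the device, so the first-time-device rule no
    longer fires for it; the other step-up rules still apply on later logins."""
    if otp_ok:
        REGISTERED.add(ctx.device_id)
    return otp_ok
```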
With Fusion Middleware, you can extend and maximize your existing technology investment with the same technologies used in Fusion Applications, including embedded analytics and social collaboration, and mobile and cloud computing. Oracle’s complete SOA platform lets your IT organization rapidly design, assemble, deploy, and manage adaptable business applications and—with Oracle’s business process management tools—even bring the task of modeling business processes directly to the business analysts. Oracle Business Intelligence foundation brings together all your enterprise data sources in a single, easy-to-use solution, delivering consistent insights whether it’s through ad hoc queries and analysis, interactive dashboards, scorecards, OLAP, or reporting. And, your existing enterprise applications can leverage the rich social networking capabilities and content sharing that users have come to expect in consumer software. Oracle Fusion Middleware is based on 100 percent open standards, so you aren’t locked into one deployment model when your business requirements change.