The Internet of Things presents both a challenge and opportunity for identity management - a challenge because existing mechanisms for authentication & authorization must be extended and adapted for the particular constraints of devices (both legacy and new) and an opportunity because the devices that users more and more carry with them offer new abilities to enable a more seamless authentication experience for those users. Both of these aspects demand a consistent, cohesive and interoperable identity layer across IoT verticals, platforms, and protocols. Critically, we need an identity layer that acknowledges the full continuum of risk (and so appropriate security measures) that the IoT presents. Good security means knowing who entities (both device & user) are and what they should or should not be allowed to do. Good privacy requires that users will be able to control how their devices collect, store and share data. This talk will examine how existing & new tools (like OAuth, UMA, FIDO, and DLTs) may help meet these fundamental requirements for securing the IoT. (Source: RSA Conference USA 2018)

1. #RSAC

5. #RSAC

8. ThingThing

10. ThingThing Edge
Gateway
Edge
Gateway
ThingThing

12. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

13. Business Intelligence
Business IntelligenceRules / Analytics
Device Management
Cut costs
Create value
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

14. Business Intelligence
Rules / AnalyticsRules / Analytics
Device Management
Find information
in data then act
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

15. Business Intelligence
Device ManagementRules / Analytics
Device Management
Maintain Things
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

16. Business Intelligence
Directory / RegistryRules / Analytics
Device Management
Enrol Authorized
Users & Things
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

17. Business Intelligence
Authentication & AuthorizationRules / Analytics
Device Management
Set and Enforce
Policy
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

18. Business Intelligence
Cloud GatewayRules / Analytics
Device Management
Ingest data
from known sources
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

19. Business Intelligence
Edge GatewayRules / Analytics
Device Management
Connect
Local Things
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

20. Business Intelligence
Thing IdentityRules / Analytics
Device Management
Secure
Thing to Cloud
Relationship
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

21. Business Intelligence
Code ProtectionRules / Analytics
Device Management
Protect
Application
Secrets & Integrity
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

22. Business Intelligence
Operating SystemRules / Analytics
Device Management
Privilege
Separation
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

23. Business Intelligence
Comms ModuleRules / Analytics
Device Management
Secure
Communication
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

24. Business Intelligence
Embedded FirmwareRules / Analytics
Device Management
Secure Boot
Runtime Integrity
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

25. Business Intelligence
Silicon ChipRules / Analytics
Device Management
Resist Tampering
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

26. Business Intelligence
Security BlocksRules / Analytics
Device Management
Embedded
Cryptography
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

27. Business Intelligence
Processor ArchitectureRules / Analytics
Device Management
Isolate
Sensitive Assets
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture

28. #RSAC#RSAC

29. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
Social
Traffic
Hack

30. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
Thermostat

31. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
Stranded
Driver

32. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
Mirai botnet
Open ports

33. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
ZLL shared
signing key

34. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
KRACK

35. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
Debug

36. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
ROCA

37. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture CLKSCREW, SPECTRE
Side channel analysis or fault injection

38. secure
“Things are only impossible
until they are not”

40. Safety = Safety(Security)

42. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
Social
Traffic Hack
Thermostat
Stranded
Driver
Mirai botnet
ZLL shared
signing key
Open ports
KRACK
ROCA
CLKSCREW
Debug

43. #RSAC
Worried?

44. #RSAC#RSAC

45. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
Strong ID
Secure
by
Design
Chipset

46. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
Strong ID
Secure
by
Design
Chipset
Granular
Updates

47. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
Strong ID
Secure
by
Design
Chipset
Hybrid
Identity
Access
Mgmt
Granular
Updates

48. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
Assured
Intelligence
Strong ID
Secure
by
Design
Chipset
Hybrid
Identity
Access
Mgmt
Granular
Updates
Clean data will:
“restore […] a democratic system based on knowledge, based on facts and truth”

49. Business Intelligence
Rules / Analytics
Device Management
Directory / Registry
AuthN & AuthZ
Cloud Gateway
Edge Gateway
Thing Identity
Code Protection
Operating System
Comms Module
Embedded Firmware
Silicon Chip
Security Blocks
Processor Architecture
Identity
Access
Management
Thing
Security
IoT
Platform
Device
Mgmt
ARM
mbed cloud
mbed uVisor
mbed OS
mbed cloud
provision
mbed cloud
Certificate
Authority
eSIM
&
Trusted
Platform
Modules
Thing
Platform

50. #RSAC
IoT Client Application(s)
Sensor
Digital
Conversion
Physical property Identity
Crypto &
Keys
Tamper-
proof store
Data
Microcontroller Bus
Microcontroller + ROM, RAM and FLASH
OS
Network
Interface
Antenna /
Cable

51. #RSAC
Secure Key Store
Secure JTAG
Secure Flash Storage
Thing Manufacturer Thing User
Hardware Architecture
Identity toolkits
Trusted Environments
Secure Boot Loaders
Software Development
Design RFIs
Vendor Selection
Plan / Prototype

52. #RSAC
Secure Key Store
Secure JTAG
Secure Flash Storage
Thing Manufacturer Thing User
Hardware Architecture
Identity toolkits
Trusted Environments
Secure Boot Loaders
Software Development
Encrypted software
HSM Certificate creation
Secure Manufacturing
Provenance checking
Applying Updates
Installation
Attestation
Registration
Authentication
Enrol
Design
Deploy
RFIs
Vendor Selection
Plan / Prototype

53. #RSAC
Secure Key Store
Secure JTAG
Secure Flash Storage
Thing Manufacturer Thing User
Hardware Architecture
Identity toolkits
Trusted Environments
Secure Boot Loaders
Software Development
Encrypted software
HSM Certificate creation
Secure Manufacturing
Vulnerability tracking
Firmware signing
Authorized updates
Secure Updates
Provenance checking
Applying Updates
Installation
Attestation
Registration
Authentication
Enrol
Authorization
Session Establishment
Token Binding
Operation
Availability assessment
Authorized patching
Secure Updates
Design
Deploy
Operate and Maintain
RFIs
Vendor Selection
Plan / Prototype

54. #RSAC
Secure Key Store
Secure JTAG
Secure Flash Storage
Thing Manufacturer Thing User
Hardware Architecture
Identity toolkits
Trusted Environments
Secure Boot Loaders
Software Development
Encrypted software
HSM Certificate creation
Secure Manufacturing
Vulnerability tracking
Firmware signing
Authorized updates
Secure Updates
Provenance checking
Applying Updates
Installation
Attestation
Registration
Authentication
Enrol
Authorization
Session Establishment
Token Binding
Operation
Availability assessment
Authorized patching
Secure Updates
Design
Deploy
Operate and Maintain
Retire Revoke Certificates
Notice to Users
End-of-Life / Recall
Deauthorize
Deactivate
Destroy Identities
Decommission
RFIs
Vendor Selection
Plan / Prototype

55. #RSAC
Device Shadows
IoT Platform
Gateway
Device Registry
User Directory
Data stream processing
IoT Application
Gateway
Edge
Gateway
Internet Thing
Networked
Thing
Device Management
Storage
Analytics
Machine Learning
IoT Application
IoT Client
IoT Client
API Token
Inspection
API Token
Inspection
Data Governance
Authentication
Authorization
Accounting
Connectivity Management Application
Identity
Federation

56. #RSAC

57. #RSAC

58. Internet of Things wants
YOU

59. #RSAC

60. #RSAC

61. #RSAC#RSAC