6. My three rules for IoT security
• 1. Don’t be dumb
• 2. Think about what’s different
• 3. Do be smart
7. My three rules for IoT security
• 1. Don’t be dumb
– The basics of Internet security haven’t gone away
• 2. Think about what’s different
– What are the unique challenges of your device?
• 3. Do be smart
– Use the best practice from the Internet
12. So what is different about IoT?
• The fact there is a device
– Yes – its hardware!
– Ease of use is almost always at odds with security
• The longevity of the device
– Updates are harder (or impossible)
• The size of the device
– Capabilities are limited – especially around crypto
• The data
– Often highly personal
• The mindset
– Appliance manufacturers don’t always think like security experts
– Embedded systems are often developed by grabbing existing chips, designs, etc.
13. Physical Hacks
A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
Karsten Nohl and Henryk Plotz, MIFARE, Little Security, Despite Obscurity
22. Crypto on small devices
• Practical Considerations and Implementation Experiences in Securing Smart Object Networks
– http://tools.ietf.org/html/draft-aks-crypto-sensors-02
36. Why Federated Identity for Things?
• Enable a meaningful consent mechanism for sharing of device data
• Giving a device a token to use on API calls is better than giving it a password
– Revokable
– Granular
• May be relevant for both
– Device to cloud
– Cloud to app
• “Identity is the new perimeter”
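The token-versus-password point on this slide, as an added worked example that is not from the original deck and not WSO2 code. It issues a device a compact, HMAC-signed token carrying a subject, a scope list, an expiry and a token id, then shows the resource-server check: signature, expiry, revocation and scope, in that order. A stolen token therefore buys only the listed scopes until it expires or is revoked, while the device's other tokens keep working; a leaked password would have granted everything the device can do. The signing key, the scope names and the in-memory revocation set are assumptions for the example (a deployment would use a proper token service and persist revocations).

```python
"""Scoped, expiring, revocable device tokens instead of a device password.

Added example (not from the slides). Uses an HMAC-signed, JWT-like compact
token so it runs with the standard library only; the key, scope names and
in-memory revocation set are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: key held only by the token service and the resource server.
SIGNING_KEY = b"example-only-server-side-hmac-key"

# Revocation list keyed by token id (jti). A real deployment persists this.
_revoked_ids = set()


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding (the token alphabet never contains '.')."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(device_id, scopes, ttl_seconds=3600, now=None):
    """Issue one token bound to a device, a scope list and an expiry time."""
    now = time.time() if now is None else now
    claims = {
        "sub": device_id,
        "scope": sorted(scopes),          # granular: only what this token may do
        "exp": int(now + ttl_seconds),    # short-lived by construction
        "jti": secrets.token_hex(8),      # unique id so a single token can be revoked
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def revoke_token(token):
    """Admin-side revocation of one token; the device's other tokens stay valid."""
    body, _sig = token.split(".")
    _revoked_ids.add(json.loads(_unb64(body))["jti"])


def authorize(token, required_scope, now=None):
    """Resource-server check. Returns (allowed, reason_or_subject).

    Order matters: verify the signature before trusting any claim, then
    expiry, then revocation, and only then the scope for this API call.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"      # tampered scope/expiry lands here
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        return False, "expired"
    if claims["jti"] in _revoked_ids:
        return False, "revoked"
    if required_scope not in claims["scope"]:
        return False, "insufficient scope"
    return True, claims["sub"]


if __name__ == "__main__":
    # Constructed walk-through: a thermostat may only write telemetry.
    t = issue_token("thermostat-42", ["telemetry:write"])
    print(authorize(t, "telemetry:write"))   # allowed
    print(authorize(t, "firmware:read"))     # insufficient scope
    revoke_token(t)
    print(authorize(t, "telemetry:write"))   # revoked
```

Compare this with a device password: revoking it means re-provisioning the device, and there is no way to limit a leaked password to one API. With tokens the cloud can hand each device (and each cloud-to-app integration on the same slide) exactly the scopes it needs and cut a single credential off without touching the rest.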
39. What is WSO2 Identity Server?
An Open Source Identity and Entitlement Management Server
• Apache Licensed
• LDAP, JDBC, Active Directory, SCIM, SPML
• SAML2, OpenID Connect, WS-Trust, Kerberos
• OAuth 1.0/2.0, XACML 2.0, XACML 3.0
• XDAS, Web Console, SOAP Admin
• Multi-tenant, Clusterable, HA, 24x7 support
40. Other WSO2 technology to help you
• WSO2 BAM – monitoring
• WSO2 CEP – realtime fraud detection
• WSO2 API Manager – securing API endpoints