PowerPoint presentation transcript (30 pages; posted 03-Aug-2018)

Page 1: Presentación de PowerPoint - download.microsoft.comdownload.microsoft.com/documents/es-es/IoT/IoT-Security-Risky... · C2D send endpoint, receive delivery ack Event processing (hot

Microsoft Azure

IoT Connect 2017

¿Risky things? Con la seguridad no se juega

Juan Manuel Servera – IoT evangelist

#IoTconnect

Page 2

Page 3

Page 4

Page 5

Page 6

https://bdtechtalks.com/2016/07/12/iot-botnets-might-be-the-cybersecurity-industrys-next-big-worry/

Page 7

White, Gregory: Security+ Certification All-in-One Exam Guide, McGraw-Hill, 2003, p. 388.

Page 8

What Securing the Internet of Things Means for CISOs 4/11/2014

Page 9

• Best Practice: IT and OT engineers collaborate in making “cyberphysical” systems safe and secure.

OT engineers know how to make physical things safe and secure:

• Standards, Procedures, Training, Continuous Improvement

• Physical access management

• Hazard and Risk Analysis

• Monitoring and Maintenance

• Fail Safe and Safety Equipment

IT engineers know how to make digital things secure:

• Secure Development Lifecycle

• Secure Network Technologies

• Threat & Vulnerability Mitigation

• Monitoring and Alerting

• Software/Firmware Auto-Updates

• Privacy Models

Page 10

Page 11

Manageable Firmware

• Hold while I reboot the elevator!

• Modern Asset Lifecycle

  • Corporate policies for IT assets do not apply in the same way to IoT devices

  • Maintenance plans integrate with operational concerns

• Health and Vulnerability Assessment

  • Device health includes physical asset assessment

  • Analyses must balance risk vs operational performance

Page 12

Page 13

WINDOWS 10 IOT EDITIONS

Windows 10 IoT Enterprise (Windows 10 Enterprise for IoT devices)

• Enterprise manageability and security

• Rich user experience

• Win32 & UWP

• 2 GB RAM, 16 GB storage | x86

Windows 10 IoT Mobile (Windows 10 Mobile for IoT devices)

• Handheld devices

• Modern shell & UWP

• Lockdown and multi-user support

• ARM, UWP

• 1 GB RAM, 4 GB storage | ARM

Windows 10 IoT Core (Pro) (Windows 10 for IoT devices)

• Optimized for small & low-cost IoT devices

• Single UWP app experience

• Low-cost silicon

• 256 MB RAM, 2 GB storage | x86 or ARM

Page 14

TRUSTED PLATFORM FOR CLOUD-CONNECTED DEVICES

PROTECT DEVICES

• SECURE BOOT

• TRUSTED BOOT

• WINDOWS DEFENDER ATP

• DEVICE GUARD

• ADVANCED LOCKDOWN

PROTECT DATA

• BITLOCKER

• TPM

• WINDOWS INFORMATION PROTECTION (WIP)

PROTECT IDENTITIES

• CREDENTIAL GUARD

• WINDOWS HELLO

*Purple highlighted features are available in Windows 10 IoT Core (Pro)

Page 15

Secure Key handling

• Windows 10 IoT uses TPM 2.0 to handle Azure IoT credentials

• Credential storage is platform independent and SW update resistant

• Support for discrete TPMs and firmware TPMs

• Access key provisioning tools for rapid prototyping (IoT Dashboard, Device Portal)
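As an added illustration (not code from this deck, from Microsoft, or from the Azure SDKs), the Python below shows what the Azure IoT credential held by the TPM is actually used for: signing a device-scoped shared access signature (SAS) token with HMAC-SHA256 over the URL-encoded resource URI and an expiry time, and the matching service-side check that recomputes the HMAC, compares it in constant time and rejects expired tokens. The HMAC step is the one a TPM-backed device performs inside the chip, so the decoded key never sits in host memory; here it is done in software so the example runs anywhere. The hub name, device id and keys are constructed sample values, not real credentials.

```python
import base64
import hashlib
import hmac
import time
from typing import Callable, Dict
from urllib.parse import quote, unquote

# Constructed sample values (hypothetical hub and device, not real credentials).
# IoT Hub presents a device symmetric key base64-encoded; here it is 32 bytes of 0x01.
SAMPLE_HUB = "example-hub.azure-devices.net"
SAMPLE_DEVICE_ID = "device-001"
SAMPLE_KEY_B64 = base64.b64encode(b"\x01" * 32).decode()
# A second constructed key, used only to show that a token signed with the
# wrong key fails verification.
SAMPLE_WRONG_KEY_B64 = base64.b64encode(b"\x02" * 32).decode()


def sign_in_software(key_b64: str, string_to_sign: str) -> bytes:
    """HMAC-SHA256 over the string-to-sign with a key held in host memory.

    On a TPM-backed device this is the step that moves into the TPM: the
    decoded key never leaves the chip and software only sees the result.
    """
    key = base64.b64decode(key_b64)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()


def build_device_sas_token(hub: str, device_id: str, expiry: int,
                           signer: Callable[[str], bytes]) -> str:
    """Assemble a device-scoped IoT Hub SAS token.

    Format: 'SharedAccessSignature sr=<url-encoded resource URI>&sig=<url-encoded
    base64 HMAC>&se=<unix expiry>'. The signed string is '<encoded URI>\\n<expiry>'.
    'signer' returns the raw HMAC; a TPM-backed implementation would delegate
    that call to the hardware instead of sign_in_software.
    """
    resource_uri = f"{hub}/devices/{device_id}"
    encoded_uri = quote(resource_uri, safe="")
    string_to_sign = f"{encoded_uri}\n{expiry}"
    signature_b64 = base64.b64encode(signer(string_to_sign)).decode()
    return (f"SharedAccessSignature sr={encoded_uri}"
            f"&sig={quote(signature_b64, safe='')}&se={expiry}")


def parse_sas_token(token: str) -> Dict[str, str]:
    """Split a SAS token into its sr / sig / se fields (values left URL-encoded)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    fields: Dict[str, str] = {}
    for part in token[len(prefix):].split("&"):
        name, _, value = part.partition("=")
        fields[name] = value
    return fields


def verify_device_sas_token(token: str, key_b64: str, now: int) -> bool:
    """Service-side check of a device SAS token.

    Recomputes the HMAC from the registered device key, compares it in
    constant time, and rejects tokens whose expiry is not in the future.
    """
    try:
        fields = parse_sas_token(token)
        encoded_uri = fields["sr"]
        expiry = int(fields["se"])
        presented_sig = unquote(fields["sig"])
    except (ValueError, KeyError):
        return False
    if expiry <= now:
        return False
    expected_sig = base64.b64encode(
        sign_in_software(key_b64, f"{encoded_uri}\n{expiry}")).decode()
    return hmac.compare_digest(expected_sig, presented_sig)


if __name__ == "__main__":
    now = int(time.time())
    token = build_device_sas_token(
        SAMPLE_HUB, SAMPLE_DEVICE_ID, now + 3600,
        lambda s: sign_in_software(SAMPLE_KEY_B64, s))
    print(token)
    print("valid with device key:", verify_device_sas_token(token, SAMPLE_KEY_B64, now))
    print("valid with wrong key: ", verify_device_sas_token(token, SAMPLE_WRONG_KEY_B64, now))
```

The `signer` callable is the seam where the slide's point lands: in the software variant the base64-decoded key is visible to any process that can read the device's memory or file system, whereas a TPM-backed signer hands the TPM only the string-to-sign and gets the HMAC back, which is what makes the credential survive firmware and software updates and resist extraction.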

Page 16

Page 17

IoT Device Lifecycle

• PLAN: Group devices and control access according to your organization's needs

• PROVISION: Securely authenticate devices, on-board for management and provision for service

• CONFIGURE: Provide updates, configuration & applications to assign the purpose of each device

• MONITOR: Monitor device inventory, health & security while providing proactive remediation of issues

• RETIRE: Replace or decommission devices after failure, upgrade cycle or service lifetime

Page 18

(Diagram: IoT Hub endpoints and the components that use them)

Device side (Device, Field GW / Cloud GW, Device …, each with its own Device id):

• D2C send endpoint

• C2D receive endpoint

• Device Twins endpoint

• Direct Methods endpoint

• File upload endpoint

Service side:

• C2D send endpoint, receive delivery ack

• D2C receive endpoint

• Receive file notification

• Methods endpoint

• Twin endpoint

• Device identity management

• Job management

Back-end consumers of the service-side endpoints:

• Event processing (hot and cold path)

• Device management, device business logic, connectivity monitoring

• Device provisioning and authorization

IoT Hub management: create and delete IoT hubs, update IoT hub properties, export device identities

Page 19

IoT platform – past, present and future

Page 20

Blockchain integrated IoT platform

(Diagram: Blockchain Network with Smart Contracts deployed; Machines / IoT Device; users send transactions to smart contracts associated with machines)

Blockchain enabled IoT platform can enhance the functionality of Cloud-based Manufacturing (CBM) platforms, by providing a decentralized, trustless, peer-to-peer network for manufacturing applications.

Key use-cases of Blockchain IoT platform:

• On-Demand Manufacturing

• Smart Diagnostics & Machine Maintenance

• Supply Chain: tracking of both products & supplier identity

• Consumer-to-Machine & Machine-to-Machine Transactions: registry of assets & inventory; product certification

Page 21

Page 22

Investments in infrastructure

In highly regulated sectors

Global requirements

Local and regional compliance requirements

Future requirements

Page 23

• Resolution of the Agencia Española de Protección de Datos (July 2014)

• Certification under the Real Decreto on LOPD technical measures (July 2016)

Page 24

Personal privacy

Main changes with GDPR

Controls and notifications | Transparent policies | IT, training and contracts

Need to invest in:

• Employee training on privacy

• Data policies

• Data Protection Officer (DPO) (if more than 250 employees)

• Security

• Processor/Vendor contracts

• Strict security requirements

• Obligation to report security breaches

• Appropriate consent for data processing

• Confidentiality

• Record keeping

Individuals have the right to:

• Access their personal data

• Correct errors in their personal data

• Erase their personal data

• Object to the processing of their personal data

• Export their personal data

Transparent, easily accessible policies on:

• Notice of data collection

• Notice of processing

• Details of processing

• Data retention and erasure

Page 25

How do I start?

1. Detection: Identify what personal data you hold and where it resides.

2. Control: Manage the use of and access to personal data.

3. Protection: Establish security controls to prevent, detect and respond to vulnerabilities and data security incidents.

4. Notification: Handle data subjects' access requests and keep the necessary documentation.

5. Review: Analyse data and systems to ensure compliance and reduce risk.

Page 26

Page 27

Microsoft is meeting customer security needs with the industry's largest compliance portfolio (Largest compliance portfolio in the industry)

Worldwide: ISO 27001; PCI DSS Level 1*; SOC 2 Type 2; ISO 27018; Cloud Controls Matrix; Content Delivery and Security Association*; Shared Assessments; SOC 1 Type 2

Government: FIPS 140-2; DISA Level 2; FERPA; FedRAMP JAB P-ATO; FISMA; CJIS; 21 CFR Part 11; IRS 1075; Section 508 VPAT; NIST 800-171

National: United Kingdom G-Cloud; European Union Model Clauses; Singapore MTCS Level 3; New Zealand GCIO; Australian Signals Directorate; Japan Financial Services; Spain ENS; ENISA IAF; HIPAA / HITECH; EU-U.S. Privacy Shield; China MLPS*, TRUCS*, GB 18030*

https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings

Page 28

• GDPR: https://www.microsoft.com/es-xl/trustcenter/privacy/GDPR

• Secure Development Lifecycle: https://www.microsoft.com/en-us/sdl/default.aspx

• IoT Security Architecture: https://docs.microsoft.com/en-us/azure/iot-suite/iot-security-architecture

• Protected Hardware Storage: https://developer.microsoft.com/en-us/windows/iot/win10/tpm and https://developer.microsoft.com/en-us/windows/iot/Docs/SetupTPM.htm#sTPM

• Azure Trust Center: http://azure.microsoft.com/en-us/support/trust-center/

Page 29

SECURITY

Security Software:

A: Active Response; Advanced Correlation Engine; Advanced Threat Defense; Application Data Monitor

C: Complete Data Protection; Complete Data Protection — Advanced; Complete Data Protection — Essential; Complete Endpoint Protection — Business; Complete Endpoint Protection — Enterprise; Configuration Control

D: Database Event Monitor for SIEM; Data Center Security Suite for Databases; Device Control; DLP Discover; DLP Endpoint; DLP Monitor; DLP Prevent

E: Endpoint Protection — Advanced Suite; Endpoint Protection for Mac; Endpoint Protection for SMB; Endpoint Protection Suite; Enterprise Log Manager; Enterprise Security Manager; ePO Deep Command; ePolicy Orchestrator; Event Receiver

G: Global Threat Intelligence for ESM

H: Host Intrusion Prevention for Desktop; Host Intrusion Prevention for Server

I: Integrity Control; Intel Security Controller

M: MOVE AntiVirus

N: Network Security Platform; Network Threat Response

P: Policy Auditor; Public Cloud Server Security Suite

S: SaaS Web Protection; Security for Email Servers; Security for Microsoft SharePoint; Security Scanner for Databases; Security Suite for Virtual Desktop Infrastructure; Server Security Suite Advanced; Server Security Suite Essentials; SiteAdvisor Enterprise

T: Threat Intelligence Exchange; Total Protection for Data Loss Prevention

V: VirusScan Enterprise; VirusScan Enterprise for Linux; VirusScan Enterprise for Storage; Vulnerability Manager for Databases

W: Web Gateway; Web Protection

Page 30

Microsoft AZURE

IoT Connect 2017

#IoTconnect