1
IoT means new requirements for security and privacy
What must be done?
Dr Arnor Solberg
COO, Tellu IoT AS
2
Outline
• Tellu
• Security and Privacy in IoT are main concerns for us
• IoT Security and Privacy; state of affairs and what requirements to expect
• What to do?
• What we do
• How we approach GDPR
Survey by Mobile Ecosystem Forum, published in Computer Business Review, April 2016
3
TelluCloud – An IoT Integration Platform
• IoT platform supporting a set of verticals
• Solution as a service model (SaaS), pay-as-you-go model
• Cover the IoT, Edge and Cloud space
• IoT application innovation and development
• Library of integrated sensor devices and gateways
• Integration with new devices and legacy systems (e.g., EPJ)
• White labeling
4
Example product: Telenor TelluCloud Solution on welfare
Security and privacy are a matter of to be or not to be
[Architecture diagram. Components shown: health professionals; response center solution; home care service; professional system (EPJ); Shepherd integration platform; the user; emergency response service; response center; next of kin; Tryggi; Internet / GSM]
Equipment at the user's home: safety alarm with sensors, safety alarm with GPS, medicine dispensers, digital supervision, medical sensors, electronic locks
Administration tool: configuration and test, heartbeat monitoring, sensor management
5
The Gartner Hype Cycle
6
Current IoT characteristics
• Connectivity
• Sensor innovations
  • Exponential amount of sensors deployed
• IoT platforms (more than 400)
  • Register & manage IoT devices
  • Monitoring
  • Storing and processing data in the cloud
• Most services are closed vertical silos
• A lot of IoT “Gadgets”
2017
7
State of affairs in terms of IoT Security
• Attack surface is about to explode
• Vertical silos are easier to protect
• Current IoT systems security is mostly about protecting sensitive information and assets
• Severe DDoS attacks such as the Mirai botnet
“Gold rush state, where every vendor is hastily seeking to dish out the next innovative connected gadget before competitors do. --> Functionality becomes the main focus and security takes a back seat.”
8
Characteristics of The Emerging IoT
Driven by the envisioned digitalized society
• Break the silos
• Open, integrated and massively distributed systems across the IoT, Edge and Cloud space
• Resource sharing
  • To be sustainable, need to avoid parallel infrastructures
• Fog computing/edge computing
• Actuation
• …
IoT based systems are becoming a critical backbone of the society impacting the everyday life of the citizens
9
Security and privacy demands in future IoT Systems
• Laws and regulations -> punishment
  • E.g., GDPR
• Strict requirements from customers
• Security and privacy by design
• Certification
  • E.g., ISO 27001, ISO 13485
• New security mechanisms and models
• Resource constraints
  • Cannot run the most compute- and resource-demanding security mechanisms
• Need to be usable in the IoT context
• Monitoring and Forensics
Our very lives and health can become the target of IoT hack attacks
“Gold Rush” approach will simply not be accepted
10
What can we do?
• Prepare for upcoming requirements
  • Implement standards
  • Provide GDPR functionality
  • Security and privacy by design
  • Monitoring and forensics
• Still keep
  • Short time to market
  • Agile
  • Rapid innovation
• Understand opportunities
  • DevOps
  • Microservices
  • Edge computing
  • Blockchain - IOTA
11
DevOps cycle for Trustworthy IoT systems (H2020 ENACT)
12
ENACT Toolkits – Automation is key
http://www.enact-project.eu/
13
Evolving to new standards and models
• Web session based Authentication
• Authenticating towards authentication service
• Public services in Norway use ID-porten
• Return with access token with limited longevity
• Works OK for web session based user interaction, but what about things?
• How are sensors connected to users in the real world?
14
Data authenticity when things talk
[Diagram labels: Things without internet; Things with Internet; Gateway. Message flows: Authenticate / Access token; Access token + Health data]
15
Session Longevity
• Time out
• Physically connected sensor
  • Attach the sensor physically to the person
  • Informed if sensor is removed
16
“Offpad” for securing devices
• User managed root-keys
• Offline execution environment
• API access from any client platforms
• Secure user input-output channels
TEE
17
Software based Diversification
[Figure labels: v2; ???; MIRAI]
18
Two slides about Tellu's approach to GDPR
19
Privacy Data Lifecycle - Rights Management → Functionality built into TelluCloud
[Lifecycle diagram stages: Lead; Suspect; Prospect; Customer; Lost Prospect; Previous Customer]
Right to consent
Right to data protection
Right to view data
Right to correct data
Right to get notified
Right to data portability
Right to be forgotten
20
Organizational measures
• Privacy by design process
  • E.g., threat and risk assessment, impact assessment, minimization
• DevOps
• Make sure to have a clear understanding of which personal data is handled and the justification for storing it (purpose)
• Routines
  • E.g., in case of a breach: the 72-hour rule
  • Who must be notified (the person, the data protection officer, Datatilsynet, the Norwegian Data Protection Authority)
• Consent management
  • One consent per purpose (even within the same application)
• Documentation
• Transparency
• Contact/consultation with Datatilsynet
• ISO 27001
21
Thank You
22