Protecting Our Cyber-Identity in a Physical and Virtual World for IoT Ecosystem
Session SCX09S, Security, #CAWorld
Valmiki Mukherjee, Chief Security Architect, Cognizant (@valmikim)
Gautam Dev, Venture Leader, Cognizant
2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Abstract
We live and work in a cyber-world where our physical entity and logical identities
are disjointed and vulnerable. We don’t know how our logical identity and data is
being accessed and by who. With the advent of IoT and “Digitization of All Things”
business and the proliferation of data, there is even more exposure of this logical
persona and potential for a breach.
In this presentation we discuss with consideration to IoT:
• What really is at stake in terms of enterprise risk, security and privacy
• What challenges are experienced and what Security Controls can be put in
• What tangible security solutions exist and can be used in an IoT world
Agenda
1. Internet of (Secure/Insecure) Things
2. Why is IoT Important and Why Act Now
3. Opportunities for Improving IoT Security
4. IoT and Security at Crossroads
5. Building Security Controls into IoT Ecosystem
6. Comprehensive and Converged Security - SMaaS
Terms of this Presentation
For Informational Purposes Only
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
What is Internet of Things
The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data.
Credit: engineering.com
IoT Technical Definition
• Let’s look at how ITU-T Y.2060 defines the IoT
– IoT: a “global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.”
– Device: ...“a piece of equipment with the mandatory capabilities of communication and the optional capabilities of sensing, actuation, data capture, data storage and data processing.”
– Thing: …“an object of the physical world (physical things) or the information world (virtual things), which is capable of being identified and integrated into communication networks.”
Source: ITU-T Y.2060
Why do we Care About IoT?
If you think you are already living in a connected world, think harder…
Chances are that we have underestimated the size and scale of the things to come – with IoT!
We are heading towards a hyperconnected world that we have never lived in or seen before.
Credit: IDC/McKinsey Analysis, Information Week
IoT was not Made for Security
So we have - Internet of (Insecure) Things?
• Constituents of the IoT universe are wildly diverse, ranging from simple to very complex
• These devices were not made with security in mind, or at least not with today’s security in mind
• They are fixed-function devices built to perform a specific task
• Even where connectivity reaches IoT devices, delivering anything such as a security update to them is tough
Security was not Made for IoT
• Enterprise security is typically multilayer/multicomponent
• Enterprise security is also oriented towards PCs and servers, and won’t even run on IoT devices
• Basic protective components such as firewalls are absolutely absent from embedded devices
• IoT devices rely on basic authentication mechanisms and security protocols
Internet of Things – Risks and Rewards
• Major concerns with IoT
– Does not implement sufficient security
– IT Department is not aware of IoT at Workplace
– IoT has reduced Privacy
– Cyberattack through hyper connected IoT devices
Organizations feel thoroughly underprepared for IoT Security
Credit: ISACA Survey on Security in IoT
What is the Risk with IoT Devices?
Understanding the underlying problem with IoT ecosystem
• Critical functionality: Embedded devices in IoT are not only about smart watches and fitness devices; they manage and monitor critical infrastructure in industry and public life
• Replication: Embedded devices are mass produced and typically similarly configured, hence if a vulnerability is exploited, it is easy to carry out large scale attacks
• Security assumptions: Embedded device engineers rarely have a security background, and no one historically has assumed that they would be targets of a cyberattack - not cool!
• Not easily patched: They are neither easily patched nor upgraded; they have in fact a very minimal computing and storage footprint which is designed for efficiency and longevity
• Long lifecycle: Embedded devices in the IoT ecosystem are designed to last, while vulnerabilities in cyberspace change every day
• Proprietary/industry specific protocols: Embedded devices often use specialized protocols that are not recognized and protected by enterprise security tools. Traditional security components are not designed for such protocols.
• Deployed outside of enterprise security perimeter: Many embedded devices are mobile or are deployed in the field. As a result, these devices may be directly connected to the Internet with none of the protections found in a corporate environment.
Understanding the IoT Ecosystem Security Protocols
Mapping Enterprise Security Components to IoT – Device Identity Interaction
The slide diagram labels the stages Device Bootstrapping, Device Registration and Pub/Sub, and maps the device identity interaction to these security components and protocols:
• Device Registration: LWM2M / CoAP / credentials / attributes / certs / JWTs
• Device Access (Owner Device AuthN/AuthZ): OAuth2 / JWT / cert AuthN / scope / token validity
• Device Management: Data/Policy Check
• Data Application and Management:
– User registration: REST / JSON
– 3rd party registration: OAuth2 / OIDC
– 3rd party data sharing: OAuth2 / OIDC
– APIs: OAuth2, REST / JSON
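The Device Access step above (OAuth2 / JWT / scope / token validity, checked against the owner-device relationship established at registration) as an added example that is not part of the deck or of any Cognizant or CA product. It assumes an HS256 JWT from a hypothetical authorization server; the secret, issuer, audience and device registry are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumption for this example: the device access token is an HS256 JWT issued by a
# hypothetical authorization server. The deck names OAuth2/JWT without fixing an
# algorithm; the secret, issuer and registry below are constructed sample values.
ISSUER_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "https://iot-authz.example"
EXPECTED_AUDIENCE = "device-data-api"

# Constructed outcome of the Device Registration step: each device is bound to an
# owner, and a kill switch flag records devices taken off the network.
DEVICE_REGISTRY = {
    "dev-0001": {"owner": "alice", "killed": False},
    "dev-0002": {"owner": "bob", "killed": True},  # rogue device, kill switch pulled
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_device_token(device_id: str, owner: str, scope: str,
                      ttl: int = 300, now: Optional[int] = None) -> str:
    """Issuer side: sign a short-lived token carrying the device, its owner and scopes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": device_id,
              "owner": owner, "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(ISSUER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def check_device_access(token: str, required_scope: str,
                        now: Optional[int] = None) -> Tuple[bool, str]:
    """Device Access step: verify signature, validity window, audience and scope,
    then the owner/device relationship and kill switch from the registry."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(ISSUER_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(claims_b64))  # parsed only after the signature check
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong issuer or audience"
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return False, "token outside validity window"
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope " + required_scope
    entry = DEVICE_REGISTRY.get(claims.get("sub"))
    if entry is None:
        return False, "device not registered"
    if entry["killed"]:
        return False, "device kill switch active"
    if entry["owner"] != claims.get("owner"):
        return False, "device not bound to claimed owner"
    return True, "allowed"


if __name__ == "__main__":
    t0 = 1_447_840_800  # constructed reference time for the demo
    token = mint_device_token("dev-0001", "alice", "telemetry:write", now=t0)
    print(check_device_access(token, "telemetry:write", now=t0 + 10))   # (True, 'allowed')
    print(check_device_access(token, "telemetry:write", now=t0 + 900))  # expired
```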
Risks Associated with IoT
How identity could be the key thread
Each class of enterprise user maps to a risk domain, traced through Identity, Activity and Access:
• Enterprise Users as Consumers: Consumer IoT User Privacy Risk (PII exposure; malicious access to personal data)
• Enterprise Users as Employees: Enterprise/Industrial IoT Enterprise Risk (malicious usage of sensor and information)
• Enterprise Users as Admins/Privileged Users: IoT Administration Infrastructure Risk (unintended/malicious use of admin access)
Integrated View of IoT Security Controls
IoT security controls need to span the device itself as well as the environment that the device operates within.
This should also be included in the overall cybersecurity program, with a converged view of all domains interacting with the IoT devices.
CSA Proposed IoT Controls Guidance
Credit: CSA IoT Workgroup
Top Recommendations for IoT Security Controls
1. Analyze privacy impacts to stakeholders and adopt a Privacy-by-Design approach to IoT development and deployment
2. Apply a Secure Systems Engineering approach to architecting and deploying a new IoT System
3. Implement layered security protections to defend IoT assets
4. Implement data protection best-practices to protect sensitive information
5. Define lifecycle controls for IoT devices
6. Define and implement an authentication/authorization framework for the organization’s IoT Deployments
7. Define and implement a logging/audit framework for the organization’s IoT ecosystem
Security Solution Framework for Recommended Controls
From Controls to a Practical Solution
A comprehensive and converged view of security solution for the IoT ecosystem
The slide lays the control solutions out in two columns, Identity and Access Control and Infrastructure Protection, over a Common Data Exchange Interface and a Reference Architecture with ITU-T Y.2060:
• Integrate IoT into existing IAM and GRC platforms
• Change default passwords for administrative access
• AAA schemes based on system-level threat models
• Utilize smart phones for multifactor authentication
• PKI updates with rollout of device certificates
• Provide consumer preference and consent management
• Integrate physical access control systems with IAM
• Restrictive controls for device transactions
• Implement privileged access management for administrators
• Develop a well articulated incident response plan
• Establish people and device relationships
• Monitor devices and their usage behavior
• Develop context based AAA for sensor nodes
• Leverage IoT standards/protocols for security controls
• Use entity analytics to fine tune control measures
• Build secure default configuration
• Enable kill switches to take rogue devices off the network
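The behaviour-monitoring controls listed above (monitor devices and their usage behavior, use entity analytics to fine tune control measures, enable kill switches for rogue devices) as an added example that is not part of the deck or of any Cognizant or CA product: a per-device baseline learned from a constructed telemetry log, then scored against new reports, with a kill-switch recommendation once a device keeps deviating. The log format, field names, thresholds and device ids are assumptions made for the example.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed telemetry log for this example (not real deployment data). One report
# per line: timestamp | device id | bytes sent in the interval | destination host.
LEARNING_LOG = """\
2015-11-18T10:00:00|dev-0001|1200|telemetry.example
2015-11-18T10:05:00|dev-0001|1150|telemetry.example
2015-11-18T10:10:00|dev-0001|1300|telemetry.example
2015-11-18T10:15:00|dev-0001|1250|telemetry.example
2015-11-18T10:00:00|dev-0002|400|telemetry.example
2015-11-18T10:05:00|dev-0002|420|telemetry.example
2015-11-18T10:10:00|dev-0002|380|telemetry.example
2015-11-18T10:15:00|dev-0002|410|telemetry.example
"""

# Constructed live window: dev-0002 starts pushing far more data to an unknown host,
# and dev-0003 reports without ever having been baselined (registered).
LIVE_LOG = """\
2015-11-18T11:00:00|dev-0001|1220|telemetry.example
2015-11-18T11:05:00|dev-0002|390|telemetry.example
2015-11-18T11:10:00|dev-0002|48000|198.51.100.7
2015-11-18T11:15:00|dev-0002|52000|198.51.100.7
2015-11-18T11:20:00|dev-0002|51000|198.51.100.7
2015-11-18T11:25:00|dev-0003|900|telemetry.example
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed pipe-separated telemetry format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dev, nbytes, dest = line.split("|")
        events.append({"ts": ts, "device": dev, "bytes": int(nbytes), "dest": dest})
    return events


def build_baselines(events: List[dict]) -> Dict[str, dict]:
    """Per-device usage profile from the learning window: volume statistics
    and the set of destinations the device normally talks to."""
    by_dev = defaultdict(list)
    for e in events:
        by_dev[e["device"]].append(e)
    baselines = {}
    for dev, evs in by_dev.items():
        volumes = [e["bytes"] for e in evs]
        baselines[dev] = {
            "mean": statistics.fmean(volumes),
            "stdev": statistics.pstdev(volumes),
            "dests": {e["dest"] for e in evs},
        }
    return baselines


def score_events(events: List[dict], baselines: Dict[str, dict],
                 sigma: float = 3.0, kill_after: int = 3) -> Tuple[List[dict], List[str]]:
    """Flag each report that deviates from its device's own baseline. A device
    with kill_after or more anomalies is recommended for the kill switch."""
    findings = []
    anomaly_count = defaultdict(int)
    for e in events:
        dev = e["device"]
        base = baselines.get(dev)
        reasons = []
        if base is None:
            reasons.append("unregistered device")
        else:
            if e["dest"] not in base["dests"]:
                reasons.append("new destination " + e["dest"])
            # Floor the spread at 1 byte so a perfectly steady device still has a band.
            limit = base["mean"] + sigma * max(base["stdev"], 1.0)
            if e["bytes"] > limit:
                reasons.append(f"volume {e['bytes']} exceeds baseline limit {limit:.0f}")
        if reasons:
            anomaly_count[dev] += 1
            findings.append({"ts": e["ts"], "device": dev, "reasons": reasons})
    quarantine = sorted(d for d, n in anomaly_count.items() if n >= kill_after)
    return findings, quarantine


if __name__ == "__main__":
    baselines = build_baselines(parse_log(LEARNING_LOG))
    findings, quarantine = score_events(parse_log(LIVE_LOG), baselines)
    for f in findings:
        print(f["ts"], f["device"], "; ".join(f["reasons"]))
    print("kill switch recommended for:", quarantine)  # ['dev-0002']
```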
Cognizant’s Answer to Today’s Risk Landscape
Help Current Technologies Run Better
Security domains covered: IAM; Data Protection; Application Security; Audit & Logging Management; Integrated Threat & Vulnerability Management; Governance Risk and Compliance
Platform capabilities:
• Entity, Access and Activity Warehouse
• User & Resource Behavior Profiling
• Anomaly Detection and Self Learning
• Integrated Threat Engine
• Identity Centric Access Analytics
• Enterprise Policy Enforcement
• Real time Activity Monitoring
• Actionable Risk Prevention and Remediation
• Risk Based Decision Support and 360° Validation
SMaaS Suite Technology Components
Critical Packs Powered by CA Security Solutions
• Id Intelligence Pack (Actionable Risk Intelligence): Anomaly Detection; Behavioral Patterns; Predictive Self Learning; Threat Intelligence; Enterprise Policies; Identity Activity and Access Warehouse
• Access Pack (Risk Based Fine-grained Access Mgmt.): Certified User Access; Dynamic Access Policies; Fine-grained Authorization Policy; SMaaRT Role Based Access Control; Risk Based Access Control; Certified and Trusted Users and Entitlements
• Federation Pack (Industry Wide Trusted IdP & SP Services): Identity Proofed Users; SP and IdP Services; Standards based Federated SSO; Cloud and on Premise integration; Multifactor and Risk based AuthN/AuthZ; Certified and Trusted Users and Entitlements
• Control Pack (Bottom Up GRC Policy Enforcement): Pre-packaged Compliance Standards; Integrated Policy Management Framework; Bottom up Policy mapping and enforcement; Actionable GRC Index; Controls and Policy Repository
• Data Pack (Risk based Data Protection): Data at rest Protection (obfuscation & encryption); Realtime and Runtime data protection; Data desensitization and redaction; Application based data solutions; Data Controls and Access Policy Repository
• End Point Pack (Risk based End Point Protection): Cyber Threat Intelligence; Asset Inventory and Policy Repository; Endpoint System Management; Advanced Threat Prevention; Endpoint Remediation; Endpoint Incident Response
Next Generation MSSP Follows Assurance
Supported by Cognizant Security Assurance Center Model
The traditional MSSP model follows Operations (Security Operations Center); the next generation model follows Assurance (Security Assurance Center), with a focus on assurance based on prevention and remediation.
• Services: IT Security Assurance Services; Data Assurance Service; NextGen SOC Services; GRC Assurance Services; Application Security Maturity Center
• Risk Prevention and Information Security Platforms: SMaaS; Data Obscure
• Realtime Assurance Dashboards: C-Level Dashboard; Operational Dashboard; Investigative Dashboard; Analyst Dashboard
• Customer IT and Security Operations Data: Authoritative Sources; Application Data; Security Data; IT Infra Data
Summary
A Few Words to Review
• IoT Security is a key issue and a real challenge: IoT devices and the ecosystem were not built with security in mind, and enterprise security needs to be adapted to embrace IoT.
• IoT Security needs comprehensive support: IoT is an ecosystem, and there needs to be conscious and concerted support towards convergence of security protocols and approaches. Cognizant and CA combined have a comprehensive solution.
• IoT Security can be improved significantly: by partnering with device engineers and supporting the ecosystem in adopting a converged security view with identity at the center.
About Cognizant
Who we are
• Founded in 1994 (CTSH, Nasdaq)
• Headquarters: Teaneck, NJ
• 75+ Global Delivery Centers
• 20,000+ Projects in 40 countries
• 25+ Regional sales offices
• Revenue: $10.26b in 2014 (up 20.4% YOY); Q2 2014 – $2.52b
• Revenue Mix (H1 2014): NA: 76.2%, Europe: 19%, RoW: 4.8%
• 220,000+ employees (Sep 2015)
• 1,242 active customers
Security Service Lines
Enterprise Risk and Security Solutions (ERSS) Venture is the EBA Business Unit focused on delivering Security and Risk Management solutions at Cognizant
• 10+ Avg. Years Experience
• 1300+ Security Consultants
• 300+ Projects Executed
• 300+ CISA, CISM, CISSP, CEH and vendor certified associates
• 250+ Network Security trained associates
• 80+ Data Security Analysts, Architects and Consultants
• 100+ GRC Vendor Certified Security Analysts, Architects and Consultants
Service lines: Security Assessment; Data Security; Integrated Threat Management; Identity and Access Management; GRC
Platforms: SMaaS; ASMC; Data Obscure; UMaaS; ACCERT
Enterprise Partnerships and Service Partnerships
Credentials in the Market
SMaaS: Accreditation; Event Presence; Analyst Briefing; Endorsements
Recommended Sessions
SESSION # | TITLE | DATE/TIME
SCT31T | Tech Talk: Knock, Knock – the IoT wants to come in? | 11/18/2015 at 03:45 pm
SCT05S | Roadmap: CA Advanced Authentication and CA Single Sign-On | 11/18/2015 at 04:30 pm
SCT02S | Keynote: Looking Beyond the Threat | 11/19/2015 at 10:30 am
Must See Demos
• Security Innovations (Security Theater)
• Enable a Secure Digital Workspace: CA SSO, APIM (Security Theater)
• Engage Customers: CA SSO (Security Theater)
• Protect Against Fraud & Breaches: CA Advanced Auth (Security Theater)
Q & A
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15

More Related Content

PDF
Business-Aligned Enterprise Security – Driving Success in the Face of Shifti...
PDF
Security Opening Keynote Address: Security Drives DIGITAL TRANSFORMATION in...
PDF
Go Mobile to Mainframe With CA Gen and CA App Services Orchestrator
PPTX
Case Study: Sprint Monitors Its Mega-Network for Voice/Video/Data Service Ass...
PDF
Complicate, detect, respond: stopping cyber attacks with identity analytics
PDF
CA UIM for z Systems Technical Deep Dive: Get the Right People Solving Probl...
PDF
Mobile Risk Analysis: Take Your Mobile App Security to the Next Level
PDF
Pre-Con Education: How to Deliver a "5-Star" Mobile App Experience With CA ...
Business-Aligned Enterprise Security – Driving Success in the Face of Shifti...
Security Opening Keynote Address: Security Drives DIGITAL TRANSFORMATION in...
Go Mobile to Mainframe With CA Gen and CA App Services Orchestrator
Case Study: Sprint Monitors Its Mega-Network for Voice/Video/Data Service Ass...
Complicate, detect, respond: stopping cyber attacks with identity analytics
CA UIM for z Systems Technical Deep Dive: Get the Right People Solving Probl...
Mobile Risk Analysis: Take Your Mobile App Security to the Next Level
Pre-Con Education: How to Deliver a "5-Star" Mobile App Experience With CA ...

What's hot (20)

PDF
Protecting the Software-Defined Data Center from Data Breach
PDF
The API Opportunity: Crossing the Digital Divide
PDF
Centralized, Convenient Application Access–the One Stop Shop for Identity Ser...
PDF
Fines in the Millions Levied Every Year Coming Soon! The Business Case for ...
PDF
Case Study: Oppenheimer Funds Brings IT to the People with ITSM Self-Service...
PDF
Business Transformation: Reframing Strategic Advantage through APIs
PDF
Technology Primer: New Cloud Monitoring Capabilities in CA Unified Infrastruc...
PDF
Using Artificial Intelligence to power Service Virtualization
PDF
Freeing the World from Slow: How Service Virtualization and the Concept of S....
PDF
Simplified Identity Management and Governance from One UI — The CA Identity S...
PDF
Hello, Dishwasher! The Looming Identity Crisis on the Internet of Things
PDF
Server Monitoring Battles
PDF
Hands-On Lab: Improve large network visibility and operational efficiency wit...
PDF
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
PDF
Developing Secure Mobile Applications
PDF
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
PDF
TechTalk: Accelerate Mobile Development using SDKs and Open APIs With CA API ...
PDF
API Management SaaS 2.0: Growing with the Digital Economy
PDF
Locating Unmanaged but Regulated Data on System z: CA Data Content Discovery
PDF
Speed time to value with CA IAM solutions deployed on Docker, Kubernetes, and...
Protecting the Software-Defined Data Center from Data Breach
The API Opportunity: Crossing the Digital Divide
Centralized, Convenient Application Access–the One Stop Shop for Identity Ser...
Fines in the Millions Levied Every Year Coming Soon! The Business Case for ...
Case Study: Oppenheimer Funds Brings IT to the People with ITSM Self-Service...
Business Transformation: Reframing Strategic Advantage through APIs
Technology Primer: New Cloud Monitoring Capabilities in CA Unified Infrastruc...
Using Artificial Intelligence to power Service Virtualization
Freeing the World from Slow: How Service Virtualization and the Concept of S....
Simplified Identity Management and Governance from One UI — The CA Identity S...
Hello, Dishwasher! The Looming Identity Crisis on the Internet of Things
Server Monitoring Battles
Hands-On Lab: Improve large network visibility and operational efficiency wit...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Developing Secure Mobile Applications
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
TechTalk: Accelerate Mobile Development using SDKs and Open APIs With CA API ...
API Management SaaS 2.0: Growing with the Digital Economy
Locating Unmanaged but Regulated Data on System z: CA Data Content Discovery
Speed time to value with CA IAM solutions deployed on Docker, Kubernetes, and...
Ad

Viewers also liked (20)

PPTX
"Cybersecurity - Current Landscape and Future Challenges", Anish Mohammed, Le...
PPTX
CyberSecurity Best Practices for the IIoT
PPTX
Principals of IoT security
PDF
7 Strategies for Reducing IoT Cyber Risk
PPTX
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
PDF
Cyber Security - awareness, vulnerabilities and solutions
PPTX
Cybersecurity Skills Audit
PPTX
A Year of Cloud First: Lessons Learned
PDF
Company Product Sheet
PPTX
Overview of the 20 critical controls
PDF
Network Infrastructure Validation Conference @UPRA (2003)
PDF
Ispe Article
PDF
Designing for IoT and Cyber-Physical System
PDF
Privacy & cyber-physical security in eu cities 2016
PPTX
Understanding the Risk & Challenges of Cyber Security
PDF
Meet You GxP Compliance in the Cloud
PDF
ACI's Global Encryption, Cloud & Cybersecurity Controls
PPSX
Virtual infrastructure qualification
PDF
IoT Security: How Your TV and Thermostat are Attacking the Internet
"Cybersecurity - Current Landscape and Future Challenges", Anish Mohammed, Le...
CyberSecurity Best Practices for the IIoT
Principals of IoT security
7 Strategies for Reducing IoT Cyber Risk
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...
Cyber Security - awareness, vulnerabilities and solutions
Cybersecurity Skills Audit
A Year of Cloud First: Lessons Learned
Company Product Sheet
Overview of the 20 critical controls
Network Infrastructure Validation Conference @UPRA (2003)
Ispe Article
Designing for IoT and Cyber-Physical System
Privacy & cyber-physical security in eu cities 2016
Understanding the Risk & Challenges of Cyber Security
Meet You GxP Compliance in the Cloud
ACI's Global Encryption, Cloud & Cybersecurity Controls
Virtual infrastructure qualification
IoT Security: How Your TV and Thermostat are Attacking the Internet
Ad

Similar to Protecting Our Cyber-Identity in a Physical and Virtual World for IoT Ecosystem (20)

PDF
Safeguarding the Internet of Things
PPTX
PDF
White Paper: IoT Security – Protecting the Networked Society
PPTX
Introduction to IOT security
PDF
The Convergence of IT, Operational Technology and the Internet of Things (IoT)
DOCX
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
PDF
Security in IoT
PDF
IoT – Breaking Bad
PPTX
Security of iot device
PPTX
Not IN Cybersecurity Connectivity,Cloud Platforms,Security.pptx
PPTX
IoT security
DOCX
Final Research Project - Securing IoT Devices What are the Challe.docx
DOCX
Final Research Project - Securing IoT Devices What are the Challe.docx
PPTX
Assign 1_8812814ctm.pptx
PDF
IRJET- Multifactor Authentication in IoT Devices for Ensuring Secure Cloud St...
PPTX
Iot cyber security
PDF
IoT and security
PDF
Is IoT Security A Challenge? Surefire Target Plan Explained | USCSI®
PDF
IoT Security and Privacy Concerns: Safeguarding Your Connected Devices
PPTX
IoT Security and Data Privacy Concerns.pptx
Safeguarding the Internet of Things
White Paper: IoT Security – Protecting the Networked Society
Introduction to IOT security
The Convergence of IT, Operational Technology and the Internet of Things (IoT)
IoT Referenceshttpswww.techrepublic.comarticlehow-to-secur.docx
Security in IoT
IoT – Breaking Bad
Security of iot device
Not IN Cybersecurity Connectivity,Cloud Platforms,Security.pptx
IoT security
Final Research Project - Securing IoT Devices What are the Challe.docx
Final Research Project - Securing IoT Devices What are the Challe.docx
Assign 1_8812814ctm.pptx
IRJET- Multifactor Authentication in IoT Devices for Ensuring Secure Cloud St...
Iot cyber security
IoT and security
Is IoT Security A Challenge? Surefire Target Plan Explained | USCSI®
IoT Security and Privacy Concerns: Safeguarding Your Connected Devices
IoT Security and Data Privacy Concerns.pptx

More from CA Technologies (20)

PPTX
CA Mainframe Resource Intelligence
PDF
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
PDF
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
PDF
Case Study: How The Home Depot Built Quality Into Software Development
PDF
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
PDF
Case Study: Privileged Access in a World on Time
PDF
Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...
PDF
Case Study: Putting Citizens at The Center of Digital Government
PDF
Making Security Work—Implementing a Transformational Security Program
PDF
Keynote: Making Security a Competitive Advantage
PDF
Emerging Managed Services Opportunities in Identity and Access Management
PDF
The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...
PDF
Leveraging Monitoring Governance: How Service Providers Can Boost Operational...
PDF
The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...
PDF
Application Experience Analytics Services: The Strategic Digital Transformati...
PDF
Application Experience Analytics Services: The Strategic Digital Transformati...
PDF
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
PDF
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
PDF
Blockchain: Strategies for Moving From Hype to Realities of Deployment
PDF
Establish Digital Trust as the Currency of Digital Enterprise
CA Mainframe Resource Intelligence
Mainframe as a Service: Sample a Buffet of IBM z/OS® Platform Excellence
Case Study: How CA Went From 40 Days to Three Days Building Crystal-Clear Tes...
Case Study: How The Home Depot Built Quality Into Software Development
Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged Use...
Case Study: Privileged Access in a World on Time
Case Study: How SGN Used Attack Path Mapping to Control Privileged Access in ...
Case Study: Putting Citizens at The Center of Digital Government
Making Security Work—Implementing a Transformational Security Program
Keynote: Making Security a Competitive Advantage
Emerging Managed Services Opportunities in Identity and Access Management
The Unmet Demand for Premium Cloud Monitoring Services—and How Service Provid...
Leveraging Monitoring Governance: How Service Providers Can Boost Operational...
The Next Big Service Provider Opportunity—Beyond Infrastructure: Architecting...
Application Experience Analytics Services: The Strategic Digital Transformati...
Application Experience Analytics Services: The Strategic Digital Transformati...
Strategic Direction Session: Deliver Next-Gen IT Ops with CA Mainframe Operat...
Strategic Direction Session: Enhancing Data Privacy with Data-Centric Securit...
Blockchain: Strategies for Moving From Hype to Realities of Deployment
Establish Digital Trust as the Currency of Digital Enterprise

Recently uploaded (20)

PPT
Teaching material agriculture food technology
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Empathic Computing: Creating Shared Understanding
PDF
Network Security Unit 5.pdf for BCA BBA.
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
cuic standard and advanced reporting.pdf
PDF
NewMind AI Monthly Chronicles - July 2025
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PPTX
Cloud computing and distributed systems.
PDF
Encapsulation theory and applications.pdf
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
Big Data Technologies - Introduction.pptx
Teaching material agriculture food technology
Spectral efficient network and resource selection model in 5G networks
Empathic Computing: Creating Shared Understanding
Network Security Unit 5.pdf for BCA BBA.
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
cuic standard and advanced reporting.pdf
NewMind AI Monthly Chronicles - July 2025
Unlocking AI with Model Context Protocol (MCP)
Agricultural_Statistics_at_a_Glance_2022_0.pdf
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Dropbox Q2 2025 Financial Results & Investor Presentation
Cloud computing and distributed systems.
Encapsulation theory and applications.pdf
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
20250228 LYD VKU AI Blended-Learning.pptx
Chapter 3 Spatial Domain Image Processing.pdf
Encapsulation_ Review paper, used for researhc scholars
Big Data Technologies - Introduction.pptx

Protecting Our Cyber-Identity in a Physical and Virtual World for IoT Ecosystem

  • 1. Protecting Our Cyber-Identity in a Physical and Virtual World for IoT Ecosystem Valmiki Mukherjee Security Cognizant Chief Security Architect SCX09S @valmikim #CAWorld Gautam Dev Cognizant Venture Leader
  • 2. 2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Abstract We live and work in a cyber-world where our physical entity and logical identities are disjointed and vulnerable. We don’t know how our logical identity and data is being accessed and by who. With the advent of IoT and “Digitization of All Things” business and the proliferation of data, there is even more exposure of this logical persona and potential for a breach. In this presentation we discuss with consideration to IoT: • What really is at stake in terms of enterprise risk, security and privacy • What challenges are experienced and what Security Controls can be put in • What tangible security solutions exist and can be used in an IoT world Gautam Dev Cognizant Venture Leader Valmiki Mukherjee Cognizant Chief Security Architect
  • 3. 3 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Agenda INTERNET OF (SECURE/INSECURE) THINGS WHY IS IOT IMPORTANT AND WHY ACT NOW OPPORTUNITIES FOR IMPROVING IOT SECURITY IOT AND SECURITY AT CROSSROADS BUILDING SECURITY CONTROLS INTO IOT ECOSYSTEM COMPREHENSIVE AND CONVERGED SECURITY - SMAAS 1 2 3 4 5 6
  • 4. 4 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD © 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA. For Informational Purposes Only Terms of this Presentation
  • 5. 5 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD What is Internet of Things Credit: engineering.com The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data.
  • 6. 6 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD IoT Technical Definition  Let’s look at how ITU-T Y.2060 defines the IoT – IoT: a “global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.” – Device: ...“a piece of equipment with the mandatory capabilities of communication and the optional capabilities of sensing, actuation, data capture, data storage and data processing.” – Thing: …“an object of the physical world (physical things) or the information world (virtual things), which is capable of being identified and integrated into communication networks.” Source: ITU-T Y.2060
  • 7. 7 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD Why do we Care About IoT? Credit: IDC/McKinsey Analysis, Information Week If you think you are already living in a connected world, think harder… Chances are that we have underestimated the size and scale of the things to come – with IoT! We are heading towards a hyperconnected world that we have never lived in or seen before
  • 8. 8 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD IoT was not Made for Security So we have - Internet of (Insecure) Things? Constituents of IoT Universe are wildly diverse ranging from simple to very complex These devices were not made with security in mind, or not today’s security in mind Fixed function devices to perform a specific task Despite connectivity reaching IoT devices for anything such as security update is tough Security was not Made for IoT Enterprise Security is typically multilayer/multicomponent Enterprise security is also oriented towards PCs and Servers which won’t even run on IoT devices Basic protective components such as Firewalls are absolutely absent from Embedded devices IoT Devices rely on basic authentication mechanisms & security protocols
• 9. Internet of Things – Risks and Rewards
Major concerns with IoT:
– Does not implement sufficient security
– IT department is not aware of IoT at the workplace
– IoT has reduced privacy
– Cyberattack through hyperconnected IoT devices
Credit: ISACA Survey on Security in IoT
Organizations feel thoroughly underprepared for IoT security
• 10. What is the Risk with IoT Devices?
Understanding the underlying problem with the IoT ecosystem
– Critical functionality: Embedded devices in IoT are not only about smart watches and fitness devices; they manage and monitor critical infrastructure in industry and public life
– Replication: Embedded devices are mass produced and typically similarly configured, hence if a vulnerability is exploited, it is easy to carry out large-scale attacks
– Security assumptions: Embedded device engineers rarely have a security background, and no one historically has assumed that they would be targets of a cyberattack – not cool!
– Not easily patched: They are neither easily patched nor upgraded; they have in fact a very minimal computing and storage footprint, designed for efficiency and longevity
– Long lifecycle: Embedded devices in the IoT ecosystem are designed to last, while the vulnerabilities in cyberspace change every day
– Proprietary/industry-specific protocols: Embedded devices often use specialized protocols that are not recognized and protected by enterprise security tools. Traditional security components are not designed for such protocols.
– Deployed outside of the enterprise security perimeter: Many embedded devices are mobile or are deployed in the field. As a result, these devices may be directly connected to the Internet with none of the protections found in a corporate environment.
• 11. Understanding the IoT Ecosystem Security Protocols
Mapping Enterprise Security Components to IoT (diagram on the slide; labels recovered below)
Device identity interaction: Device Bootstrapping, Device Registration, Device Access, Owner Device AuthN/AuthZ, Device Management, Data/Policy Check, Pub/Sub
– LWM2M / CoAP / credentials / attributes / certs / JWTs
– OAuth2 / JWT / cert AuthN / scope / token validity
Data application and management:
– User registration: REST / JSON
– 3rd party registration: OAuth2 / OIDC
– 3rd party data sharing: OAuth2 / OIDC
– APIs: REST / JSON, OAuth2
• 12. Risks Associated with IoT
How identity could be the key thread (three columns on the slide, each viewed along identity, activity and access)
– Enterprise users as consumers: Consumer IoT, user privacy risk (PII exposure, malicious access to personal data)
– Enterprise users as employees: Enterprise/industrial IoT, enterprise risk (malicious usage of sensor and information)
– Enterprise users as admins/privileged users: IoT administration, infrastructure risk (unintended malicious use of admin access)
• 13. Integrated View of IoT Security Controls
IoT security controls need to span the device itself as well as the environment that the device operates within.
This should also be included in the overall cybersecurity program, with a converged view of all domains interacting with the IoT devices.
CSA Proposed IoT Controls Guidance (Credit: CSA IoT Workgroup)
• 14. Top Recommendations for IoT Security Controls
1. Analyze privacy impacts to stakeholders and adopt a Privacy-by-Design approach to IoT development and deployment
2. Apply a Secure Systems Engineering approach to architecting and deploying a new IoT system
3. Implement layered security protections to defend IoT assets
4. Implement data protection best practices to protect sensitive information
5. Define lifecycle controls for IoT devices
6. Define and implement an authentication/authorization framework for the organization’s IoT deployments
7. Define and implement a logging/audit framework for the organization’s IoT ecosystem
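Slide 11 lists JWT, scope and token validity as the access-control building blocks for device interactions, and recommendations 6 and 7 ask for an authentication/authorization framework and an audit framework. The following is an added example written for this page, not code from the presentation or from Cognizant or CA: a platform-side check that verifies an HS256 device token, maps the requested device operation to a required scope, and writes one audit record per decision. The shared secret, the audience value and the operation-to-scope table are constructed assumptions; the issuer function exists only to produce tokens for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example only. A production platform would
# use a per-device key or, as the slide lists, certificate-based authentication.
DEMO_KEY = b"demo-shared-secret-not-for-production"
EXPECTED_AUD = "iot-platform"   # hypothetical audience claim for the platform

# Hypothetical mapping of the slide's device interactions to OAuth2-style scopes.
REQUIRED_SCOPE = {
    "device:register": "device.register",
    "device:access": "device.read",
    "device:manage": "device.manage",
    "data:publish": "data.write",
}

AUDIT_LOG = []  # stand-in for the logging/audit framework: one record per decision


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input, key):
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_device_token(device_id, scopes, ttl, key=DEMO_KEY, now=None):
    """Mint an HS256 JWT for a device (constructed issuer used to drive the example)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": device_id, "aud": EXPECTED_AUD, "iat": now, "nbf": now,
               "exp": now + ttl, "scope": " ".join(scopes)}
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments)
    return signing_input + "." + _b64url_encode(_sign(signing_input, key))


def _record(decision, now):
    """Append the decision to the audit trail and hand it back unchanged."""
    AUDIT_LOG.append({"ts": now, **decision})
    return decision


def verify_device_token(token, operation, key=DEMO_KEY, now=None):
    """Authorize one device operation. Returns {"allowed", "reason", "sub", "operation"}."""
    now = int(time.time()) if now is None else now
    decision = {"allowed": False, "reason": "", "sub": None, "operation": operation}
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(payload, dict)):
            raise ValueError("header and claims must be JSON objects")
    except ValueError:  # wrong segment count, bad base64, bad JSON or wrong shape
        decision["reason"] = "malformed token"
        return _record(decision, now)
    decision["sub"] = payload.get("sub")
    # Pin the algorithm: the token header must never choose the verification method.
    if header.get("alg") != "HS256":
        decision["reason"] = "unexpected alg"
        return _record(decision, now)
    expected = _sign(f"{header_b64}.{payload_b64}", key)
    if not hmac.compare_digest(expected, signature):
        decision["reason"] = "bad signature"
        return _record(decision, now)
    # Token validity window: exp is mandatory here, nbf is honoured when present.
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        decision["reason"] = "token expired"
        return _record(decision, now)
    if now < payload.get("nbf", now):
        decision["reason"] = "token not yet valid"
        return _record(decision, now)
    if payload.get("aud") != EXPECTED_AUD:
        decision["reason"] = "wrong audience"
        return _record(decision, now)
    required = REQUIRED_SCOPE.get(operation)
    if required is None:
        decision["reason"] = "unknown operation"
        return _record(decision, now)
    if required not in set(payload.get("scope", "").split()):
        decision["reason"] = "insufficient scope"
        return _record(decision, now)
    decision["allowed"] = True
    decision["reason"] = "ok"
    return _record(decision, now)


if __name__ == "__main__":
    token = issue_device_token("sensor-7", ["device.read", "data.write"], ttl=300)
    print(verify_device_token(token, "data:publish"))   # allowed
    print(verify_device_token(token, "device:manage"))  # insufficient scope
    print(AUDIT_LOG)
```

The order of checks matters: the signature is verified before any claim is trusted, the algorithm is fixed by the verifier rather than read from the header, and every outcome, allowed or not, lands in the audit trail with the device subject and the operation it asked for.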
• 15. Security Solution Framework for Recommended Controls
From Controls to a Practical Solution: a comprehensive and converged view of a security solution for the IoT ecosystem (the slide lays the items out as a Control/Solution matrix under the headings Infrastructure Protection, Identity and Access Control, and Common Data Exchange Interface)
– Integrate IoT into existing IAM and GRC platforms
– Change default passwords for administrative access
– AAA schemes based on system-level threat models
– Utilize smart phones for multifactor authentication
– Reference architecture with ITU-T Y.2060
– PKI updates with rollout of device certificates
– Provide consumer preference and consent management
– Integrate physical access control systems with IAM
– Restrictive controls for device transactions
– Implement privileged access management for administrators
– Develop a well-articulated incident response plan
– Establish people and device relationships
– Monitor devices and their usage behavior
– Develop context-based AAA for sensor nodes
– Leverage IoT standards/protocols for security controls
– Use entity analytics to fine-tune control measures
– Build secure default configuration
– Enable kill switches to take rogue devices off the network
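Three of the solution items on slide 15 (change default passwords, monitor devices and their usage behavior, enable kill switches for rogue devices) can be shown together in one small control loop. The example below is added for this page and is not code from the presentation or from Cognizant or CA: a device registry that refuses enrolment with a known default credential, learns a per-device baseline of message rate and peers from a trusted learning period, and quarantines a device whose next interval deviates from that baseline. The default-credential list, the 3x rate threshold, the device names and the peer addresses are all constructed for the demonstration.

```python
# Constructed sample of factory-default credential pairs; a real check would use
# the vendors' documented defaults for the device models being enrolled.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}

RATE_MULTIPLIER = 3.0   # hypothetical threshold: flag an interval above 3x the learned rate


class DeviceRegistry:
    """Registration gate plus per-device behaviour baseline and kill switch."""

    def __init__(self):
        self.devices = {}   # device_id -> {"status", "baseline_rate", "baseline_peers"}
        self.events = []    # audit trail of control actions: (action, device_id, detail)

    def register(self, device_id, username, password):
        """Enrol a device only if its admin credential is not a known default."""
        if (username, password) in DEFAULT_CREDENTIALS:
            self.events.append(("register_refused", device_id, "default credential"))
            return False
        self.devices[device_id] = {"status": "active", "baseline_rate": None,
                                   "baseline_peers": set()}
        self.events.append(("registered", device_id, "ok"))
        return True

    def learn_baseline(self, device_id, windows):
        """windows: (message_count, peers) per fixed interval from a trusted learning period."""
        dev = self.devices[device_id]
        dev["baseline_rate"] = sum(count for count, _ in windows) / len(windows)
        for _, peers in windows:
            dev["baseline_peers"].update(peers)

    def observe(self, device_id, message_count, peers):
        """Compare one new interval with the baseline; quarantine on deviation.
        Returns the device status after the check."""
        dev = self.devices[device_id]
        if dev["status"] != "active":
            return dev["status"]          # already off the network; nothing to re-decide
        if dev["baseline_rate"] is None:
            raise ValueError("no baseline learned for %s" % device_id)
        reasons = []
        if message_count > RATE_MULTIPLIER * dev["baseline_rate"]:
            reasons.append("rate %d exceeds %.0fx baseline %.1f"
                           % (message_count, RATE_MULTIPLIER, dev["baseline_rate"]))
        unknown = set(peers) - dev["baseline_peers"]
        if unknown:
            reasons.append("new peers %s" % sorted(unknown))
        if reasons:
            self.kill_switch(device_id, "; ".join(reasons))
        return dev["status"]

    def kill_switch(self, device_id, reason):
        """Stand-in for the network kill switch: mark the device quarantined so the
        gateway stops forwarding its traffic, and record why."""
        self.devices[device_id]["status"] = "quarantined"
        self.events.append(("quarantined", device_id, reason))


def demo():
    """Constructed scenario: two devices, one well-behaved and one turning rogue."""
    reg = DeviceRegistry()
    reg.register("sensor-7", "admin", "admin")            # refused: default credential
    reg.register("sensor-7", "ops", "S3ns0r-unique-pw")   # accepted
    reg.register("cam-2", "ops", "C4m-unique-pw")
    learning = [(10, {"broker.internal"}), (12, {"broker.internal"}),
                (8, {"broker.internal", "ntp.internal"})]
    reg.learn_baseline("sensor-7", learning)
    reg.learn_baseline("cam-2", learning)
    results = {
        "sensor_normal": reg.observe("sensor-7", 11, {"broker.internal"}),
        # talks to an address never seen while learning (constructed TEST-NET-2 address)
        "sensor_new_peer": reg.observe("sensor-7", 9, {"broker.internal", "198.51.100.23"}),
        "cam_burst": reg.observe("cam-2", 40, {"broker.internal"}),
    }
    return reg, results


if __name__ == "__main__":
    registry, outcome = demo()
    print(outcome)
    for event in registry.events:
        print(event)
```

The learning period must come from a window the operator trusts, otherwise a device that was already misbehaving teaches the registry its bad behaviour as the norm; that is the reason the baseline is loaded explicitly rather than accumulated from whatever traffic arrives first.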
• 16. Cognizant’s Answer to Today’s Risk Landscape
Help current technologies run better
Domains: IAM, Data Protection, Application Security, Audit & Logging Management, Integrated Threat & Vulnerability Management
– Entity, Access and Activity Warehouse
– User & Resource Behavior Profiling
– Anomaly Detection and Self Learning
– Integrated Threat Engine
– Identity Centric Access Analytics
– Enterprise Policy Enforcement
– Governance, Risk and Compliance
– Actionable Risk Prevention and Remediation
– Real-time Activity Monitoring
– Risk Based Decision Support and 360° Validation
• 17. SMaaS Suite Technology Components
Critical packs powered by CA Security Solutions
– Id Intelligence Pack (Actionable Risk Intelligence): Anomaly Detection; Behavioral Patterns; Predictive Self Learning; Threat Intelligence; Identity, Activity and Access Warehouse
– Access Pack (Risk Based Fine-grained Access Mgmt.): Enterprise Policies; Certified User Access; Dynamic Access Policies; Fine-grained Authorization Policy; SMaaRT Role Based Access Control; Risk Based Access Control; Certified and Trusted Users and Entitlements
– Federation Pack (Industry Wide Trusted IdP & SP Services): Identity Proofed Users; SP and IdP Services; Standards based Federated SSO; Cloud and on Premise integration; Multifactor and Risk based AuthN/AuthZ; Certified and Trusted Users and Entitlements
– Control Pack (Bottom Up GRC Policy Enforcement): Pre-packaged Compliance Standards; Integrated Policy Management Framework; Bottom up Policy mapping and enforcement; Actionable GRC Index; Controls and Policy Repository
– Data Pack (Risk based Data Protection): Data at rest Protection (obfuscation & encryption); Realtime and Runtime data protection; Data desensitization and redaction; Application based data solutions; Data Controls and Access Policy Repository
– End Point Pack (Risk based End Point Protection): Cyber Threat Intelligence; Asset Inventory and Policy Repository; Endpoint System Management; Advanced Threat Prevention; Endpoint Remediation; Endpoint Incident Response
• 18. Next Generation MSSP Follows Assurance
Traditional MSSP model: follows operations (Security Operations Center)
Cognizant Security Assurance Center model: focus on assurance based on prevention and remediation (Security Assurance Center)
Supported by the Cognizant Security Assurance Center:
– IT Security Assurance Services
– Data Assurance Service
– NextGen SOC Services
– GRC Assurance Services
– Application Security Maturity Center
Risk prevention and information security platforms: SMaaS, Data Obscure
Realtime assurance dashboards: C-Level Dashboard, Operational Dashboard, Investigative Dashboard, Analyst Dashboard
Customer IT and security operations data (authoritative sources): Application Data, Security Data, IT Infra Data
• 19. Summary – A Few Words to Review
IoT security is a key issue and a real challenge
– IoT devices and the ecosystem were not built with security in mind
– Enterprise security needs to be adapted to embrace IoT
IoT security needs comprehensive support
– IoT is an ecosystem, and there needs to be conscious and concerted support towards convergence of security protocols and approaches
– Cognizant and CA combined have a comprehensive solution
IoT security can be improved significantly
– IoT security can be significantly improved by partnering with device engineers and supporting the ecosystem in adopting a converged security view with identity at the center
• 20. About Cognizant
• 21. Who we are
– Founded in 1994 (CTSH, Nasdaq)
– Headquarters: Teaneck, NJ
– 75+ Global Delivery Centers
– 20,000+ projects in 40 countries
– Revenue $10.26b in 2014 (up 20.4% YoY); Q2 2014: $2.52b
– 25+ regional sales offices
– Revenue mix (H1 2014): NA 76.2%, Europe 19%, RoW 4.8%
– 220,000+ employees (Sep 2015)
– 1,242 active customers
• 22. Security Service Lines
Enterprise Risk and Security Solutions (ERSS) Venture is the EBA business unit focused on delivering Security and Risk Management solutions at Cognizant
Service lines: Data Security, Security Assessment, Integrated Threat Management, Identity and Access Management, GRC
Also on the slide: SMaaS, ASMC, Data Obscure, UMaaS, ACCERT; Enterprise Partnerships; Service Partnerships
– 10+ avg. years experience
– 1300+ security consultants
– 300+ projects executed
– 300+ CISA, CISM, CISSP, CEH and vendor certified associates
– 250+ network security trained associates
– 80+ data security analysts, architects and consultants
– 100+ GRC vendor certified security analysts, architects and consultants
• 23. Credentials in the Market
SMaaS Accreditation; Event Presence; Analyst Briefing; Endorsements
• 24. Recommended Sessions
– SCT31T: Tech Talk: Knock, Knock – the IoT wants to come in? (11/18/2015 at 03:45 pm)
– SCT05S: Roadmap: CA Advanced Authentication and CA Single Sign-On (11/18/2015 at 04:30 pm)
– SCT02S: Keynote: Looking Beyond the Threat (11/19/2015 at 10:30 am)
• 25. Must See Demos
– Security Innovations (Security Theater)
– Enable a Secure Digital Workspace: CA SSO, APIM (Security Theater)
– Engage Customers: CA SSO (Security Theater)
– Protect Against Fraud & Breaches: CA Advanced Auth (Security Theater)
• 26. Q & A
• 27. For More Information
To learn more, please visit: http://cainc.to/Nv2VOe
CA World ’15