
Are you in control of your IoT devices? Have you invested in their security or will they turn against you?

July 29th, 2020, Marcelo Lorenzati

Introduction

In this article we will talk about the conception of IoT, its adoption and growth, and how security has been a recurring concern for its use in industry, home, health and IT, mainly due to the major security failures seen in the news. We will show the security risks and how the industry has started to invest in mitigating them systematically, from edge to cloud, with different platforms and security components.

Ready or not, IoT is here now

IoT is an umbrella term, coined by Kevin Ashton in 1999, for connected digital and physical components. A lot has happened since it started as a single-purpose embedded system connected to the internet: it has grown into a complex network of connected objects that collect and exchange data, with rules and actions coordinated through cloud platforms.

According to Gartner and Leftronic, there were around 20 to 26 billion active IoT devices as of August 2019, with an estimated 41 billion by 2027 and 127 more added every second. Its market size for 2021 is projected to be around $520 billion.

Attention also has to be paid to the Hype Cycle for the IoT. The days of toying with the technology have given way to adoption: 65% as of 2020, with estimates of 90% for enterprises, 80% for manufacturing and a concerning 90% of cars connected.

As seen in the Gartner Hype Cycle figure, even though IoT has reached the productivity stage, security is at the peak of inflated expectations and Mobile Device Management is still in the innovation stage.

Image source: Gartner Hype Cycle 2019

In addition, according to Gartner, IoT security spending is not growing at the same rate as device growth, which means less effort goes into securing the IoT systems that are being left connected.

Image source: TelecomTV, IoT security spending vs device growth

These conditions set the scene for a potential risk that needs to be mitigated or managed.

Present security risks on IoT

According to OWASP (the Open Web Application Security Project, a nonprofit foundation that works to improve the security of software), the Top 10 IoT vulnerabilities have not changed much since 2018, and only a little since 2014.

  1. Weak, guessable, or hard-coded passwords: most IoT systems ship with a default "admin" password that the user is expected to change and that can easily be brute-forced.

  2. Insecure or unneeded network services: IoT vendors leave services such as Bonjour (mDNS) enabled that may not be in use and that compromise confidentiality and authenticity.

  3. Insecure ecosystem interfaces: insecure backend APIs, cloud and mobile interfaces in the ecosystem that allow compromising the device.

  4. Lack of a secure update mechanism: no updates for critical, widely known issues; insecure or unnotified updates.

  5. Use of insecure or outdated components: outdated protocols such as FTP compromise privacy and authenticity.

  6. Insufficient privacy protection: user personal information stored on the device or in the ecosystem is used insecurely or improperly, without permission.

  7. Insecure data transfer and storage: lack of encryption in transit, during processing or at rest.

  8. Lack of device management: lack of asset management for updates, decommissioning and monitoring.

  9. Insecure default settings: devices shipped with insecure settings and without the means to make the system safe.

  10. Lack of physical hardening: lack of countermeasures to prevent tampering with the device in order to extract sensitive information or take control of it.

Some up-to-date attacks and vulnerabilities

The IoT world offers exciting new opportunities in many market segments such as banking, retail, healthcare, manufacturing, transportation and telecommunications, but the industry has to face some of its current security shortcomings.

There are plenty of examples:

  • The hacked smart gun that can be fired without authorisation (2017), or the car engine that can be killed remotely (two clear cases of OWASP IoT #2 / #5 / #7)
  • The major British NHS ransomware attack, largely due to thousands of outdated IoT devices connected to the IT network (OWASP #4 / #5)
  • A botnet of hundreds of thousands of IP cameras used to mount a DDoS against major ISPs and DNS providers (mainly due to OWASP #1 / #4 / #5)
  • The fitness tracking app that exposed sensitive information about military base locations (OWASP #6 / #9)
  • Vulnerable smart irrigation systems in urban water services that can be activated in a distributed way by impersonating the cloud service with a replay attack, potentially leading to water shortages (OWASP #2 / #3 / #5)
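The replay attack from the irrigation case above, as an added example that is not part of the original article. It contrasts a command channel that only authenticates messages (an HMAC over the command, which a captured message keeps forever) with one that also binds every message to a monotonic counter the valve controller persists, so that a recorded OPEN cannot be played back. The shared key, the message layout and the Valve type are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Key shared between the cloud service and one valve controller. On a real
// device it lives in a secure element; a constant keeps this example offline.
var deviceKey = []byte("constructed-irrigation-device-key")

// mac returns hex(HMAC-SHA256(key, payload)).
func mac(key []byte, payload string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(payload))
	return hex.EncodeToString(h.Sum(nil))
}

// Weak scheme, "<command>|<mac>": the MAC proves the sender knows the key,
// but nothing ties the message to a moment in time, so a captured message
// stays valid forever and can be resent by anyone who sniffed it.
func weakSign(cmd string) string { return cmd + "|" + mac(deviceKey, cmd) }

func weakVerify(msg string) bool {
	parts := strings.SplitN(msg, "|", 2)
	return len(parts) == 2 && hmac.Equal([]byte(parts[1]), []byte(mac(deviceKey, parts[0])))
}

// Hardened scheme, "<counter>|<command>|<mac>" with the MAC over "<counter>|<command>".
// The valve remembers the highest counter it has accepted; anything at or
// below it is a replay and is dropped even though its MAC verifies.
type Valve struct {
	lastCounter uint64
	opens       int
}

func sign(counter uint64, cmd string) string {
	body := strconv.FormatUint(counter, 10) + "|" + cmd
	return body + "|" + mac(deviceKey, body)
}

// Accept checks authenticity first, then freshness, and only then executes.
func (v *Valve) Accept(msg string) error {
	parts := strings.SplitN(msg, "|", 3)
	if len(parts) != 3 {
		return fmt.Errorf("malformed message")
	}
	body := parts[0] + "|" + parts[1]
	if !hmac.Equal([]byte(parts[2]), []byte(mac(deviceKey, body))) {
		return fmt.Errorf("bad MAC")
	}
	counter, err := strconv.ParseUint(parts[0], 10, 64)
	if err != nil {
		return fmt.Errorf("bad counter")
	}
	if counter <= v.lastCounter {
		return fmt.Errorf("replay: counter %d <= last accepted %d", counter, v.lastCounter)
	}
	v.lastCounter = counter // on a real device this goes to non-volatile storage
	if parts[1] == "OPEN" {
		v.opens++
	}
	return nil
}

func main() {
	// Weak scheme: the attacker records one legitimate OPEN and resends it.
	captured := weakSign("OPEN")
	fmt.Println("weak, original:", weakVerify(captured))
	fmt.Println("weak, replayed:", weakVerify(captured)) // true: the replay succeeds

	// Hardened scheme: the same replay is refused; the next command still works.
	v := &Valve{}
	captured = sign(1, "OPEN")
	fmt.Println("hardened, original:", v.Accept(captured))
	fmt.Println("hardened, replayed:", v.Accept(captured))
	fmt.Println("hardened, next:", v.Accept(sign(2, "CLOSE")))
	fmt.Println("OPEN commands executed:", v.opens)
}
```

A counter is the simplest freshness mechanism, and it has two caveats a practitioner should keep in mind: it must survive reboots (otherwise old messages become replayable again after a power cycle), and it drops messages delivered out of order. A timestamp with an acceptance window, or a nonce issued by the device, are the usual alternatives when the transport can reorder messages.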

The reality is that we are still surrounded by IoT devices whose last firmware update may be at least four years old, while new vulnerabilities are discovered every day in the critical components these devices use. A question for the reader: when was the last time you updated your router or wireless printer firmware?

How we address security, leveraging available technology advances and balancing the spending on mitigating risk, is what will bring the equation down to an acceptable level.

Options to tackle security

Before using many of the technologies available to manage security, it is necessary to understand the concept of Defence in Depth: a layered protection that administers and mitigates risk and seeks to reduce damage by providing more opportunities to contain a threat between layers.

Many of the security tools will sit at specific points in these layers, focusing on breaking what is known as the Cyber Kill Chain, a model based on the military definition of the stages of an attack, adapted to cyber warfare. Each of those stages has countermeasures that mitigate it.

Image based on: Lockheed Martin Cyber Kill Chain

In addition, it is important to understand some considerations that affect the security management of these systems:

  • IoT interacts with the physical and the digital world in ways conventional IT devices do not (e.g. the public irrigation systems mentioned above).
  • Many IoT devices, by nature, lack the centralised access, management or monitoring that IT devices have.
  • Many IoT devices trade security for availability, efficiency and effectiveness in pursuit of their primary goal.

With an understanding of the layered approach and the countermeasures for each stage, we can now focus on the specific solutions from different vendors.

IoT Platform solutions

These solutions manage the whole complexity of connecting hardware, sensors, things and devices to the cloud, with multiple services and communication protocols, so that data can be collected and visualised securely and rules and actions executed with effect on the targets.

Security in the following solutions is managed systemically in each of their parts, honouring a defence in depth strategy.

AWS IoT

Image source: AWS IoT Cloud Stack

Presented at the 2015 re:Invent event, AWS IoT is a managed cloud platform focused on easy and secure connectivity and interoperability of things, such as sensors, actuators, embedded systems and smart appliances, with the cloud services.

It is comprised of several core components, such as Device Gateway, Device Shadow, Device Provisioning Service, Device Registry and Device Defender, explained below:

  • Device Gateway: the backbone of the access management effort. It secures the communication of mid- to low-end connected devices with the cloud capabilities, allowing secure, low-latency, low-overhead, bi-directional communication; low-end devices can reach it through an edge device using relaxed security protocols.

    Additionally it can leverage features like the Rules Engine to allow local monitoring, vulnerability management and device security incident detection.

  • Device Shadow: targets data security and protection by giving access to a cloud representation of the device data, so that it can be accessed safely with privacy concerns such as PII (Personally Identifiable Information) in mind.

  • Device Provisioning Service: one of the main sources of vulnerability is outdated software, and since vulnerabilities are fixed periodically it is fundamental to provide a mechanism to update parts of, or the full, software stack. Device provisioning manages templates of the software resources a device requires, together with the certificates and policies needed to apply those templates.

    The means to execute the policy are OTA (Over the Air) updates, which deliver firmware and application software to the device. The device has to run an OTA update manager service to receive the payload.

  • Device Registry: to allow policy management on the devices, each device has to be associated with a specific inventory. This happens at device registration and association, where every device is assigned a specific ID. Combined with the Fleet Indexing service, this allows batch jobs that apply policies to a group of devices.

  • Device Defender: the main role of this fully managed service is to audit device events, identify security issues, alert and respond; it plays the role of a Security Information and Event Management (SIEM) service for the fleet. It also has a local presence in the target device firmware, such as in FreeRTOS for AWS.

  • Greengrass: software that lets you run and extend core AWS IoT service capabilities locally on an edge device. It has multiple security features, such as Identity and Access Management (IAM), compliance validation, and configuration and vulnerability analysis.

Azure IoT

Image source: Azure IoT Cloud Stack

On February 3, 2016, Microsoft unveiled its strategy to compete in IoT management, presenting its solution: a collection of Microsoft-managed cloud services that connect, monitor, and control billions of IoT assets.

Its main components are IoT Hub, Azure Sphere, Azure IoT Edge and Azure Sentinel, detailed below.

  • IoT Hub: the cornerstone of the solution, focusing on secure connection, provisioning, monitoring and update of the devices.

    Some security aspects:

    - Bidirectional communication between device and backend, with extensible protocol support through the Azure IoT Protocol Gateway

    - Per-device mutual authentication with strong credentials (device attestation), through per-device tokens and X.509 certificates

    - Access right revocation management to allow system sanitisation

    - Strong monitoring of device events to identify threats and operational issues (detect and destroy)

  • Azure Sphere: a high-level application stack that provides communication and security features for interconnected devices. It covers the OS (Azure Sphere OS) for hardware built on secured silicon such as the MediaTek MT3620, which implements the Azure Sphere certification, and the Azure Sphere Security Service (AS3), a cloud-based service that enables maintenance, updates and control for Azure Sphere-certified chips.

    This ensures secure boot and secure communication with other devices and services. It can cover both greenfield and brownfield implementations.

  • Azure IoT Edge: allows moving cloud business logic to the edge, locally managing thing connectivity and data, reducing bandwidth cost and large data transfers to the cloud.

  • Azure Sentinel: as stated by Microsoft, a scalable, cloud-native SIEM and Security Orchestration, Automation and Response (SOAR) solution with AI-assisted threat investigation capabilities. It covers the whole set of requirements of a Detection and Response Team (DART) detecting and responding to events.
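The per-device token mechanism in the IoT Hub bullet, as an added example that is not Microsoft's code. The device builds a SAS token in the format Azure IoT Hub uses, from the symmetric key it was provisioned with; the hub side checks the expiry, takes the device ID from the token's resource to select that device's key, refuses devices that have been disabled (the revocation step, which needs no re-keying), and finally re-derives the signature. The hub name, the device IDs and the keys are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Token format: SharedAccessSignature sr=<urlencoded resource>&sig=<urlencoded signature>&se=<expiry>
// with signature = base64(HMAC-SHA256(base64decode(deviceKey), urlencoded resource + "\n" + expiry)).
// The resource is "<hub host>/devices/<deviceId>", so a token authenticates exactly one device.
const hubHost = "example-hub.azure-devices.net" // assumed hub name

// Constructed device keys, base64 as the hub would hand them out at provisioning.
var (
	devKey1 = base64.StdEncoding.EncodeToString([]byte("constructed-key-device-1"))
	devKey2 = base64.StdEncoding.EncodeToString([]byte("constructed-key-device-2"))
)

func signature(key []byte, encodedResource, expiry string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(encodedResource + "\n" + expiry))
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// makeToken runs on the device, using the key it was provisioned with.
func makeToken(deviceID, deviceKey string, expiry time.Time) (string, error) {
	key, err := base64.StdEncoding.DecodeString(deviceKey)
	if err != nil {
		return "", err
	}
	resource := url.QueryEscape(hubHost + "/devices/" + deviceID)
	se := strconv.FormatInt(expiry.Unix(), 10)
	return fmt.Sprintf("SharedAccessSignature sr=%s&sig=%s&se=%s",
		resource, url.QueryEscape(signature(key, resource, se)), se), nil
}

// Registry is the hub's view of the fleet: one key per device and an enabled
// flag, which is how a device's access is revoked without re-keying anything.
type Registry struct {
	keys    map[string]string
	enabled map[string]bool
}

func newRegistry() *Registry {
	return &Registry{
		keys:    map[string]string{"dev-1": devKey1, "dev-2": devKey2},
		enabled: map[string]bool{"dev-1": true, "dev-2": true},
	}
}

// Authenticate is the hub side. It returns the device ID the token proves, or
// the reason it was rejected. now is a parameter so that expiry can be tested.
func (r *Registry) Authenticate(token string, now time.Time) (string, error) {
	fields, err := url.ParseQuery(strings.TrimPrefix(token, "SharedAccessSignature "))
	if err != nil {
		return "", err
	}
	sr, sig, se := fields.Get("sr"), fields.Get("sig"), fields.Get("se")
	exp, err := strconv.ParseInt(se, 10, 64)
	if err != nil || now.Unix() >= exp {
		return "", fmt.Errorf("token expired or has no valid expiry")
	}
	// The device ID comes from the resource and selects the key, so a leaked
	// key impersonates that one device and nothing else.
	parts := strings.SplitN(sr, "/devices/", 2)
	if len(parts) != 2 || parts[0] != hubHost {
		return "", fmt.Errorf("resource %q is not a device of this hub", sr)
	}
	deviceID := parts[1]
	encodedKey, known := r.keys[deviceID]
	if !known || !r.enabled[deviceID] {
		return "", fmt.Errorf("device %q is unknown or disabled", deviceID)
	}
	key, _ := base64.StdEncoding.DecodeString(encodedKey) // registry keys are validated on enrolment
	// Re-derive the signature from the presented fields and compare in constant time.
	if !hmac.Equal([]byte(sig), []byte(signature(key, url.QueryEscape(sr), se))) {
		return "", fmt.Errorf("signature mismatch for device %q", deviceID)
	}
	return deviceID, nil
}

func main() {
	reg, now := newRegistry(), time.Now()
	token, _ := makeToken("dev-1", devKey1, now.Add(time.Hour))
	fmt.Println(reg.Authenticate(token, now))                                       // dev-1 <nil>
	fmt.Println(reg.Authenticate(token, now.Add(2*time.Hour)))                      // expired
	fmt.Println(reg.Authenticate(strings.Replace(token, "dev-1", "dev-2", 1), now)) // dev-2's resource, dev-1's signature
	reg.enabled["dev-1"] = false                                                    // revocation: flip a flag
	fmt.Println(reg.Authenticate(token, now))                                       // disabled
}
```

Two properties of this scheme matter for the "revocation" bullet: the hub never stores the token, only the key and a flag, so disabling a device invalidates every token it could present; and a token can only be minted for the resource its key belongs to, so one compromised device key does not let an attacker speak for the rest of the fleet.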

Google Cloud Platform IoT

Image source: GCP IoT Cloud Stack

Google's vision of IoT is formed by an IoT Core and multiple services and components:

  • The Cloud Pub/Sub system, which (through IoT Core) connects devices to the cloud.

    It follows basic security recommendations such as certificate-based authentication (mTLS), where the device identifies itself with a certificate previously signed by a certificate authority the cloud side trusts. This is an improvement over plain TLS, which only secures the data in transit: it gives secure identification of both ends and allows revoking rejected devices, at the cost of the logistics of delivering a certificate to each device.

  • Device Manager lets you create and configure device registries and the devices within them. It can be used through the Cloud Platform Console, gcloud commands, or the REST-style API.

    The Device Manager is responsible for the identification, configuration, access control and state of the device.

  • Dataflow, AI and ML allow data transformation, representation and actions.

  • Android Things is Google's OS approach for edge computing. It provides a secure OS that runs only on certified hardware, and bundles applications for on-device intelligence and connection to the whole Cloud IoT Platform.
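The mTLS flow of the Pub/Sub bullet, as an added example that is not Google's code. A private CA issues a broker certificate and a device certificate; the broker requires a client certificate that chains to that CA and takes the device identity from the certificate it validated, not from anything the device claims; a device certificate from a different CA, even with the same name and serial, is refused, and a device that trusts a different CA refuses the broker in turn. The CA, the names and serials and the loopback address are assumptions for the example, and the broker is an HTTPS test server only to keep the code short (a real broker would speak MQTT over the same TLS configuration).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue creates a certificate for cn, self-signed when isCA and otherwise signed
// with parent's key. A failure here means the local PKI is broken, hence the panic.
func issue(cn string, serial int64, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the broker is reached on loopback
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
	}
	signer, signerKey := tmpl, interface{}(key) // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// trust is the pool both sides validate against: only the private CA, no public roots.
func trust(ca tls.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return pool
}

// startBroker is the cloud side. The handshake fails unless the device presents
// a certificate issued by ca; the reply carries the identity taken from that
// validated certificate, which is what the broker would key its registry on.
func startBroker(ca, serverCert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "ack %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trust(ca),
	}
	srv.StartTLS()
	return srv
}

// connect is the device side: it authenticates the broker against ca, presents
// its own certificate and returns the broker's reply or the TLS error.
func connect(url string, ca, device tls.Certificate) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:      trust(ca),
		Certificates: []tls.Certificate{device},
	}}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	ca := issue("example-iot-ca", 1, true, nil)
	broker := startBroker(ca, issue("broker", 2, false, &ca))
	defer broker.Close()
	rogueCA := issue("rogue-ca", 1, true, nil)
	fmt.Println(connect(broker.URL, ca, issue("device-0001", 3, false, &ca)))      // ack device-0001 <nil>
	fmt.Println(connect(broker.URL, ca, issue("device-0001", 3, false, &rogueCA))) // error: tls: bad certificate
}
```

The logistics the bullet mentions are visible here: every device needs its own certificate and key delivered or generated at provisioning time, and the broker needs the CA certificate and nothing else. Revocation is not shown; in production it is done through a CRL or OCSP check, or by consulting the device registry in a VerifyPeerCertificate hook after chain validation, so that a device whose key leaked can be cut off without rotating the CA.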

IoT Target solutions

To ensure a certain level of security for the whole IoT system, every link in the chain must be secured, and the most critical one is the security of the device itself.

The device is the most exposed to threats such as tampering and attacks on its surface, which call for countermeasures to secure the assets on the device.

  • Crypto solution: a crypto solution allows delegating trust and authentication separately from the manufacturing process of the device.

    It also allows the use of pre-provisioned private keys, hardware-accelerated cryptography and a secure key store. This covers protection against tampering, spoofing and information disclosure.

    Some examples are the Trust&GO ATECC608A secure element from Microchip for Google IoT Core secure authentication, the Crypto Acceleration Unit present in the NXP ColdFire, or the TI Sitara AM335x Cortex with hardware-based security accelerators.

  • Secure enclave: a separate MCU or engine isolated from the main processor core and peripherals, which requires a secure, cryptography-based communication mechanism. An example is the ARM iSIM, which defines a secure, tamper-resistant enclave for a SIM (Subscriber Identity Module) at the heart of a device SoC, making it compliant with the IoT SAFE standard (IoT SIM Applet For Secure End-2-End Communication) and allowing secure transfer, data protection and spoofing protection.

  • Secure boot: the root of trust, and a cornerstone of an electronic device's trustworthiness, is starting the OS from a well-known state. For that, trusted software whose signature the MCU can validate is fundamental, as is continuously checking the integrity of the software.

    MAX32590: this MCU bundles OTP memory for critical functions, a secure boot loader with public key authentication, crypto acceleration, AES key storage, a secure keypad controller and real-time external memory encryption to avoid memory tampering.

Image source: Maxim Integrated MAX32590 functional diagram

CEC1702: this ARM Cortex-M4 MCU has cryptographic acceleration and firmware validation with digital signatures, both for the programs it runs internally and externally, as a crypto coprocessor that monitors other SoCs running trusted software.

Image source: Microchip CEC1702 solution integration
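Signature validation of a firmware image, as an added example that is not vendor code, covering both the OTA update mechanism described in the AWS section and the Secure boot bullet above. The image carries a version header and an Ed25519 signature over header and payload; the bootloader checks the signature against the public key it holds in ROM/OTP before trusting any header field, and then enforces anti-rollback with a monotonic minimum version, so that a validly signed but older image with known vulnerabilities cannot be re-flashed. The image format, the key material and the Bootloader type are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout, as the vendor's signing step would emit it:
//   "FWIM" | version (uint32, big-endian) | payload | 64-byte Ed25519 signature
// The signature covers everything before it, header included.
const magic = "FWIM"

// Vendor key derived deterministically from a constructed seed (not a real key).
var (
	vendorSeed = sha256.Sum256([]byte("constructed vendor signing seed"))
	vendorKey  = ed25519.NewKeyFromSeed(vendorSeed[:])
	vendorPub  = vendorKey.Public().(ed25519.PublicKey) // what the MCU holds in ROM/OTP
)

// signImage is the vendor / OTA service side.
func signImage(version uint32, payload []byte, key ed25519.PrivateKey) []byte {
	img := make([]byte, 0, len(magic)+4+len(payload)+ed25519.SignatureSize)
	img = append(img, magic...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	img = append(img, v[:]...)
	img = append(img, payload...)
	return append(img, ed25519.Sign(key, img)...)
}

// Bootloader is the device side: the trusted public key and the highest version
// ever booted, which on real silicon is a monotonic counter in eFuses/OTP.
type Bootloader struct {
	TrustedPub ed25519.PublicKey
	MinVersion uint32
}

var (
	ErrFormat    = errors.New("not a firmware image")
	ErrSignature = errors.New("signature invalid: image tampered or not from the vendor")
	ErrRollback  = errors.New("anti-rollback: image older than the running firmware")
)

// Verify returns the version and payload of an image the bootloader would run,
// or the reason it refuses. The rollback counter only advances on success.
func (b *Bootloader) Verify(img []byte) (uint32, []byte, error) {
	hdr := len(magic) + 4
	if len(img) < hdr+ed25519.SignatureSize || string(img[:len(magic)]) != magic {
		return 0, nil, ErrFormat
	}
	body, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	// Signature first: nothing in the header is trusted until it verifies.
	if !ed25519.Verify(b.TrustedPub, body, sig) {
		return 0, nil, ErrSignature
	}
	version := binary.BigEndian.Uint32(body[len(magic):hdr])
	if version < b.MinVersion {
		return 0, nil, ErrRollback
	}
	b.MinVersion = version
	return version, body[hdr:], nil
}

func main() {
	bl := &Bootloader{TrustedPub: vendorPub, MinVersion: 1}
	good := signImage(2, []byte("application v2"), vendorKey)
	version, payload, err := bl.Verify(good)
	fmt.Println("good:", version, string(payload), err)

	tampered := append([]byte(nil), good...)
	tampered[len(magic)+4] ^= 0x01 // one bit of the payload flipped
	_, _, err = bl.Verify(tampered)
	fmt.Println("tampered:", err)

	_, _, err = bl.Verify(signImage(1, []byte("application v1"), vendorKey))
	fmt.Println("rollback:", err) // validly signed, but older than the v2 already booted

	attackerSeed := sha256.Sum256([]byte("attacker seed"))
	_, _, err = bl.Verify(signImage(3, []byte("implant"), ed25519.NewKeyFromSeed(attackerSeed[:])))
	fmt.Println("forged:", err)
}
```

The order of the checks is the point: if the version field were read before the signature, or sat outside the signed region, an attacker could relabel an old vulnerable image as new and pass the rollback check with a signature that is still the vendor's. The same verification applies to an OTA payload before it is written to flash and to the image in flash at every boot; only the place where the minimum version is stored differs, and on real hardware it has to be somewhere that rewriting flash cannot wind back.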

Edge security solutions

These are the solutions and practices to secure network nodes outside the network core. The edge requires the same fundamental security principles as the core network: all of the network must be visible and manageable to administrators, with assurance that access to manipulate data and network resources is restricted. Several aspects can be covered in edge security, such as:

  • Perimeter security, which manages not only a secure communication channel but also adds firewalls and access control. Nowadays it is covered by a category called Secure Access Service Edge (SASE).

  • Application security: edge applications must be controlled for integrity, validity and change prevention; to mention one product, McAfee offers the Solidcore solution, which integrates with the OS to monitor file integrity, change and reconciliation.

  • Threat detection: threat intelligence tools use global security intelligence to detect malicious activity inside a private edge network.

  • Vulnerability management: the practice of identifying known and unknown (zero-day) vulnerabilities and acting on them to mitigate them.

  • Automatic patching cycle: this involves software inventory management and monitoring the versions running on the devices connected to the edge device.

Some companies worth mentioning in IoT edge security are: IBM, Akamai, Cisco, Cloudflare, Fortinet, Palo Alto Networks, Cato Networks, VMware, Zscaler, McAfee.

Final Thoughts

In this article we tried to show a glimpse of how different tools, platforms and services can work together to fulfil the vision of the Internet of Things without neglecting or compromising security.

We covered, with some examples, the full stack with:

  • Platform solutions: AWS, Azure and GCP IoT
  • Edge solutions with SIEM and AI
  • Target solutions with crypto, enclave and boot security implementations

We showed that IT security falls short of the needs of IoT; it has to include OT (Operational Technology) security to cover them adequately.

Image source: IoT security defence in depth by Charles Li, showing the differences between the management layers in IT vs IoT

Also, a defensive approach is necessary but not sufficient: it is important to actively Identify, Protect, Detect, Respond and Recover (the five NIST Cybersecurity Framework functions) from any attack, and this has to be reflected in the IoT system components.

IT security works on corporate networks, related assets (printers, computers), software and their management, and focuses on privacy; OT security works on industrial networks (SCADA, MQTT, AMQP) and their embedded firmware management, and focuses on reliability. Both worlds have to coexist to avoid operational disruption and ensure an optimum level of security.

Each IoT solution provider will have to define which set of security components fits best depending on the use cases and scenarios of the business, but it is certain that including them is a fundamental and unavoidable cornerstone of any future IoT solution.

Connected devices have outnumbered any feasible effort at manual security management; it is critical to let the system itself fight threats back, by giving it the means to do so in a systemic way.

Translated from: https://medium.com/globant/managing-security-in-the-iot-space-de908653dd7
