RTC Magazine

Page 40

TECHNOLOGY DEVELOPMENT

FIGURE 4 HTTPS is not the answer to IoT data protection.

security controls implemented by all these actors. Therefore, we must adopt a zero-trust strategy, wherein we assume the Cloud is inherently insecure. If our system generates valuable data on the edge, then we must take measures to protect that data, regardless of where it may flow across the Web. For example, a wearable health care device may encrypt information generated locally with a key that is controlled by the device owner and shared out-of-band only with healthcare providers that have a need to know.

Preventing the Target Breach with Secure Platform Architecture

The platform architecture principles described above give developers a powerful toolbox with which to build secure IoT systems. To demonstrate, let’s take a look at the Target breach and how it could have been easily prevented. While not all details are currently available regarding how malware was installed into the PoS terminals, we do know that the malware was able to gain full privilege and memory-scrape RAM to gather personal information as it was entered into the terminals by shoppers. An evolved PoS architecture would use a de-privileged operating system and a lightweight security-critical application, called the tokenizer, to handle the processing of personal information. The tokenizer executes directly on the Thingvisor and manages the physical USB device used for card swipe. The tokenizer uses a secure connection to a back-end Web service for mapping personal records to tokenized records and then issues a virtual USB swipe, passing the token to the point-of-sale operating environment. While the main PoS OS may be infiltrated with malware, the malware has no personal information to steal. The mapping of tokenized data occurs in the back-end. The Thingvisor may also include a virtual security appliance, such as a unified threat management (UTM) system, that sits between the physical network and a de-privileged virtual network interface exposed to the PoS OS. Such an approach gives Things the ability to incorporate server-class network security capabilities without the size, weight, power and cost associated with traditional data center network security hardware.

RTC Magazine, October 2014
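The tokenizer pattern above, as an added, constructed example (not Green Hills code and not the NRF demonstration): only the tokenizer parses the physical swipe, it exchanges the card number for a random token with a stand-in for the back-end mapping service, and it hands the PoS environment a virtual swipe in the same layout but carrying the token. The `BackendVault`, `Tokenizer` and `PosOperatingEnvironment` classes, the Track 1 sample, the letters-only `tok_` token format and the `card_numbers_in` audit check are all assumptions of the example; a real device would carry the vault call over TLS and would typically use a format-preserving token.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
import string

# Constructed sample swipe in the Track 1 layout %B<PAN>^<NAME>^<expiry, service code, discretionary>?
# 4111111111111111 is the standard Visa test number, not a real account.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121010000?"

TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]*)\^(.*)\?$")
DIGIT_RUN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")   # whole digit runs of card-number length


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class BackendVault:
    """Stand-in for the back-end Web service that holds the PAN <-> token mapping.
    It lives off the Thing entirely; nothing on the terminal can reverse a token."""

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)   # keyed index: no brute-forceable plain hash of PANs
        self._token_by_index: dict[str, str] = {}
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        index = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if index not in self._token_by_index:
            # Random token, letters only so it carries no PAN information and no digit runs.
            token = "tok_" + "".join(secrets.choice(string.ascii_uppercase) for _ in range(12))
            self._token_by_index[index] = token
            self._pan_by_token[token] = pan
        return self._token_by_index[index]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


class Tokenizer:
    """Security-critical application running directly on the Thingvisor. It owns the
    physical USB swipe reader and is the only code on the Thing that ever sees a PAN."""

    def __init__(self, vault: BackendVault) -> None:
        self._vault = vault

    def virtual_swipe(self, physical_track1: str) -> str:
        m = TRACK1_RE.match(physical_track1)
        if m is None:
            raise ValueError("unrecognised swipe format")
        pan, name, rest = m.groups()
        token = self._vault.tokenize(pan)   # over the secure back-end connection in a real device
        return f"%B{token}^{name}^{rest}?"   # same layout the PoS software expects, token in place of PAN


class PosOperatingEnvironment:
    """The de-privileged PoS OS. A bytearray stands in for its RAM, i.e. everything that
    code running with full privilege inside this guest could read."""

    def __init__(self) -> None:
        self.ram = bytearray()

    def handle_swipe(self, track1: str) -> None:
        self.ram += track1.encode()


def card_numbers_in(memory: bytes) -> list[str]:
    """Audit check: every Luhn-valid card number present in a memory image."""
    return [run for run in DIGIT_RUN_RE.findall(memory.decode("latin-1")) if luhn_ok(run)]


def legacy_checkout(track1: str) -> PosOperatingEnvironment:
    """Conventional PoS: the OS reads the physical swipe itself, so the PAN lands in its RAM."""
    pos = PosOperatingEnvironment()
    pos.handle_swipe(track1)
    return pos


def thingvisor_checkout(track1: str, vault: BackendVault) -> tuple[PosOperatingEnvironment, str]:
    """Evolved PoS: the tokenizer consumes the physical swipe; the OS only sees the virtual one."""
    pos = PosOperatingEnvironment()
    virtual = Tokenizer(vault).virtual_swipe(track1)
    pos.handle_swipe(virtual)
    return pos, virtual


if __name__ == "__main__":
    vault = BackendVault()
    print("legacy PoS RAM holds:", card_numbers_in(bytes(legacy_checkout(SAMPLE_TRACK1).ram)))
    pos, virtual = thingvisor_checkout(SAMPLE_TRACK1, vault)
    print("virtual swipe seen by PoS OS:", virtual)
    print("Thingvisor PoS RAM holds:", card_numbers_in(bytes(pos.ram)))
```

Running it shows the same audit check finding the test card number in the legacy guest's RAM and nothing in the tokenized guest's RAM; the token can only be reversed by the vault, which is the point of keeping the mapping in the back-end.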

Hardware Root of Trust

It is also important to note that Things require a hardware root of trust, below even the Thingvisor software root of trust. A hardware root of trust, in its simplest embodiment, is a tamper-resistant key storage used, at a minimum, for secure boot of the Thingvisor and associated security-critical components like the tokenizer in the preceding example. The boot sequence must use the key to signature-check these components before launching them. Subsequently, the hardware root of trust can also be used for remote attestation and for higher-assurance protection of keys used for both data-in-transit and data-at-rest protection. If an attacker attempts to overwrite the firmware flash memory with malicious code, secure boot will detect this and can take corrective action. Once securely launched, the Thingvisor can recursively apply measurement checks to other components, including the guest operating system kernels, if desirable.

The overall Thingvisor-based point-of-sale architecture is shown in Figure 5 with Windows Embedded as the main PoS OS. This has already been developed and demonstrated at the National Retail Federation (NRF) Big Show.

The IoT will enable incredible functionalities and efficiencies that promise to drive new business opportunities for solution providers. But with great power comes great responsibility, and the security and privacy challenges of the IoT demand that developers commit early and often to future-proofing their systems for security. This strategy starts with a platform architecture that utilizes hardware and software roots of trust and proven security principles, such as least privilege, to harden Things and defeat common attack vectors.

Green Hills Software
Santa Barbara, CA
(805) 965-6044
www.ghs.com

FIGURE 5 Thingvisor architecture prevents Target breach.
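The chain of trust described under "Hardware Root of Trust", as an added, constructed example (not Green Hills code): a stand-in for tamper-resistant key storage verifies the Thingvisor and the tokenizer before launch, the verified Thingvisor then measures the guest kernel against a manifest carried inside its own signed image, and the root signs a quote over the measurement log for remote attestation. An HMAC-SHA256 tag stands in for the asymmetric signature so the code runs with the standard library alone (with a real scheme only the public half would be burned into the device); the image contents, the `manifest:` line format and the function names are assumptions of the example, and the byte flip in `corrupted_copy` simulates the firmware overwrite the text mentions.

```python
from __future__ import annotations

import hashlib
import hmac


class SecureBootError(Exception):
    """A stage failed verification; a real device refuses to launch it and falls back to recovery."""


class HardwareRootOfTrust:
    """Stand-in for tamper-resistant key storage. The key never leaves this object:
    software can only ask it to verify an image or to sign an attestation quote."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def verify(self, image: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._key, image, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)   # constant-time comparison

    def quote(self, nonce: bytes, measurements: list[tuple[str, str]]) -> bytes:
        """Remote attestation: bind the recorded boot measurements to the verifier's nonce."""
        return hmac.new(self._key, nonce + encode_measurements(measurements), hashlib.sha256).digest()


def encode_measurements(measurements: list[tuple[str, str]]) -> bytes:
    return "\n".join(f"{name}={digest}" for name, digest in measurements).encode()


def measure(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def sign_image(signing_key: bytes, image: bytes) -> bytes:
    """Build-server step (assumed HMAC stand-in for the signature the device checks)."""
    return hmac.new(signing_key, image, hashlib.sha256).digest()


def build_thingvisor_image(guest_kernel: bytes) -> bytes:
    """The Thingvisor image carries a manifest of the guest it will measure. Because the whole
    image is signed, the expected guest measurement is authenticated along with the code."""
    manifest = b"manifest:guest_kernel=" + measure(guest_kernel).encode() + b"\n"
    return b"THINGVISOR v1\n" + manifest + b"\x00" * 48   # padding stands in for the code


def expected_guest_measurement(thingvisor_image: bytes) -> str:
    for line in thingvisor_image.split(b"\n"):
        if line.startswith(b"manifest:guest_kernel="):
            return line.split(b"=", 1)[1].decode()
    raise SecureBootError("thingvisor image carries no guest manifest")


def secure_boot(root: HardwareRootOfTrust, flash: dict[str, bytes], tags: dict[str, bytes]) -> list[tuple[str, str]]:
    """Returns the ordered measurement log of everything launched (the input to attestation)."""
    launched: list[tuple[str, str]] = []
    # Stage 1: the hardware root signature-checks the Thingvisor and the tokenizer before they run.
    for name in ("thingvisor", "tokenizer"):
        if not root.verify(flash[name], tags[name]):
            raise SecureBootError(f"{name}: signature check failed, refusing to launch")
        launched.append((name, measure(flash[name])))
    # Stage 2: the now-trusted Thingvisor recursively measures the guest OS kernel.
    actual = measure(flash["guest_kernel"])
    if actual != expected_guest_measurement(flash["thingvisor"]):
        raise SecureBootError("guest_kernel: measurement mismatch, refusing to launch")
    launched.append(("guest_kernel", actual))
    return launched


def verify_quote(verification_key: bytes, nonce: bytes, reported: list[tuple[str, str]], quote: bytes) -> bool:
    """Verifier side of remote attestation: the quote must match the reported log and our nonce."""
    expected = hmac.new(verification_key, nonce + encode_measurements(reported), hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote)


def provision(signing_key: bytes) -> tuple[dict[str, bytes], dict[str, bytes]]:
    """Factory step producing constructed flash contents and their tags."""
    guest = b"GUEST-KERNEL-PLACEHOLDER " + b"\x90" * 32
    flash = {"guest_kernel": guest, "thingvisor": build_thingvisor_image(guest),
             "tokenizer": b"TOKENIZER v1 " + b"\x41" * 32}
    tags = {name: sign_image(signing_key, image) for name, image in flash.items() if name != "guest_kernel"}
    return flash, tags


def corrupted_copy(image: bytes) -> bytes:
    """Test fixture: one byte of the image changed, as a flash overwrite would."""
    altered = bytearray(image)
    altered[-1] ^= 0xFF
    return bytes(altered)


if __name__ == "__main__":
    key = b"\x01" * 32   # constructed device key
    root = HardwareRootOfTrust(key)
    flash, tags = provision(key)
    for name, digest in secure_boot(root, flash, tags):
        print(f"launched {name}: {digest[:16]}...")
```

The guest kernel is not signed by the root at all; it is covered because its expected measurement sits inside the signed Thingvisor image, which is how "recursively apply measurement checks" composes: each verified stage vouches for the next, and the resulting log is what a remote verifier checks against its golden values.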

