The Internet of Things (IoT) provides extensive connections over the world, helps traditional businesses to digitally transform, creates value while reducing operation costs, and promotes production efficiency to increase business revenue.
On the other hand, however, the security, privacy, ethics, and compliance of the Internet of Things is an unprecedented challenge for businesses around the world. IoT solutions fuses the physical and digital worlds, which means potential attacks and risks can occur simultaneously for both areas. IoT has also brought more concerns about privacy and ethics. Companies must focus on data security, and would need to consider who has the permissions to access to what resources, who has the authority to manage access control policies, and so on.
Therefore, comparing to the cyber security requirements for traditional software development and implementation, a secure IoT solution requires protection, defense, and governance throughout the data journey: secure provisioning of devices, secure communication between devices and cloud, secure data processing and storage in the cloud, secure application development, and so on.
This section introduces how EnOS, a comprehensive IoT operation system with security built in every stage, provides a secure and private IoT solution.
A Glimpse of EnOS Security¶
EnOS manages over 100 Gigawatt of assets for our customers, among which most are giant energy companies in the world. Solid security practices and principles are core to the design of EnOS to ensure that the security, privacy, ethics, and compliance of our customers’ systems and data are maintained at all times.
EnOS takes the advantages of secure infrastructure of leading IaaS vendors to maintain the cloud security and data privacy, such as guest operating system patching, firewall configuration, and disaster recovery. The network of EnOS is secured by world-class network infrastructures, also provided by the IaaS vendors, including Virtual Private Cloud (VPC), limited access points, rule-based network traffic, IPsec VPN, etc. To protect the secure transmission of data, the application must connect to the EnOS REST API interface through HTTPS or Transport Layer Security (TLS), and the device and EnOS Edge can connect to the EnOS cloud through a TLS-protected data channel.
EnOS offers secure edge, secure connectivity, secure data storage and processing, and so on. The rest of this article breaks down the EnOS into four primary security areas.
Each EnOS edge has a unique identity key which can be used by the IoT Hub to communicate with the edge while it is in operation. The key with a user-defined edge ID forms the basis of a token and signature used in the communication between the edge and IoT Hub. These edge IDs can use an existing fixed identity such as the serial number or network MAC address which cannot be changed easily. The edge IDs are managed by the edge device provisioner in the IoT Hub via EnOS Management Console or APIs and the IoT Hub provides the secure storage of edge identities and secret keys.
The EnOS edge has built-in firmware/software upgrade features to ensure that critical patches against security vulnerabilities can be applied manually or automatically. Any changes or firmware/software upgrades applied to edges will be logged at the cloud side for auditing.
Unused USB ports are disabled by default to prevent malicious access. Only network ports used by the necessary applications and services are explicitly enabled by network policies.
Some types of EnOS edges are manufactured with TPM chips. EnOS may utilize this hardware feature to store the customer certificate securely.
EnOS edge and other compatible edge devices communicate with EnOS cloud via the TLS protected data tunnel. The X.509 certificate based bi-directional authentication is enforced for each session. To ensure that each edge has its exclusive customer certificate, the certificate request exchange is performed by the edge during its first power-on procedure. The edge device generates a public certificate request containing the unique device identifier (e.g., serial number, network MAC address) and corresponding private key according to the PKI standard. The certificate request will be forwarded to the EnOS certification service or a public trusted CA for signing. The issued public certificate will then be sent back to the edge device to be stored together with the private key locally.
To ensure secure connections from the devices and end users to the EnOS portal, HTTP over TLS is applied for data transmissions, which uses public-key cryptography to prevent eavesdropping, tampering, and forgery.
Devices and end users can establish secure communication sessions to API endpoints with the services that EnOS provides. HTTPS is used for accessing the REST APIs. For the TLS protected data channel between the devices and EnOS cloud, X.509 certification based bi-directional authentication is adopted, and all data is encrypted during transmission.
Secure Cloud and Data¶
EnOS takes famous IaaS vendors as its cloud infrastructure providers. The IaaS vendors are responsible for protecting the global infrastructure that hosts all services provisioned in the cloud. The infrastructure is comprised of the hardware, software, networking, and facilities that run the cloud services. For these managed cloud services, the IaaS vendor manages basic security operations such as guest operating system patching, firewall configuration, and disaster recovery.
From a security perspective, adopting an IaaS vendor brings the following benefits:
- Industry-standard security compliance.
- State-of-the-art physical and environmental security solutions.
- High availability, which promotes business continuity.
- World-class secure network infrastructure with focus on manageability and monitoring.
- Mature change management process.
The data centers where EnOS is hosted are state of the art, and secured by innovative architectural and engineering approaches:
- The data centers are housed in non-descript facilities.
- Physical access is strictly controlled at both the perimeter and the building ingress points by professional security staff who utilizes video surveillance, intrusion detection systems, and other electronic means to enforce security.
- An authorized staff must pass a two-factor authentication for a minimum of two times to access the data center.
EnOS adopts a very strict mechanism for protecting data at rest. Sensitive data, defined by built-in and custom rules, is encrypted before putting into files or databases. Data is encrypted with keys exclusive to the customers, generated by EnOS or provided by the customers. Decryption happens automatically when data is retrieved through the EnOS API. Therefore, no intruders or platform operators will have access to the data even when they have access to the underlying file system or database systems.
Within EnOS, data (such as files and databases) belonging to different customers (the “OU”) are stored separately or segmentally. Logical data segmentation is established in all underlying components of EnOS. In the EnOS big data storage system, all files, tables, and other types of data are secured by access control, although data from different customers are stored physically in a single cluster. Only authorized users may access the data with audit-enabled API calls or command tools. This mechanism not only promotes the security of data, but also makes it possible to share data among different customers without extra storage cost.
In addition, EnOS also has the capability of providing dedicated storage for those customers with highly sensitive data to meet the requirements of some special scenarios.
While the underlying IaaS secures the physical venues, network, operating systems, and managed services, EnOS secures the applications that are hosted on the platform, including applications that manage massive IoT assets.
EnOS secures applications through the following means:
- Identity and Access Management
- Network Protection
- Data Encryption
- Logging and Monitoring
- Security Auditing
Identity and Access Management¶
The Identity and Access Management (IAM) enables you to create and manage permissions for EnOS resources. The IAM unifies access control for Cloud Platform services into a single system and presents a consistent set of operations. EnOS applies the IAM scheme to support multi-tenancy, where each tenant in EnOS is managed as an organizational unit. Data that belongs to different organizations are securely segregated and can only be accessed by users that are registered to the organization.
EnOS’s built-in IAM provides customers with capabilities for identity management, authentication, authorization, and auditing.
EnOS hosts several automated monitoring tools to detect abnormal and unauthorized activities and situations at ingress and egress points. These tools monitor the server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools allow custom performance metric thresholds to be set for abnormal activities.
Sensitive data, defined by built-in and custom rules, is encrypted before being put into files or databases. Decryption happens automatically when data is retrieved through the EnOS API.
Logging and Monitoring¶
The centralized logging service in EnOS is configured to aggregate activity logs and show security related metrics at real-time.
EnOS logs all user activities to the portal. The activity log contains details about each access request including the request type, requested resource, requestor’s IP, and the date and time of the request. Alerts are triggered when defined thresholds are exceeded.
Accounts with proper privileges may access authorized resources via the EnOS service APIs and portal. Access validation is performed for each access attempt. Success or failure attempts are recorded in IAM logs for auditing and abnormality detection purposes.
Security is integrated into every aspect of EnOS. EnOS offers you unique security advantages derived from protection, governance and defense of the IoT security, privacy, ethics, and compliance.
Modern applications are continuously moving to the cloud because the cloud not only provides scalability, high performance, and reliability, but also provides very high security standards.
Compared to the traditional application hosted in the customers’ own data center, where its security relies completely on the customers, the security responsibilities of the cloud applications are shared across the cloud infrastructure provider, the cloud application platform, and the customers.
The IaaS vendor is responsible for the industrial compliance, the physical and environmental security, the network security, the operating system security, and the storage security. EnOS, as the IoT PaaS, is responsible for adopting the best security practices for authentication, access control, network protection, data encrypting, activity logging, and auditing to secure customers’ data and applications.
EnOS takes security seriously and carefully considers all security aspects with vast experiences in web application security to continue to help our customers make a sound decision on the IoT platform to protect the confidentiality, integrity, and availability of their devices and data.