Review of External Security Models Michael McCool Intel Osaka, W3C - - PowerPoint PPT Presentation

review of external security models
SMART_READER_LITE
LIVE PREVIEW

Review of External Security Models Michael McCool Intel Osaka, W3C - - PowerPoint PPT Presentation

Apr 16, 2023 7 likes •92 views

Review of External Security Models Michael McCool Intel Osaka, W3C Web of Things F2F, 17 May 2017 Purpose WoT charter: The scope of the Working Group is restricted to APIs and security frameworks that are applicable across platforms. We will

slide-1
SLIDE 1

Review of External Security Models

Michael McCool Intel Osaka, W3C Web of Things F2F, 17 May 2017

slide-2
SLIDE 2

Purpose

WoT charter: The scope of the Working Group is restricted to APIs and security frameworks that are applicable across platforms. We will not define new security mechanisms but will use existing mechanisms and best practices.

  • 1. Determine how to gather requirements for external security models and standards
  • 2. Determine how to represent information in a common format

 THEN begin to review external security models and standards…

2/37

slide-3
SLIDE 3

Outline

 List of external sources

 External standards  Security models of important external IoT ecosystems WoT should interoperate with  Anything missing we should add?

 Template for Threat model  Other templates to consider  Standards to review:

 IIC Security Framework

 IETF ACE Model

3/37

slide-4
SLIDE 4

Sources

 See: https://github.com/w3c/wot/pull/319

 Please create issues to suggest new references

 External References:

 Industrial Internet Consortium Security Framework: http://www.iiconsortium.org/IISF.htm  IETF ACE (Authentication and Authorization for Constrained Environments): https://tools.ietf.org/wg/ace/  IETF RFC 7252 (CoAP) Security model: https://tools.ietf.org/html/rfc7252  STRIDE Threat Model  OWASP IoT Attack Vectors

 Liaison References:

 OCF 1.0 Security Specification (Draft): https://openconnectivity.org/draftspecs/OCF_Security_Specification_v1.0.0.pdf  Will discuss this during OCF Review on May 17  oneM2M Security Solutions, TS-0003: http://www.onem2m.org/images/files/deliverables/Release2/TS-0003_Security_Solutions-

v2_4_1.pdf

4/37

slide-5
SLIDE 5

Template for Threat Model

 Stakeholders  Description, Role, Business-driven security goals, Interesting edge cases  Assets  Description, Who should have access (Trust Model), Attack Points  Adversaries  Persona, Motivation, Attacker type  Attack surfaces  System Element, Compromise Type(s), Assets exposed, Attack Method  Threats  Name, Adversary, Asset, Attack method and pre-conditions, priority  Security Objectives and Non-Objectives  Threats, Mitigation (if an objective), Reasoning (if not)

5/37

slide-6
SLIDE 6

Other Templates?

 Protocol security frameworks and link

security

 TLS, DTLS, etc.

 Encryption standards

 AES, RSA, etc.

 Identity, Authentication, and

Authorization

 OAuth, etc.

6/37

 Configuration management  Lifecycle management  Logging and monitoring  Privacy frameworks  Integrity protection

slide-7
SLIDE 7

IIC Security Framework

 See

7/37

slide-8
SLIDE 8

IETF ACE

 See

8/37