A Cloud Security Alliance (CSA) lançou recentemente um guia sobre segurança em IoT, batizado de “Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products”.
O guia tem 76 páginas e identifica 13 recomendações principais:
Start with a Secure Development Methodology
Implement a Secure Development and Integration Environment
Identify Framework and Platform Security Features
Establish Privacy Protections
Design in Hardware-based Security Controls
Protect Data
Secure Associated Applications and Services
Protect Logical Interfaces / APIs
Provide a Secure Update Capability
Implement Authentication, Authorization and Access Control Features
Establish a Secure Key Management Capability
Provide Logging Mechanisms
Perform Security Reviews (Internal and External)
O documento é bem completo, pois além de descrever as recomendações acima, ele também inclui um capítulo sobre as necessidades e sobre os desafios relacionados a adoção de dispositivos IoT.
Esta é a iniciativa mais madura que eu conheço para discutir detalhadamente como tratar segurança no mundo IoT. Há um ano atrás, eles já tinham publicado um relatório inicial sobre este tema.
O relatório pode ser baixado gratuitamente do site da CSA.
1. Start with a Secure Development Methodology Security Requirements Security Processes Perform Safety Impact Assessment Perform Threat Modeling
2. Implement a Secure Development and Integration Environment Evaluate Programming Languages OWASP Python Security Project Link Integrated Development Environments Continuous Integration Plugins Testing and Code Quality Processes
3. Identify Framework and Platform Security Features Selecting an Integration Framework Evaluate Platform Security Features
4. Establish Privacy Protections Design IoT devices, services and systems to collect only the minimum amount of data necessary Analyze device use cases to support compliance mandates as necessary Design opt-in requirements for IoT device, service and system features Implement Technical Privacy Protections Privacy-enhanced Discovery Features | Rotating Certificates Table of Contents IoT Working Group | Future-proofing the Connected World © Copyright 2016, Cloud Security Alliance. All rights reserved 2
5. Design in Hardware-based Security Controls The MicroController (MCU) Trusted Platform Modules Use of Memory Protection Units (MPUs) Incorporate Physically Unclonable Functions Use of specialized security chips / coprocessors Use of cryptographic modules Device Physical Protections Tamper Protections Guard the Supply Chain Self-Tests Secure Physical Interfaces
6. Protect Data Security Considerations for Selecting IoT Communication Protocols
7. Secure Associated Applications and Services
8. Protect Logical Interfaces / APIs Implement Certificate Pinning Support
9. Provide a Secure Update Capability
10. Implement Authentication, Authorization and Access Control Features Using Certificates for Authentication Consider Biometrics for Authentication Consider Certificate-Less Authenticated Encryption (CLAE) OAuth 2.0 User Managed Access (UMA)
11. Establish a Secure Key Management Capability Design Secure Bootstrap Functions
12. Provide Logging Mechanisms
13. Perform Security Reviews (Internal and External)
Appendix
A – Categorizing IoT Devices Consumer IoT Devices Smart Health Devices Industrial IoT Devices Smart Cities Appendix
B – References Appendix
C – IoT Standards and Guidance Organizations Appendix
D – Other Guidance Documents
Fonte: AnchisesLandia- Brazilian Security Blogger
