IoT Security Use Case Draft AB v0.8
- Pavan Raja

- Apr 8, 2025
Summary:
The document presents a framework for securing Internet of Things (IoT) applications, emphasizing the importance of securing key components such as an IoT cloud/platform, endpoints, connectivity, edge computing, and sensors/actuators. Potential risks and attack scenarios include rogue endpoints, compromised endpoints, man-in-the-middle attacks, denial-of-service (DoS) attacks, unauthorized access, vulnerable web applications, and targeted attacks. HPE Security offers a suite of solutions including ArcSight for security intelligence, Fortify for application security, Voltage/Atalla for data security, and Aruba for communication security to address these issues in the IoT ecosystem.
HPE's solution portfolio includes several products and services designed to secure the entire lifecycle of IoT applications:
1. **IoT Platform Components**: These include Edge Application (EGA), Endpoint Application (EPA), Message Broker Application (MBA), and various scanning mechanisms for security throughout the IoT application lifecycle.
2. **Development Phase**: Utilizes HPE SW Application Development Tools with integration of Fortify SAST for secure source code scanning.
3. **Build/Test Phase**: Implements optional encryption and authentication key management via Atalla ESKM, and includes dynamic analysis on server apps using Fortify DAST (WebInspect) to enhance robustness.
4. **Release/Deploy Phase**: Deploys software using HPE SW Application Development Tools and secures the server application in operation with Fortify Application Defender.
5. **Operate/Monitor Phase**: Monitors IoT applications and performance with HPE SW Application Development Tools, uses ArcSight SIEM for security information and event management, detects malware with ArcSight DMA, and optionally monitors users with ArcSight UBA.
The document also outlines two use cases: one focusing on a business transformation using HPE OMi, featuring the Message Broker Application (MBA) and Connectivity Endpoint Applications, and another demonstrating an IoT platform with secured components such as Edgeline Devices, User Interface, SIM Module, HBM Sensors, and secure P2P connections.
In summary, the document provides a comprehensive view of how HPE's tools and processes can be used to develop, secure, and manage IoT applications from inception through operation.
Details:
The document outlines a framework for securing Internet of Things (IoT) applications, focusing on the main components and addressing potential attack scenarios. The main IoT building blocks that need to be secured include an IoT cloud/platform, endpoints, connectivity, edge computing, and sensors/actuators. Potential risks and attack scenarios involve rogue endpoints, compromised endpoints, man-in-the-middle attacks, denial-of-service (DoS) attacks, unauthorized access, vulnerable web applications, and targeted attacks. HPE Security offers a suite of solutions including ArcSight for security intelligence, Fortify for application security, Voltage/Atalla for data security, and Aruba for communication security to address these issues in the IoT ecosystem.
HPE's solution portfolio for secure IoT application lifecycle management includes a range of products and services designed to ensure the security, connectivity, and operational efficiency of Internet-of-Things (IoT) applications. Key components include:
1. **HPE ADM (Application Delivery Management)**: Facilitates the deployment of IoT solutions by providing tools for managing the application lifecycle, including versioning and revision control.
2. **HPE Security ArcSight (Security Intelligence)**: Offers security intelligence through SIEM (Security Information and Event Management), log management, correlation, and security analytics to detect threats and anomalies in real time.
3. **HPE Security Fortify (Application Security)**: Provides static application security testing (SAST) for source code scanning, dynamic application security testing (DAST) including black-box scanning of web applications, and runtime application self-protection (RASP) to secure applications at runtime.
4. **HPE Aruba (Communication Security)**: Ensures secure communication between devices through authentication, authorization, and accounting (AAA), firewalling, and VPN services.
5. **HPE Security – Data Security (Voltage/Atalla)**: Includes Voltage SecureData for data de-identification using methods like format-preserving encryption and stateless tokenization, as well as Atalla Enterprise Secure Key Management (ESKM) to manage public key infrastructure securely.
6. **IoT Platform Components**: These include Edge Application (EGA), Endpoint Application (EPA), Message Broker Application (MBA), and various scanning mechanisms to ensure security throughout the IoT application lifecycle.
The secure IoT application lifecycle spans several phases: development, with Fortify SAST for source code scanning; an optional Build/Test phase using HPE Application Lifecycle Manager/Quality Center (ALM/QC); and Release/Deploy with Fortify AppDefender. Operate/Monitor is handled by ArcSight SIEM for log management, correlation, security analytics, and other related services.
The overall framework aims to create a secure, interconnected ecosystem where IoT devices can be built, deployed, operated, and monitored efficiently while maintaining high levels of data security. This includes the use of DevOps practices with HPE SW DevOps/ALM solutions and open-source tools like Apache Maven and Jenkins for automation.
The document outlines a demonstration of HPE's Secure IoT DevOps process, which involves several phases and tools to ensure the development, deployment, operation, and monitoring of secure IoT applications. Key components include:
1. **Development Phase**:
   - Use of HPE SW Application Development Tools for app creation.
   - Integration of Static Source Code Analysis (using Fortify SAST) to enhance security throughout the lifecycle.
2. **Build/Test Phase**:
   - Sensitive data de-identification and protection end-to-end using Voltage SecureData.
   - Optional encryption/authentication key management via Atalla ESKM.
3. **Release/Deploy Phase**:
   - Deployment of software using HPE SW Application Development Tools.
   - Dynamic Analysis on the Server App (using Fortify DAST - WebInspect) to ensure robustness.
   - Securing the server application in operation with Fortify Application Defender.
4. **Operate/Monitor Phase**:
   - Monitoring of IoT applications and performance with HPE SW Application Development Tools.
   - Use of ArcSight SIEM for security information and event management.
   - Detection of malware with ArcSight DMA.
   - Optional monitoring of users with ArcSight UBA.
The document also details two specific use cases:
**Use Case 1 – WPM**: Focuses on a business transformation using HPE OMi, featuring the Message Broker Application (MBA) and Connectivity Endpoint Applications for signal processing and secure data exchange.
**Use Case 2 – Secure & Intelligent Infrastructure**: Demonstrates an IoT platform with secured components such as Edgeline Devices, User Interface, SIM Module, HBM Sensors, and a Secure P2P Connection via CMS. The infrastructure includes ArcSight SIEM for event management, Fortify SAST/DAST for analysis, and Voltage SecureData for data protection.
Overall, the document provides a comprehensive view of how HPE's tools and processes can be used to develop, secure, and manage IoT applications from inception through operation.
