国际云安全联盟CSA发布物联网安全指南 为物联网设备的安全部署提供建议

国际云安全联盟CSA发布物联网安全指南 为物联网设备的安全部署提供建议

编程入门访客2021-10-11 21:34:007432A+A-

云安全联盟 (CSA) 公布了一份物联网安全指南,《 Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products》,旨在帮助物联网相关的产品和服务的设计师和开发人员,了解整个开发过程必须纳入的基本安全措施。

报告中提到:

物联网推动了消费、 商业、工业生产过程和实践的转变。在2015 年,市场中出现了许多类型的物联网产品,我们进行了一些真实的研究,结果表明对物联网安全的担忧是真实存在的。基于这些研究,我们了解到物联网产品的安全(并非只是做好自身的安全),而存在更高层次的需求,这些需求包括:

  • 需要保护消费者隐私并限制PII及PHI信息的扩散
  • 需要保护商业数据并限制敏感信息泄露
  • 需要防止物联网产品被用于DDoS攻击
  • 需要提防这些产品的折中安全方案所带来的损失和伤害

CSA物联网安全指南 的主要内容

  1. 探讨物联网设备的安全挑战
  2. CSA物联网工作组进行的一份调查报告分析
  3. 探讨物联网部署平台的安全问题
  4. 物联网设备的分类及趋势
  5. 安全设备的建议及部署流程
  6. 给安全工程师一份检查表单,便于遵从于部署流程
  7. 一套物联网产品案例及其所面临的威胁

这里将指南的目录主要内容摘录如下

1.The Need for IoT Security

  • IoT Products Can Compromise Privacy
  • IoT products can lend their computing power to launch DDoS Attacks
  • Medical Devices and Medical Standard Protocols are Vulnerable to Attack
  • Drones Are Approaching Mainstream Status and Being Used as a Platform
  • for Reconnaissance
  • Critical national infrastructure can rely on the IoT ecosystem
  • Cars are becoming connected and autonomous
  • Moving Forward

2.Why Development Organizations Should Care About Securing IoT Products

  • IoT Device Security Challenges
  • IoT products may be deployed in insecure or physically exposed environments
  • Security is new to many manufacturers and there is limited security
  • planning in development methodologies
  • Security is not a business driver and there is limited security sponsorship
  • and management support in development of IoT products
  • There is a lack of defined standards and reference architecture for secure IoT development
  • There are difficulties recruiting and retaining requisite skills for IoT
  • development teams including architects, secure software engineers, hardware security
  • engineers, and security testing staff
  • The low price point increases the potential adversary pool
  • Resource constraints in embedded systems limit security options

3.IoT Security Survey

Guidance for Secure IoT Development

  • 1. Start with a Secure Development Methodology
  • Security Requirements
  • Security Processes
  • Perform Safety Impact Assessment
  • Perform Threat Modeling
  • 2. Implement a Secure Development and Integration Environment
  • Evaluate Programming Languages
  • OWASP Python Security Project Link
  • Integrated Development Environments
  • Continuous Integration Plugins
  • Testing and Code Quality Processes
  • 3. Identify Framework and Platform Security Features
  • Selecting an Integration Framework
  • Evaluate Platform Security Features
  • 4. Establish Privacy Protections
  • Design IoT devices, services and systems to collect only the minimum amount
  • of data necessary
  • Analyze device use cases to support compliance mandates as necessary
  • Design opt-in requirements for IoT device, service and system features
  • Implement Technical Privacy Protections
  • Privacy-enhanced Discovery Features | Rotating Certificates
  • 5. Design in Hardware-based Security Controls
  • The MicroController (MCU)
  • Trusted Platform Modules
  • Use of Memory Protection Units (MPUs)
  • Incorporate Physically Unclonable Functions
  • Use of specialized security chips / coprocessors
  • Use of cryptographic modules
  • Device Physical Protections
  • Tamper Protections
  • Guard the Supply Chain
  • Self-Tests
  • Secure Physical Interfaces
  • 6. Protect Data
  • Security Considerations for Selecting IoT Communication Protocols
  • 7. Secure Associated Applications and Services
  • 8. Protect Logical Interfaces / APIs
  • Implement Certificate Pinning Support
  • 9. Provide a Secure Update Capability
  • 10. Implement Authentication, Authorization and Access Control Features
  • Using Certificates for Authentication
  • Consider Biometrics for Authentication
  • Consider Certificate-Less Authenticated Encryption (CLAE)
  • OAuth 2.0
  • User Managed Access (UMA)
  • 12. Establish a Secure Key Management Capability
  • Design Secure Bootstrap Functions
  • 12. Provide Logging Mechanisms
  • 13. Perform Security Reviews (Internal and External)
点击这里复制本文地址 以上内容由黑资讯整理呈现,请务必在转载分享时注明本文地址!如对内容有疑问,请联系我们,谢谢!
  • 2条评论
  • 只影扶弦2022-06-04 12:05:17
  • d system featuresImplement Technical Privacy ProtectionsPrivacy-enhanced Discovery Features | Rotating Ce
  • 颜于闻枯2022-06-04 06:12:37
  • enticationConsider Certificate-Less Authenticated Encryption (CLAE)OAuth 2.0User Managed Access (UMA)12. Establi

支持Ctrl+Enter提交

黑资讯 © All Rights Reserved.  
Copyright Copyright 2015-2020 黑资讯
滇ICP备19002590号-1
Powered by 黑客资讯 Themes by 如有不合适之处联系我们
网站地图| 发展历程| 留言建议| 网站管理