Copyright © 2018 Arm TechCon, All rights reserved.
Building and Evolving an IoT Ecosystem: A Developer's Story
Arm K.K.
IoT Services Group
Sales & Business Development Director
春田 篤志
Pelion IoT Platform
A platform for comprehensive, secure management of IoT connectivity, devices and data
• Seamlessly and securely connect and manage IoT devices and data at any scale
• Designed to run in any environment: public cloud, private cloud, on-premises or hybrid
Diagram labels: Application ecosystem (application development support); Device ecosystem (Mbed OS embedded in chips and modules); Connectivity management service; Device management service; Data management service; Security between devices and data; Pelion; Enterprise data + other data.
Device Management
Effective device management is the key to getting value from data
Effective IoT device management ensures data is delivered securely and reliably from the right devices at the right time
• Device provisioning and onboarding
• Device life-cycle management
• Secure software update
• Access control
• Device health monitoring
Diagram: devices and their context (equipment, process, environment, parts, materials, people) send device data through Device Management to applications, which return insights, optimizations and responses.
Market opportunity
The commercial and industrial sector, driven by building automation, industrial automation, and lighting, will account for nearly 50% of new connected devices between 2018 and 2030.
Source: IHS Markit
Heterogeneity: enablers and blockers to scale
• Heterogeneity in device classes
• Multiple connectivity methods: WiFi, Cellular, Ethernet, LPWAN, Zigbee, Bluetooth & Bluetooth Low Energy
• Heterogeneity in service deployment
Standards in the context of IoT application layer protocols
Commercial and technical drivers:
• A seal of approval
• Defragmentation / interoperability
• Domain-specific challenges
• Players' level of interest
Spectrum of choices: proprietary, any standard, specific standard
IoT security requires addressing complex challenges
• Secure provisioning of cryptographic device identity at untrusted factories
• Managing the public key infrastructure used by device identities at scale
• Device protection and security
• Renewing device security by remote software updates
• Controlling access to devices, services and data by users and apps
• Integration with enterprise IT infrastructure
• Regulation compliance and risk management
IoT Scale
IoT Device Classes: a landscape of multiple verticals, a wide range of use cases and a wide variety of devices
Solving connection and deployment challenges with standards
Access to the reliable connectivity portfolio that developers need
IoT connectivity: developers build applications that communicate through REST APIs
→ Simplified development
→ Hardware portability
→ Products can have multiple connectivity options (e.g. NB-IoT)
Application integration and options for deployment (cloud architecture): Cloud, On Premises (OpenStack, HW data center, IaaS), other clouds
Using the same SW technologies with cloud and on-premises
Identical features and capabilities
Gateways: a critical piece of IoT infrastructure. Through 2020, 90 percent of IoT projects will use some form of IoT gateway
Not all devices can connect (directly) to the cloud
• Non-IP devices
• Legacy devices with legacy protocols (brownfield devices)
Not all data can or needs to go to the cloud
• Latency
• Offline operation
• Security and privacy needs
• Data conservation
• Simplification
High-Level System Architecture: Cloud-hosted instances
Typical device management topology
Diagram: Device + Client (standard cloud topology) connects, directly or via a gateway, to the Device Management Cloud; traffic flows on to the Customer Cloud, where the customer application server is hosted, enabling enhanced customer applications and services. (Sample meter readings shown in the figure: kWh 139392.)
Cloud orchestration
Cloud Components Deployment View
The components and deployment of Device Management services
Diagram: the Device Management microservices (Identity & Access Mgmt, Update, Device Catalog, Message Bus, Connector, Billing, API GW) run on Kubernetes over cloud computing HW across Zone A, Zone B and Zone C, each zone fronted by a load balancer and a controller, alongside App #1, App #2 and App #3.
Deployment Choice - Public cloud and on-premises
Some use cases and geographies require other deployment options due to:
• Regulations: certain industries require data to be stored in private data centers
• Security: private deployments may enable data to be stored more securely
• Full control: enterprises need total control of their systems, data and processes
• Technical limitations: maintain operation in locations with limited connectivity
• Differentiation: enabling IoT device management business models for end-customers
• Use cases: utilities, smart grid
• Usage regions
On-premises orchestration
On-premises perspective on device management
Diagram: on HW running OpenStack and Kubernetes, the Device Management microservices (Identity & Access Mgmt, Update, Device Catalog, Message Bus, Connector, Billing, API GW) sit behind a firewall & load balancer and a controller; supporting infrastructure includes Core OS, a Docker registry, a jumpbox, Application #1, DNS, an HSM, an external CA, NTP and SMTP.
IoT Security
PSA principles: a recipe for building a secure system from analysis to architecture
Identify key common principles across multiple use cases:
• Device identity
• Trusted boot sequence
• Secure over-the-air software update
• Certificate-based authentication
Stages:
• Analyze: threat models & security analysis
• Architect: software architecture, hardware requirements, specifications (firmware architecture & hardware specifications)
• Implement: open source code
Matching the Vulnerability with the Right Mitigation
PSA Analysis Stage: assess the potential vulnerabilities
• Software: buffer overflows, interrupts, malware
• Physical: non-invasive, invasive
• Lifecycle: code downgrade, ownership changes, unauthorized overproduction, debug hacks
• Communication: man-in-the-middle, weak RNG, code vulnerabilities
Mitigations:
• Physical mitigation: Arm SecurCore, Arm Cortex-M35P, CryptoCell-312P, CryptoIsland-300P
• Software mitigation: Arm TrustZone, CMSIS-Zone, Arm Keil MDK and Arm processors with TrustZone support
• Lifecycle mitigation: Arm CryptoCell & CryptoIsland, Arm Pelion IoT Platform, Arm CoreLink SDC-600
• Communication mitigation: Arm CryptoCell & CryptoIsland, Arm Pelion IoT Platform
Device life-cycle security
• Manufacturing: configuring devices with a trusted, verifiable, unique cryptographic identity ("birth certificate") at the time of manufacturing
• On-boarding:
  Commissioning – securely configuring network credentials and operational parameters
  Bootstrapping – authenticating and configuring devices with operational keys ("driver's license")
• Regular use: securely updating device software remotely; monitoring device health; controlling access to devices in the field
• Decommissioning: removing devices from the network; securely wiping sensitive key material from the device
Device access control and security: How, when and who can access devices?
Devices are often installed outside of the security perimeter, but are part of an enterprise network
Device passwords are typically used to control access to devices
Device passwords are virtually impossible to manage
• Often shared across devices and people
• Create easily-exploited security backdoors
Delegated access control
Overcomes inherent vulnerabilities of using passwords for device access control
Solve the problem with an implementation of the IETF ACE standards
• Authentication of users – controls permissions of specific users based on their current status in the company
• Granular authorization – grants very detailed permissions to specific users, e.g. a single configuration parameter
Diagram: two-step flow (1, 2) through an Authorization Server
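The delegated access control pattern above, as an added example (not Arm's or Pelion's code): an Authorization Server grants a short-lived, device-bound token only to a user whose company status is still active and only for the scope that user is entitled to, and the device enforces that scope locally instead of checking a shared password. It assumes an HMAC-signed token and a key shared at bootstrapping in place of real ACE CWT/COSE tokens; the user directory, device name and scope strings are constructed sample data.

```python
import base64, hashlib, hmac, json, time

# Constructed per-device key, shared between AS and device at bootstrapping (not a real key)
DEVICE_KEY = b"constructed-per-device-key"

# Constructed user directory: the user's current status drives what the AS will grant
USERS = {
    "alice": {"status": "active", "scopes": {"meter-42": ["cfg:threshold:write", "cfg:*:read"]}},
    "bob": {"status": "left-company", "scopes": {"meter-42": ["cfg:*:write"]}},
}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def scope_covers(granted: str, requested: str) -> bool:
    """'cfg:*:read' covers 'cfg:threshold:read'; every segment must match or be '*'."""
    g, r = granted.split(":"), requested.split(":")
    return len(g) == len(r) and all(a == b or a == "*" for a, b in zip(g, r))

def issue_token(user: str, device: str, scope: str, now=None, ttl=300):
    """AS side: token only for an active user and a scope within their entitlement."""
    rec = USERS.get(user)
    if rec is None or rec["status"] != "active":
        return None  # a user who left the company gets nothing new; old tokens die via ttl
    if not any(scope_covers(g, scope) for g in rec["scopes"].get(device, [])):
        return None
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "aud": device, "scope": scope, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(DEVICE_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(tag)

def device_authorize(token: str, device: str, action: str, now=None) -> bool:
    """Device side: verify MAC, audience and expiry, then check the action against scope."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = unb64(body_b64), unb64(tag_b64)
    except ValueError:
        return False
    expected = hmac.new(DEVICE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    claims = json.loads(body)
    now = int(time.time()) if now is None else now
    if claims.get("aud") != device or claims.get("exp", 0) <= now:
        return False
    return scope_covers(claims["scope"], action)
```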
Pelion Device Management
Pelion Device Management makes IoT deployment and management easy
Diagram labels:
• Devices: non-IP devices and IP-connected devices; IoT devices and applications; Mbed OS Device Management client; secure root-of-trust built into the device
• Connection methods: Zigbee, Bluetooth & Bluetooth Low Energy, LPWA (Low Power Wide Area) networks; gateway connection; WiFi, cellular, Ethernet
• Edge computing: gateway management; multi-protocol device and access management; data protocol conversion
• Managed network: LPWAN
• Device management: secure provisioning of assets and identities; energy-efficient connectivity; endpoint/gateway device management; firmware deployment and update campaigns; endpoint/gateway computing and access management
• Customer applications and services: servers, storage, rules engine, web analytics, integration, custom applications
Pelion device management service
Securely manage every network-connected IoT device throughout its lifecycle
• Centralized management of all IoT devices
• Any device can be connected
• Supports every cloud, from public to on-premises
• Secure provisioning of assets and identities
• Energy-efficient connectivity
• Supports both endpoints and gateways
• Firmware updates
• Endpoint/gateway access management
(Developer management console)
A rich platform supporting diverse use cases
Pelion: using data to create new revenue opportunities
Management of devices and connectivity drives increased adoption of data services
• Data management service: reliable, integrated and managed data for every use case; rich datasets for analysis
• Device management service: support for hybrid cloud in constrained environments; a unified client abstraction for distributed device profiles
• Connectivity management service: an all-in-one service for operators within IoT ecosystems in various regions; unified connectivity management
Diagram labels: Pelion, control, data
Thank You! Danke! Merci! 谢谢! ありがとう! Gracias! Kiitos! 감사합니다 धन्यवाद