First steps: Framework

Hi, I'm Matthew Clark. And this is Module 3: Secure by Design. Congratulations. We've completed Module 2. This slide shows our progress towards our certificate of completion. Let's begin our new module with Lesson 3.1: First steps, the Framework. In this lesson, we'll look at secure by design. We will discuss frameworks in general and introduce the IoT foundation framework. So let's get started. So what is secure by design? A good answer might be that it's building in security capabilities that will cover the lifetime of the device. The next question is, well, how do you do that when there's so many different standards out there like ISO and Nest and INSA and their rapidly evolving legal landscape like GDPR and CCPA and the California IoT law. And the industry has very specific regulations like HIPAA and FISMA and all of that we have to consider. At the same time, the business is continuing to move forward designing and manufacturing IoT products and they're not waiting. In fact, no one's waiting to stop until everything is perfect before moving forward. So what do you do? Well, you can be dramatic like this picture here. Have you ever heard the phrase, "You can't boil the ocean?" Well, if you ever really tried to and were successful, which is highly doubtful, then all the steam from boiling the ocean would end up covering your vision and you wouldn't be able to see whether you were successful or not. And, of course, you'd probably end life as we know it as well. But this saying makes more sense when you have to implement something and the train is already left the station or may be better yet, the boat has left the harbor, so to speak. You do what you can. You start a little and you plan your activities. But the important thing is that you act. The important thing is that when we act, we act with a purpose and frameworks help us to define what to focus on. There are many different types of frameworks and standards and requirements out there from industry and non-profit organizations and government regulators. And this is really just a shortlist. We have the CSA IoT Security Controls Framework, the UK Code of Practice for Consumer IoT Security, the GSMA IoT Security Guidelines, and various guidelines from NIST and ISO and the IEEE organization. So let's introduce the IoT Security Foundation. And this information is pulled directly from their "About Us" page. They are a non-profit organization which are dedicated to driving secure IoT. They're collaborative and vendor-neutral and member-driven. And they have an ongoing program that's designed to propagate good security practice, increase adopter knowledge, and raise user confidence. Well, I'm just, you know, I don't have any personal connection with the foundation. The company I currently work with is a member, and so I'm very familiar with the framework, but I don't have any personal affiliation with them. So this information is directly from their mission. The IoT Security Foundation composes and maintains a comprehensive compliance framework of recommended steps for securing IoT products and services. And we're going to take a look at that framework, learn how to use them, and we're going to take examples from it and apply it to the lessons as we learn them. They also promote the adoption of the compliance framework to IoT service and product providers, IoT System specifiers, purchasers, and policymakers. And the IoT Security Foundation composes and promotes security best practice guidance. We're going to take a look at that pretty deeply in Module 6. The IoT Security Foundation helps to arrange security assurance processes to demonstrate how products and services meet requirements. Let's discuss the IoT security compliance framework. This leads a practitioner through a structured process of questioning and evidence-gathering and ensures suitable security mechanisms and practices are implemented. This compliance framework includes very comprehensive checklist and points out evidence that can be used to declare conformance with those best practices. And the IoT Security Foundation has a best practice user mark that companies can put on their products and services that state that they comply, that they sell certified with the IoT security compliance framework. So how do you use the compliance framework? Well, there's a worksheet that you can download that walks you through the process, but it's very simple. This is it in a nutshell. First, you conduct a risk analysis on the product in the target environment. The IoTSF points out that this is a prerequisite for using their framework because context is everything. You then create a risk register and determine the CIA triad security objectives. Next, you determine the compliance class for each product, and we'll discuss these in the next slide. But the compliance class is based on the confidentiality, integrity, and availability of each product. The target areas of the framework that match the specific products compliance class are then determined. So you complete the checklist and you gather evidence for the compliance purposes. The IoT Security Foundation framework defines five compliance classes, and these classes are from Class 0 through Class 4, with Class 0 having the least impact and Class 4 having the greatest impact and also includes up to personal injury. Class 0 is where compromise to the data generated or loss of control is likely to result in little discernible impact on an individual or organization. And Class 4 is inclusive of all the controls in the lower classes, plus additional controls where compromise to the data generated or loss of control have the potential to affect critical infrastructure or cause personal injury. So on the right-hand side, you'll see an example set of criteria from the IoTSF compliance questionnaire spreadsheet. So this slide lists the high-level sections of the IoTSF compliance questionnaire, and we're not going to read each one of these. You can look at them, but you can see how they're tailored toward IoT device security. In this course, we're going to touch on the majority of these topics, really with the exception just a few of them. We'll talk less about web user interfaces and mobile application security and a lot of the more intricate cloud configuration security parts. A link to the IoT Security Foundation is included in the reference materials. And additionally, the foundation has many different guides and policies that are helpful in different areas of IoT, and this just represents a few of them. We will, as I said earlier, in Module 6, we're going to go over the secure design best practices. In this video, we discussed security by design. We identified frameworks to achieve security by design goals. We took a deep dive into the unknown world of IoTSF compliance framework. Specifically, we looked at the mission and framework, the organization, process, compliance classes, and compliance questionnaire.