The Internet of Things on AWS – Official Blog

How to improve security at the edge with AWS IoT services

Introduction

Edge computing, also known as fog computing and mobile computing, is a computing model that brings processing and data closer to the customer. By moving data closer to the customer, organizations need to review, and possibly expand, their security controls to ensure that their data is protected. In this blog I want to focus on how AWS IoT services, specifically AWS IoT Greengrass V2, AWS IoT Core, AWS IoT Device Defender, and AWS IoT Device Management, can help organizations extend their security controls for encrypting, accessing, and governing data that is outside their cloud or on-premises environment.

Understanding AWS IoT Greengrass V2

AWS IoT Greengrass V2 is an open source Internet of Things (IoT) edge runtime and cloud service that helps you build, deploy, and manage IoT applications on your devices. You can use AWS IoT Greengrass to build software that enables your devices to act locally on the data that they generate, run predictions based on machine learning models, and filter and aggregate device data. From an edge security perspective, it addresses data protection, device authentication and authorization, identity and access management, compliance validation, code integrity, and configuration and vulnerability analysis. It enables devices to collect and analyze data closer to the source of information, react autonomously to local events, and communicate securely with each other on local networks. IoT devices can also communicate securely with AWS IoT Core, which is a managed service that lets connected devices interact easily and securely with cloud applications and other devices and exports IoT data to AWS.

Figure 1 – High-level diagram showing the components of an IoT deployment

AWS IoT Greengrass uses X.509 certificates, AWS IoT policies, and IAM policies and roles to secure the applications that run on devices in your local environment.

Figure 2 – How AWS IoT Greengrass communicates with IoT devices

Using AWS IoT Greengrass with AWS IoT Core policies

As businesses use technology to transform their business processes, they may choose to deploy devices outside of traditional datacenters. For example, electrical utilities may install smart meters to provide real time data on electricity consumption. Prior to smart meters, electrical utilities sent crews across their network to manually read electric meters. This data would be hand written on forms, or more recently, input into a mobile device. In either case, the data was validated by a crew member and then sent to the datacenter for processing. With smart meters, electrical utilities need to ensure that the collected data hasn’t been tampered with and that receiving the data doesn’t pose a risk to downstream systems such as billing.

Electrical utilities can use AWS IoT Greengrass to ensure that their data is protected when operating at the edge in 3 ways:

First, AWS IoT Greengrass ensures that the devices accessing the data are trusted by using mutual TLS authentication with X.509 certificates. AWS IoT Greengrass core managed devices use certificates and AWS IoT Core policies to connect to AWS IoT Core for accessing cloud resources. When your device or other client attempts to connect to AWS IoT Core, the AWS IoT Core server will send an X.509 certificate that your device will use to authenticate the server. Authentication takes place at the TLS layer through validation of the X.509 certificate chain. Client certificates need to be created and installed on the device before it can connect to AWS IoT Core. This ensures that only authorized devices can connect to IoT Core. AWS IoT Core helps customers create both server and client certificates and helps manage the lifecycle of the certificates. As a result, it reduces the security risk when operating at the edge.

Second, AWS IoT Greengrass helps customers create and enforce a least-privilege security model for data access when operating at the edge, by using AWS IoT Core policies. AWS IoT Core policies are JSON documents and follow the same conventions as IAM policies. AWS IoT Core policies allow you to control access to AWS IoT Core operations, such as connecting to the AWS IoT Core message broker, sending and receiving MQTT messages, and getting or updating a device’s shadow.

Third, AWS IoT Greengrass ensures that when your data leaves the cloud for the edge, it remains secure through encryption in transit and at rest. All data sent to AWS IoT Core is sent over a TLS connection using MQTT, so it is secure by default in transit. AWS IoT Greengrass devices collect data and then send it to other AWS services for further processing. Additionally, electrical utilities can leverage FreeRTOS to ensure that data stored on the thing is encrypted, providing end-to-end encryption.

When operating at the edge, AWS IoT Greengrass allows electrical utilities to create and enforce a more stringent data protection policy using a single platform. Based on this example, customers are able to benefit from AWS’ security investments to ensure that their data is protected when residing outside of the cloud.
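The least-privilege point above can be checked locally before a policy is attached to a device certificate. The following is an added example, not code from the original post or from AWS: it compares a wildcard AWS IoT Core policy with one scoped to a single smart meter's own client ID and topic, and flags wildcard grants. The account ID, region, and topic layout are constructed placeholders, and the helper names are hypothetical.

```python
# Constructed policies: account ID, region and topic names are placeholders.
ARN = "arn:aws:iot:us-east-1:123456789012:"
THING = "${iot:Connection.Thing.ThingName}"  # AWS IoT thing policy variable

WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": ARN + "client/" + THING},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": ARN + "topic/meters/" + THING + "/readings"},
    ],
}


def as_list(value):
    """Policy fields may hold a single item or a list of items."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def resource_is_unscoped(arn):
    """True for "*" and for ARNs whose resource part is "*" or "<type>/*"."""
    if arn == "*":
        return True
    parts = arn.split(":", 5)
    if len(parts) < 6:
        return False
    return parts[5] == "*" or parts[5].split("/", 1)[1:] == ["*"]


def find_overly_permissive(policy):
    """Return (statement index, reason) for each wildcard grant in Allow statements."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((index, "wildcard action " + action))
        for arn in as_list(stmt.get("Resource")):
            if resource_is_unscoped(arn):
                findings.append((index, "unscoped resource " + arn))
    return findings
```
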

Using AWS IoT Greengrass with AWS IoT Device Defender and AWS IoT Device Management

As we look at how technology has become more pervasive in our lives, we realize that there are now a number of devices that are installed in our homes. Everything from smart thermostats to smart speakers, and televisions to gaming consoles, all require connectivity to the cloud. Different device manufacturers may take different approaches to device security. For example, a new company develops a device to monitor fitness. This company needs to deploy its new fitness monitor across different environments with varying network security controls. As a result, the company needs to ensure that its devices aren’t compromised by a network-based attack or the physical introduction of malicious code. The company decides to leverage AWS IoT Greengrass and can use a complementary service called AWS IoT Device Defender to ensure that the IoT devices remain secure when operating at the edge. AWS IoT Device Defender helps the company audit the configuration of its devices, monitor connected devices to detect abnormal behavior, and mitigate security risks. It also helps the company enforce consistent security policies across its AWS IoT device fleet and respond quickly when devices are compromised.

The company can use AWS IoT Device Defender to help ensure its IoT devices maintain an acceptable level of trustworthiness. IoT devices operate in environments that are not all equally protected from malware. As a result, the company might need to audit its devices to ensure that they are not compromised. AWS IoT Device Defender can help the company validate device X.509 certificates, determine if devices have been tampered with, and alert customers if a malicious IoT device is using an existing client ID for authentication. Additionally, AWS IoT Device Defender can generate an alert if roles have been modified to allow access to unrelated AWS services or if roles were altered to be overly permissive.
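To make the client ID reuse case concrete, here is an added example (not from the original post, and not AWS IoT Device Defender's own logic) of the kind of detection involved: it walks connection events and flags a client ID that connects again while an earlier session is still open. The events are constructed, and the record fields are assumptions chosen for this example.

```python
# Constructed connection events, not real AWS output. Field names are assumptions
# for this example: timestamp, event type, client ID, certificate ID, source IP, reason.
ROWS = [
    (100, "Connect", "tracker-17", "cert-aaa", "198.51.100.10", None),
    (160, "Connect", "tracker-17", "cert-zzz", "203.0.113.50", None),
    (161, "Disconnect", "tracker-17", "cert-aaa", "198.51.100.10", "DUPLICATE_CLIENTID"),
    (200, "Connect", "tracker-22", "cert-bbb", "198.51.100.11", None),
    (260, "Disconnect", "tracker-22", "cert-bbb", "198.51.100.11", "CLIENT_INITIATED_DISCONNECT"),
    (270, "Connect", "tracker-22", "cert-bbb", "198.51.100.99", None),
    (300, "Connect", "tracker-30", "cert-ccc", "198.51.100.12", None),
    (330, "Connect", "tracker-30", "cert-ccc", "203.0.113.77", None),
]
FIELDS = ("ts", "eventType", "clientId", "principalId", "sourceIp", "disconnectReason")
EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]


def find_conflicting_client_ids(events, window_seconds=300):
    """Flag client IDs reused while an earlier session is still considered live."""
    live = {}  # clientId -> Connect event of the session believed to be open
    findings = []
    for event in sorted(events, key=lambda e: e["ts"]):
        client_id = event["clientId"]
        if event["eventType"] == "Disconnect":
            # A clean disconnect closes the session; a duplicate-ID kick does not,
            # because the newer connection that caused it is still open.
            if event["disconnectReason"] != "DUPLICATE_CLIENTID":
                live.pop(client_id, None)
            continue
        if event["eventType"] != "Connect":
            continue
        previous = live.get(client_id)
        live[client_id] = event
        if previous is None or event["ts"] - previous["ts"] > window_seconds:
            continue
        if event["principalId"] != previous["principalId"]:
            findings.append((client_id, event["ts"], "different certificate"))
        elif event["sourceIp"] != previous["sourceIp"]:
            findings.append((client_id, event["ts"], "same certificate, new source IP"))
    return findings
```

In the sample data, `tracker-22` reconnects from a new address after a clean disconnect and is not flagged, while the two overlapping sessions are.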

Another complementary service to AWS IoT Greengrass is AWS IoT Device Management, which offers a feature called Secure Tunneling. This feature allows the company to interact with its IoT devices without compromise. It works by creating client access tokens to establish a tunnel between the IoT device and the service. The company can then proxy traffic, such as SSH, over the tunnel to communicate with its IoT devices.

By using AWS IoT Greengrass in conjunction with AWS IoT Device Defender and AWS IoT Device Management, customers can monitor their devices for abnormal behavior while operating at the edge. If a problem is found, customers can use AWS IoT Service features to investigate the anomaly and take corrective action.

Using AWS IoT Greengrass with AWS IoT Core

For a smart lighting company that focuses on retail business, a security risk analysis reveals that additional security controls are needed to ensure the trustworthiness of its IoT devices. AWS IoT Greengrass has features that can mitigate this security concern: first, it enforces the use of the AWS IoT Core registry feature, and second, it integrates with AWS Identity and Access Management (IAM) to limit access to cloud resources. The registry feature of AWS IoT Core allows customers to track device information that helps determine the trustworthiness of the device. For example, the registry can keep track of the MAC address and/or MQTT client ID. As part of the authorization process, the customer can validate the device against the registry. As an added control, our lighting company can leverage the integration of IAM with AWS IoT policies to create an additional control to establish trustworthiness. IAM can be used to create a least privilege model for IoT devices accessing cloud resources. The lighting company can start with creating basic IAM policies that restrict access to only needed functions such as listing an IoT device’s configuration. Additionally, the lighting company can add conditions that combine data from the registry to ensure that only validated MQTT client IDs can access cloud resources.

This example shows how customers can use the registry feature of AWS IoT Core to help lower the risk of operating at the edge in unmanaged networks by ensuring device identities are credible and that devices only have access to the resources they require.
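The effect of tying the MQTT client ID to the registry can be seen in a small local model. This is an added example, not code from the original post and not AWS's policy evaluator: it compares a Connect statement that accepts any client ID with one bound to the registry through the `${iot:Connection.Thing.ThingName}` policy variable and the `iot:Connection.Thing.IsAttached` condition key. Thing names, certificate IDs, account ID, and region are constructed, and the model assumes the client ID equals the thing name.

```python
from fnmatch import fnmatchcase

VAR = "${iot:Connection.Thing.ThingName}"
ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012:client/"  # constructed account/region

# Constructed registry: thing name -> certificate IDs attached to that thing.
REGISTRY = {"lamp-0001": {"cert-aaa"}, "lamp-0002": {"cert-bbb"}}

WEAK_CONNECT = {"Effect": "Allow", "Action": "iot:Connect", "Resource": ARN_PREFIX + "*"}
BOUND_CONNECT = {
    "Effect": "Allow",
    "Action": "iot:Connect",
    "Resource": ARN_PREFIX + VAR,
    "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": "true"}},
}


def connect_allowed(statement, registry, client_id, certificate_id):
    """Simplified model: does this Allow statement admit the connection?"""
    # The thing-name variable resolves only when the client ID names a registered thing.
    thing = client_id if client_id in registry else None
    resource = statement["Resource"]
    if VAR in resource:
        if thing is None:
            return False  # unresolved variable: the statement cannot match
        resource = resource.replace(VAR, thing)
    if not fnmatchcase(ARN_PREFIX + client_id, resource):
        return False
    wanted = statement.get("Condition", {}).get("Bool", {}).get(
        "iot:Connection.Thing.IsAttached")
    if wanted is None:
        return True
    # The presented certificate must be attached to the thing named by the client ID.
    attached = thing is not None and certificate_id in registry[thing]
    return attached == (wanted == "true")
```

With the bound statement, a certificate issued to `lamp-0002` cannot be used to connect as `lamp-0001`, and a client ID that is not in the registry cannot connect at all.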

Conclusion

At AWS, security is job zero. We understand the risks associated with operating at the edge and that customers need additional capabilities to ensure that their data is protected. AWS IoT services can help customers with end-to-end data protection, device security, and device identification to create the foundation of an expanded information security model and confidently operate at the edge. To learn more, please read the whitepaper, Security at the Edge: Core Principles.