[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: oBIX and Security
So we touched on Security today in the meeting. In the last oBIX series, we pretty much skipped right over Security. The security sub-committee, after much thought, suggested folks use passwords and that we support HTTPS. This was both good and bad.

This week, RSA has been meeting and my news feeds are full of stories like those below.

  Vint Cerf: 'The internet of things needs to be locked down'
  RSA Conference: Age of internet of things is upon us
  RSA 2013: Vint Cerf Issues Challenge To Secure Internet Of Things

First, what's good about what we did with security last time? Well, what's good is that we didn't do it. We did not create some absolutely required greatest security of 2005, regularly hacked by script kiddies since 2008, and mandatory on all implementations. Security should be composable, i.e., added into the standard as needed. Some scenarios have large risks, large sums of money at risk, or strong implications for privacy, and others do not. Users of the [oBIX] specifications should be able to compose in the appropriate security for their needs. That is the good news: that we did nothing.

The bad news is that we did nothing. There is no framework for security in the current oBIX. We do not distinguish between points known only to the integrator, points settable by the tenant, and points visible to the passer-by. And there is no practical way to secure a point. What would it even mean? Secure all points, sure. But if I have 10,000 points, there is no useful way to apply ACLs to each of them. Groups of points, which somehow share something in common, can be secured together. Policy-based security, declarative security, can be applied to groups of points that are somehow similar. oBIX today has no way to declare "similar".

Security always requires a context. We have no means to set context. Does an oBIX building have 20 tenants? Is each of these tenants able to view their own energy usage, and set their own thermostats? Is it a school, where the various tenants are competing on energy use, and can see all, but only manage their own space? Is the ability to discover that certain systems are in a building a security risk? (Universities and research facilities like to keep quiet about their animal care facilities.) We must have a way to segment oBIX, even as points get relayed through multiple systems to the cloud.

Today we discussed the intersection of BIM and oBIX. Once the building is built, BIM is about space. People and business processes inhabit space. Building systems are installed in space. Space is the semantic middleware between the oBIX points and the services they provide. Perhaps BIM, when known, where present, can provide part of a semantic framework for policy-based security. "Tenants can set all thermostats in space that they lease" can lead to automated unraveling of what space this tenant leases, to what spaces are in the oBIX server, to what points relate to that space. BIM should be part of the security framework we define in oBIX. Actual security details are to be composed later. BIM can provide the hooks.

http://www.newdaedalus.com/articles/bouncer-or-prison-guard.html

tc

"If something is not worth doing, it's not worth doing well" -- Peter Drucker
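The following is an added illustration, not part of the post above and not oBIX or BIM code, of what the "tenants can set thermostats in space they lease" policy looks like when the lease is resolved through a space model rather than per-point ACLs. The tenant names, space ids, point hrefs and point inventory are all constructed for the example; the three visibility classes (integrator-only, tenant-settable, visible to the passer-by) and the office vs. school scenarios come from the post.

```python
"""Declarative, space-resolved access policy over a set of building points.

Added example; names, hrefs and the lease model are constructed, not real
oBIX or BIM data.  Default deny: a request is granted only if some rule for
the subject's role covers both the action and the point.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional


class Visibility(Enum):
    INTEGRATOR = "integrator"  # known only to the integrator
    TENANT = "tenant"          # settable by the tenant who leases the space
    PUBLIC = "public"          # visible to the passer-by


@dataclass(frozen=True)
class Point:
    href: str
    space: str            # space id the point serves (hypothetical BIM ids)
    kind: str             # "thermostat", "energy-meter", "ahu-config", ...
    visibility: Visibility


@dataclass(frozen=True)
class Subject:
    role: str                    # "integrator", "tenant" or "anonymous"
    tenant: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    role: str
    actions: frozenset
    applies: Callable[[Subject, Point], bool]


# Constructed lease model standing in for BIM: tenant -> spaces it leases.
LEASES = {
    "acme": {"floor2-suite200", "floor2-suite210"},
    "globex": {"floor3-suite300"},
}

# Constructed point inventory; hrefs and space ids are made up.
POINTS = [
    Point("/obix/points/ahu1/sp", "roof", "ahu-config", Visibility.INTEGRATOR),
    Point("/obix/points/vav201/sp", "floor2-suite200", "thermostat", Visibility.TENANT),
    Point("/obix/points/meter200/kwh", "floor2-suite200", "energy-meter", Visibility.TENANT),
    Point("/obix/points/vav301/sp", "floor3-suite300", "thermostat", Visibility.TENANT),
    Point("/obix/points/meter300/kwh", "floor3-suite300", "energy-meter", Visibility.TENANT),
    Point("/obix/points/lobby/temp", "lobby", "thermostat", Visibility.PUBLIC),
    Point("/obix/points/vivarium/temp", "basement-b12", "thermostat", Visibility.INTEGRATOR),
]

READ, WRITE = "read", "write"


def leases_space(subject: Subject, point: Point) -> bool:
    """Tenant -> leased spaces -> points in those spaces: the space-model hook."""
    return point.space in LEASES.get(subject.tenant or "", set())


# Office building: tenants read and write only tenant-class points in their
# own leased space, plus read public points; passers-by read public only.
OFFICE_POLICY = [
    Rule("integrator", frozenset({READ, WRITE}), lambda s, p: True),
    Rule("tenant", frozenset({READ, WRITE}),
         lambda s, p: p.visibility is Visibility.TENANT and leases_space(s, p)),
    Rule("tenant", frozenset({READ}), lambda s, p: p.visibility is Visibility.PUBLIC),
    Rule("anonymous", frozenset({READ}), lambda s, p: p.visibility is Visibility.PUBLIC),
]

# School: tenants compete on energy use, so every tenant may read every
# tenant-class energy meter, but still writes only inside its own space.
SCHOOL_POLICY = OFFICE_POLICY + [
    Rule("tenant", frozenset({READ}),
         lambda s, p: p.kind == "energy-meter" and p.visibility is Visibility.TENANT),
]


def allowed(policy: List[Rule], subject: Subject, action: str, point: Point) -> bool:
    """Grant iff some rule for this role covers the action and the point."""
    return any(r.role == subject.role and action in r.actions and r.applies(subject, point)
               for r in policy)


def discoverable(policy: List[Rule], subject: Subject, points=POINTS) -> List[str]:
    """Segmentation: a subject can only discover points it may at least read."""
    return [p.href for p in points if allowed(policy, subject, READ, p)]


def point(href: str) -> Point:
    return next(p for p in POINTS if p.href == href)


if __name__ == "__main__":
    acme = Subject("tenant", "acme")
    print("acme writes vav201:", allowed(OFFICE_POLICY, acme, WRITE, point("/obix/points/vav201/sp")))
    print("acme writes vav301:", allowed(OFFICE_POLICY, acme, WRITE, point("/obix/points/vav301/sp")))
    print("passer-by sees:", discoverable(OFFICE_POLICY, Subject("anonymous")))
    print("acme sees (school):", discoverable(SCHOOL_POLICY, acme))
```

The point of the shape is that no rule names a point: the ACL work is done once, by the predicate that walks tenant to leased space to point, and swapping the office policy for the school policy is one extra rule rather than a re-grant across 10,000 points. The integrator-only vivarium point never appears in any tenant's or passer-by's discovery result, which is the segmentation the post asks for.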