Читать книгу Service Level Management in Emerging Environments - Nader Mbarek - Страница 21

The security of information systems is made up of all technical, organizational, legal and human resources required to prevent the unauthorized use, misuse, modification or hijacking of the information system. At present, security is a major challenge in the information world and the goal of security in this context is to maintain the trust of the users and the consistency of the entire information system. Several norms have arisen around concepts related to security, for example the X800 recommendation by ITU-T (1991), which emphasizes the role played by different security services and their applicability.

The IoT is characterized by an environment that is subject to constraints across several levels, which makes it difficult to adopt security mechanisms that were designed for conventional systems. An IoT environment includes objects with low memory resources and limited computational power. Further, the techniques normally used in conventional networks were designed for systems that contained powerful microprocessors and had high storage capacities (Hanna 2015). Existing security techniques must thus be adapted. Further, the large number of objects in an IoT environment makes it a difficult and onerous task to adapt existing security algorithms. For example, methods and algorithms for identification and controlling access to objects become more and more complex as the number of objects in the environment keeps increasing.

Before a device or a user can access IoT services, mutual authentication and authorization between the device/user and the IoT system must be established in accordance with predefined security policies. Security policies must be drawn up with great precision in order to comprehensively cover all possible use cases and must also follow standardized models in order to respond to the requirements of the IoT. It is, therefore, important to standardize security policies for the IoT environment. Further, access to data or services must be entirely transparent, traceable and reproducible. This results in an enormous volume of trace files created in the IoT environment given the large number of connected objects. Thus, the mechanisms to optimize traceability must be designed for the context of the IoT. In this kind of an IoT environment, a variety of operating systems with different architectures are available for IoT objects. We can cite here, among others, the example of Google’s Android Things (formerly called Brillo) (Google’s Internet of Things Solutions 2018), Huawei’s LiteOS (2018) and Windows 10’s IoT Core (2018). This diversity can make it even more difficult to standardize security mechanisms and measures.

As concerns user privacy, data can be collected in IoT systems without involving the users. In this context, this data feedback must be secured and the user’s privacy must be ensured during the collection, transmission, aggregation, storage, extraction and processing of the data. In order to meet these requirements, the appropriate mechanisms for data confidentiality, data authentication and data integrity must be included within the IoT, while respecting the needs of this kind of environment (ITU-T 2012).

A number of international organizations have worked on concepts related to security and privacy in the IoT, either by offering appropriate security mechanisms or by offering methodologies that can be applied across the layers of their IoT architectures. We thus have the ITU-T Y.2060 recommendation (ITU-T, 2012) that aims to secure the IoT environment by starting with an analysis of the threats that are specific to the IoT application. Then, specific security services and mechanisms will be supported at every layer of the IoT architecture to ensure global security within this environment. In terms of the application layer of the ITU-T reference model, different security services will be considered, such as authorization, authentication, privacy and integrity of application data, and also the protection of privacy. As concerns the network layer, the security services include authentication, confidentiality of the application data and the signaling data (configurations and commands) and the protection of the integrity of the network management techniques. For the lowest level of ITU-T IoT architecture, namely the device layer, the main services and mechanisms offered to guarantee security are authentication, authorization, validation of the device integrity, access control, confidentiality of data and the protection of integrity. Following the recommendation (ITU-T, 2014), several specific security abilities must be considered in the IoT environment: the ability to ensure secured communications to guarantee the confidentiality and integrity of the data during transmission and during storage. Further, the recommendation specifies an ability to provide a secure service that guarantees that fraudulent services will be forbidden and an ability for authentication and mutual authorization between objects and users in accordance with predefined policies to guarantee the security of information access. They are closely tied to the specific needs of IoT applications and depend on their field of application. Recommendation Y.2060 (ITU-T 2012) also emphasizes the need for security functions and mechanisms to be supported by IoT gateways interconnecting the different components of the different layers of the IoT architecture specified by ITU-T. In the following section, we will describe the different security services that must be considered in the IoT environment.