EdgeX June 1-2 Technical Workshop FINAL - w/ Meeting Notes

Zolfonoon, Riaz
 

Dear EdgeX Security Working Group members,

 

I added a few slides to the overall deck as suggested by Brett (see link below). Brett also has identified a Google Doc workspace for us, but I’m waiting for permission to upload the security requirements document. In the meantime, the document is available on the EdgeX doc wiki:

https://wiki.edgexfoundry.org/display/FA/Architecture--Security?preview=/328070/329366/FuseSecurityRequirements-Jan2017.pdf

 

Let’s use this email alias for future communication.

 

Thanks, Riaz

 

 

From: Brett Preston (via Google Slides) [mailto:drive-shares-noreply@...]
Sent: Friday, June 02, 2017 10:41 AM
To: Zolfonoon, Riaz <riaz.zolfonoon@...>
Subject: EdgeX June 1-2 Technical Workshop FINAL - w/ Meeting Notes - Invitation to edit

 

Brett Preston has invited you to edit the following presentation:


 


EdgeX Security WG

Gardner, Doug
 

Team,

The Security Working Group (SWG) confluence page has been updated with today’s presentation and newly created meeting notes.

 

Here is a link:

https://wiki.edgexfoundry.org/display/FA/Security+Working+Group

 

 


Thanks

Doug Gardner

 


Comments: FuseSecurityRequirements-Jan2017.docx

espy
 

Here are my comments on the FuseSecurityRequirements-Jan2017.docx as requested at the security working group meeting last week.

Regards,
/tony

---

= General =

"Snappy" was the original name of Ubuntu Core, it's not really used to describe the product. Ubuntu Core 16 is the proper name of the product, which is a long-term-support (LTS) release.

= Constraints =

"The boot process is assumed to be secure, i.e., system is assumed to have come up securely without any exposure or tampering of the Hardware Root of Trust."

Not all systems have a hardware root of trust. Depending on the host OS and hardware, the system may not have support for TPM-based trusted boot. For instance, the Dell Gateways, while including a TPM, don't support trusted boot. That said, they do support (and enforce) UEFI Secure Boot via Ubuntu Core 16.

2) Attacks on Secrets

Is the available weak default password described on the wiki anywhere? How does this password restrict access to sensitive data? Can you give an actual example?

6) Attacks on Embedded Components

"Remediation: By default, disable network-facing inbound TCP ports for all microservices".

If all microservices disable inbound TCP ports, doesn't that prevent incoming REST API requests from being received by the services?

7) Attacks on Excessive Privilege

"Every microservice runs as root in Snappy; there is no other role or permission level identified for Fuse. As such, the solution does not offer adequate protection against, e.g., a rogue administrator, who performs unauthorized functions maliciously or by accident (due to a misconfiguration of the system)."

While it's true that services delivered via snaps run as root on Ubuntu Core 16, it should be noted that services are confined/sandboxed and thus don't have the same privileges they would on a traditional Linux system. Likewise when the microservices are being run inside Docker containers.

8) Attacks on Installation and Patching

"There are no controls in place (e.g., code signing) to prevent an attacker from introducing a malicious installation or patch package during or after deployment. In particular, microservices are not code signed, nor is there any integrity checking of the Manifest used for deploying them to Docker containers."

I'll point out that if a microservice was delivered as a snap as opposed to a Docker container, the code is signed and verified during installation/update. Also, snaps deliver their code via a read-only filesystem, making such attacks more difficult.

= Recommendations =

2) Encrypt sensitive data at rest (i.e., data held in repositories and files by Fuse microservices)

Who defines what data is sensitive, the end customer? I would think encryption of data such as that held by core data would be an optional feature that a customer could choose to enable, but wouldn't be a default (especially given the potential impact on latency and/or performance).


EdgeX Barcelona MVP

White2, James
 

Good morning everyone.  Looking forward to next week’s technical meetings in London.  Really excited how far this community has already come and the energy that seems to be building with regard to EdgeX.

 

In this post, I would like to provide my take on what I believe is a realistic MVP set for our first release targeted for October and code named Barcelona.  This will be the focus for next week.  I have had discussion with a number of chairs and I want to give my perspective and attempt to set the table for some great discussion and decisions to be made next week.  This perspective comes from what I hear from the community, what I see as the community involvement to date, my knowledge of the current code base, and my estimates on the lift to accomplish the work being proposed.

 

There is a ton of work that could be done and a lot we want to accomplish long term.  The important question for this first release is what must be done, and done by early October!!  So it is time to reduce our appetites and lock in our focus.

 

I’d like to get your reaction and get a discussion going on these channels (along with Rocket Chat).  The more we can exchange on it now, the quicker and more successful our meeting next week can be.

 

I would like to thank John Walsh, Tony Espy, Janko Isidorovic, Andy Foster and many others that have started to lay out their perspective working group goals and outline their MVPs.  My suggestions below are really taken from that work and intersected with my perspective.

Barcelona Goals and MVP as seen by the former Fuse Lead Architect

Barcelona Goals
• Stabilize the platform
• Build community understanding of the platform
• General majority agreement on the architecture
• General majority agreement on micro services and APIs
• General majority agreement on the development of an open, platform independent, technology agnostic platform for the IoT/edge
• General agreement on temporary performance targets

Minimum Viable Product (MVP)

General
• Review and agree/adjust micro service APIs
• Review and agree/adjust object models
• Improve/increase documentation especially for areas of extension (DS SDK, Export Services)
• Harden/stabilize the platform
  ◦ Works properly for the intended use case (it may not be 100% complete implementations for all use cases or parts of a protocol for example, but it provides enough implementation to sustain the demo use cases for Barcelona and could support extension to the full needs or protocol in the future)
  ◦ Handles errors and exceptions gracefully
  ◦ Contains proper unit and integration tests (lacking in DS, supporting services and others)
  ◦ Follows good coding standards, and is well documented (following some prescribed standard per programming paradigm)
  ◦ Performs within the target measures established for Barcelona
    ▪ Examine Kura in detail and adjust performance targets accordingly
• Deliver Docker containers that run on Intel chip for Linux, Windows, Mac

Stretch goals
• Deliver Docker containers that run on Arm chip for Linux

Device Service / DS SDK
• Deliver initial set of 7 Device Services based on Dell contributions (Modbus, BACnet, Bluetooth, SNMP, MQTT, Serial (Fischertechnik), Virtual)
• Clean up SDK (and DSs)
  ◦ Improve documentation
  ◦ Merge device-sdk into SDK tools
  ◦ Improve tooling (Eclipse Plugin)
  ◦ Clean up scheduler

Stretch goals
• Remove redundant code from Device Services/SDK to shared libraries
• Redo/refactor Bluetooth and BACnet DS to be single micro service
• Additional DS provided by additional community participation

Core & Supporting Services
• Clean up some minor issues
  ◦ Logging OOM, Remove Device Manager, etc.

Stretch goals
• Implement configuration callbacks (allowing for configuration changes dynamically without service restart)
• Provide first Go replacements for Data, MetaData, Command (Dell has a start to these already)

Applications (including Export Services, Rules Engine/Analytics)
• Pick and provide at least one cloud connector (Azure IoT Hub has been prototyped by Dell)
• Offer MQTT, REST, ZeroMQ export
• Offer JSON, XML, CSV (not done yet) formats
• Improve module for encryption options
• Deal with potential number of readings, number of client scale problem

Stretch goals
• Implement 2nd cloud connector (ex: Amazon Greengrass, Watson, ???)
• Add additional format offering (ex: Haystack, etc.)
• Add Hyperledger export option

Security
• In general, define the EdgeX security story but postpone a lot of implementation to California
• WG to agree on requirements
• WG to agree on what security features are going to be in EdgeX and what’s going to be provided by the platform that EdgeX runs on (example: the underlying platform must have a keystore)
• WG to define what EdgeX security service(s) need to be eventually implemented
• WG to define what security hooks need to be added to the existing micro services
  ◦ How and with which services would APIs communicate
• WG to define what standards, protocols, etc. are going to be adhered to and followed by EdgeX (ex: IIC specs, OAuth tokens, etc.)
• WG to provide guidance on how security features can/should be tested

Stretch goals
• Add stubbed hooks into micro service code

System Management
• In general, define the EdgeX system management story but postpone a lot of implementation to California
• WG to agree on requirements
• WG to agree on what features are going to be in EdgeX and what is reserved for OS, 3rd party systems, other open source systems, etc.
• WG to define what system management services need to be implemented as part of EdgeX (if any)
• WG to define what system management hooks need to be implemented
• WG to define any system management standards that will be followed/used in system management implementations (ex: LWM2M)

Stretch goals
• Add some simple system management hooks/capability into BaseService of EdgeX micro services (Dell has already done some POC work with things like start, stop, …)

Testing/QA
• Ensure part of code review/code check is to ensure proper unit/integration tests for the code are provided (backed up by code coverage statistics)
• Create a blackbox testing framework to ensure the APIs between services are not broken and to be able to measure performance of a micro service and across multiple micro services to ensure targets are achieved
• Automate blackbox testing on all micro services with each build

Build/CI
• Agree on a base set of policies and procedures around code check in, code approval, governance, etc.
• Utilize the existing LF build process with some additions noted below.
• Create Docker containers and push them to Docker Hub via the build process
• Anoint a Bug Czar to set up a bug management process and monitor, track, and address incoming bugs (along with general support issues across media channels)

Stretch goals
• Automate creation of ARM build/containers.

Event Demo
• Create a working group to define the use case and demo presentation
• Work with the community to get hardware, sensors, etc. donated for the demo
• Create a minimal user interface for EdgeX (could be based on Dell Fuse UI)

As we discuss the MVP, we should also capture what items we believe don’t fit within the constraints of Barcelona and get moved to California.

California Release Goals
• Implement first security and system management services and tie to existing micro services
• Improve performance
• Introduce replacement services as appropriate (ex: Go Core)
• Demonstrate EdgeX in real world POC/Test Bed

Looking forward to the discussion.  Safe travels to all attending London meeting in person.

 

Jim White

Distinguished Engineer, Software Architect

Dell | End User Computing, Chief Technology Office (EUC CTO)

Office +1 512-723-6139, mobile/text +1 612-916-6693

james_white2@...

 


EdgeX Security Team F2F?

David Ferriera
 

Hi All,

   I tried to attend some of the London session remotely.  I missed the Security session, but it looks like the following was agreed for Barcelona:

  • No implementation as MVP
  • Build longer term roadmap – the EdgeX security story
  • Agreement on what security features are going to be in EdgeX and what’s going to be provided by the platform that EdgeX runs on (example:  the underlying platform must have a keystore)
  • Agreement on security requirements
  • Define what EdgeX security service(s) need to be eventually implemented
  • Define what security hooks need to be added to the existing micro services
  • Define what standards, protocols, etc. are going to be adhered to and followed by EdgeX (ex:  IIC specs, OAuth tokens, etc.)
  • Provide guidance on how security features can/should be tested

  I think it would be very helpful for the Security WG to have a F2F to jumpstart progress on the above. Forgerock is willing to host at our office in SF assuming the number of attendees is less than 20 (room size limit).  I was thinking late August would be good timing.  Maybe the week of 8/21?

   I know several members of the Security working group have offices in SF, so I thought it would be convenient.  I am open to other suggestions as well.

 John?  Team?  What do you think?

Thanks,
-David


--
David Ferriera | Forgerock
Director, Cloud Technology | Office of the CTO
t +1 408.454.8189 | w forgerock.com


Re: EdgeX Security Team F2F?

Keith Steele <keith@...>
 

Hi David
I'll raise this on the TSC call tomorrow.
best Regards
Keith Steele
TSC Chair

On 25 July 2017 at 20:14, David Ferriera <david.ferriera@...> wrote:


Re: EdgeX Security Team F2F?

Walsh, John-J <John-J.Walsh@...>
 

I think that is a great idea - we can certainly also host in Tampa. We really do need folks to complete the assignment agreed to at the last two meetings - to consolidate everyone's input. Have only received limited response to date. Doug is going to assist in arranging another phone call - to follow up and get the members status.

John

On Jul 26, 2017, at 6:02 AM, Keith Steele <keith@...> wrote:

_______________________________________________
EdgeX-TSC-Security mailing list
EdgeX-TSC-Security@...<mailto:EdgeX-TSC-Security@...>
https://lists.edgexfoundry.org/mailman/listinfo/edgex-tsc-security


EdgeX Working Group 2's Zoom Meeting

Gardner, Doug
 

Hi there,
 
EdgeX Working Group 2 (Security Working Group)  is inviting you to a scheduled Zoom meeting.
 
Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/377792838
 
Or iPhone one-tap (US Toll):  +14086380968,,377792838# or +16465588656,,377792838#
 
Or Telephone:
    Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
    +1 855 880 1246 (US Toll Free)
    +1 877 369 0926 (US Toll Free)
    Meeting ID: 377 792 838
 
 
 


EdgeX Security WG Team: suggestions for next steps (California)

Alain Pulluelo
 

Hi All,

In the same effort to jumpstart progress on the several deliverables that the Security WG team will soon agree/define, you’ll find a PDF file attached to this email. This is a recap of suggestions and discussion starting points in order to formalize ideas, directions, areas of interest and mandatory topics for the next steps. This non-exhaustive document should help us to define requirements, and execute subsequent approved tasks to deliver security features for the California release milestone.

I understand some of you might not have time to review it before our scheduled call tomorrow, but this is food for thought for our next meetings (calls and F2F), and David and I will be happy to eventually answer questions and comments to refine this document.

Thanks,
//Alain

-- 

Alain Pulluelo

VP Security & Mobile Innovation

ForgeRock Office of the CTO

email: alain.pulluelo@... || PGP Key ID: 0xA222597C



Invitation: EdgeX: Security Working Group - Weekly Call @ Weekly from 8am to 9am on Wednesday from Wed Aug 16 to Wed Dec 27 (PDT) (edgex-tsc-security@lists.edgexfoundry.org)

Brett Preston
 

EdgeX: Security Working Group - Weekly Call

When
Weekly from 8am to 9am on Wednesday from Wed Aug 16 to Wed Dec 27 Pacific Time
Where
https://zoom.us/j/576218946 (map)
Calendar
edgex-tsc-security@...
Who
(Guest list has been hidden at organizer's request)
Hi there,

EdgeX Working Group 2 is inviting you to a scheduled Zoom meeting.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/576218946

Or iPhone one-tap (US Toll): +14086380968,,576218946# or +16465588656,,576218946#

Or Telephone:
Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
+1 855 880 1246 (US Toll Free)
+1 877 369 0926 (US Toll Free)
Meeting ID: 576 218 946
International numbers available: https://zoom.us/zoomconference?m=t6UX5OTIE0SFrIk-9MMnBPbFjE3dZ_xx



EdgeX: Security WG - Weekly call

Brett Preston
 

Members of the EdgeX Security WG mail list,

Weekly call has been scheduled and meeting invite sent to the mail list.

If you are unable to easily add to your calendar client, please send me a direct email and I can add you individually to the recurring meeting series.

Thank you,


Brett

--
Brett Preston
The Linux Foundation
+1 (971) 303-9030
bpreston@...

Google Talk: bpreston@...
Skype: bprestoncf


Updated Invitation: EdgeX: Security + Systems Mgmt Working Group - Weekly Call @ Weekly from 8am to 9am on Wednesday from Wed Aug 16 to Wed Dec 27 (PDT) (edgex-tsc-security@lists.edgexfoundry.org)

Brett Preston
 

This event has been changed.

Changed: EdgeX: Security + Systems Mgmt Working Group - Weekly Call

When
Weekly from 8am to 9am on Wednesday from Wed Aug 16 to Wed Dec 27 Pacific Time
Where
https://zoom.us/j/576218946 (map)
Calendar
edgex-tsc-security@...
Who
(Guest list has been hidden at organizer's request)


Re: EdgeX: Security WG - Weekly call

Brett Preston
 

+ extending scope of call to the Systems Mgmt Working Group as well

*** A reminder, if anyone is not showing the call on their calendars (starting at 8am PDT today), just send me a direct email and I can add your email address directly to the meeting invitation series.

Thank you,


Brett

On Thu, Aug 10, 2017 at 3:57 PM, Brett Preston <bpreston@...> wrote:



--
Brett Preston
The Linux Foundation
+1 (971) 303-9030
bpreston@...

Google Talk: bpreston@...
Skype: bprestoncf


Invitation: EdgeX: Security + Systems Management WGs Face-to-Face Mee... @ Tue Aug 29, 2017 1pm - 5pm (PDT) (edgex-tsc-security@lists.edgexfoundry.org)

Brett Preston
 

EdgeX: Security + Systems Management WGs Face-to-Face Meeting - Day 1

When
Tue Aug 29, 2017 1pm – 5pm Pacific Time
Where
https://zoom.us/j/149670643 + VMware Campus, 3401 Hillview Ave, Palo Alto, CA 94304 (map)
Calendar
edgex-tsc-security@...
Who
(Guest list has been hidden at organizer's request)
Meeting Location:
VMware Campus, 3401 Hillview Ave, Palo Alto, CA 94304

*** Those attending in person are requested to RSVP to info@... by Tuesday, August 22

---

Dial-in information:

EdgeX Working Group 2 is inviting you to a scheduled Zoom meeting.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/149670643

Or iPhone one-tap (US Toll): +16465588656,,149670643# or +16468769923,,149670643#

Or Telephone:
Dial: +1 646 558 8656 (US Toll) or +1 646 876 9923 (US Toll)
+1 877 369 0926 (US Toll Free)
+1 877 853 5247 (US Toll Free)
Meeting ID: 149 670 643
International numbers available: https://zoom.us/zoomconference?m=jO01DqEGq35hMoUYoos-UgD2jb9se5Bi

-----

Agenda (will be kept up to date on https://wiki.edgexfoundry.org/display/FA/29+and+30+August+2017%3A+Palo+Alto%2C+CA)

Tuesday Aug 29
• Noon (PDT): Arrival and Check-in. Lunch is available in the VMware cafeteria in the building
• 1:00 PM (PDT): Meeting Start
• 3:00 PM (PDT): Coffee/Dessert break
• 5:00 PM (PDT): Meeting End
• 6:30 PM (PDT): Security Team Dinner (location TBD)

Wednesday Aug 30
• 8:00 AM (PDT): Arrival with Breakfast and Coffee
• 8:30 AM (PDT): Meeting Start
• Noon (PDT): Lunch at the VMware cafeteria
• 3:00 PM (PDT): Coffee/Dessert break
• 5:00 PM (PDT): Meeting End
• 6:30 PM (PDT): Optional Security Team Dinner (location TBD)



Invitation: EdgeX: Security + Systems Management WGs Face-to-Face Mee... @ Wed Aug 30, 2017 8:30am - 5pm (PDT) (edgex-tsc-security@lists.edgexfoundry.org)

Brett Preston
 

EdgeX: Security + Systems Management WGs Face-to-Face Meeting - Day 2

When
Wed Aug 30, 2017 8:30am – 5pm Pacific Time
Where
https://zoom.us/j/952399945 + VMware Campus, 3401 Hillview Ave, Palo Alto, CA 94304 (map)
Calendar
edgex-tsc-security@...
Who
(Guest list has been hidden at organizer's request)
Meeting Location:
VMware Campus, 3401 Hillview Ave, Palo Alto, CA 94304

*** Those attending in person are requested to RSVP to info@... by Tuesday, August 22



OS and platform security

Stuart Yoder
 

All,

To follow up in writing with my comments on the call today...

In addition to the northbound and southbound interfaces there should be a statement about what assumptions and/or requirements there are with respect to the OS and hardware platform security.

The hardware platform is the system hardware, firmware, bootloaders.  The hardware platform security would include things like hardware root-of-trust, secure boot, secure storage for secrets, and hardware-based attestation mechanisms.  The OS would provide security interfaces based on those mechanisms.

What assumptions, if any, will EdgeX have about the underlying OS and system it is running on?

Potential places where EdgeX may intersect with hardware platform security:
  • How will the EdgeX stack know if it is running on a system with a compromised OS or firmware?
  • Will there be attestation requests from the northbound direction that the EdgeX system must reply to?  How will that be done and what OS and hardware platform security support is needed?
  • Is there data that EdgeX must sign?  If so, where are the keys kept?  Is secure storage needed?
Last week Tony pointed out that there will be systems running EdgeX without a hardware root of trust.  It may be that some kind of differentiation is needed between systems that are fully secure (with a hardware root of trust) and ones that are not.  Perhaps there should be 'secure' and 'non-secure' profiles.

In the end the security of the software stack is only going to be as good as the security of the platform it is running on.

Thanks,
Stuart Yoder
System Architect, ARM


EdgeX: Security + Systems Mgmt F2F Meeting in Palo Alto [RSVP requested]

Brett Preston
 

Members of the EdgeX Security + Systems Management mail lists,

As discussed over email and during last call(s), the group will be meeting face-to-face in Palo Alto on August 29 + August 30 at the VMware campus.

Those planning to attend in person are required to RSVP in advance of the meeting.

So that we may accurately gage participation both in-person, as well as dial-in, please reply directly to me indicating if you will be attending (and planned in-person or dial-in).

Responses requested by EOD Wednesday, August 23.


Thank you,


Brett

--
Brett Preston
The Linux Foundation
+1 (971) 303-9030
bpreston@...

Google Talk: bpreston@...
Skype: bprestoncf


Canceled Event: EdgeX: Security + Systems Mgmt Working Group - Weekly Call @ Wed Aug 30, 2017 8am - 9am (PDT) (edgex-tsc-security@lists.edgexfoundry.org)

Brett Preston
 

This event has been canceled and removed from your calendar.

EdgeX: Security + Systems Mgmt Working Group - Weekly Call

When
Wed Aug 30, 2017 8am – 9am Pacific Time
Where
https://zoom.us/j/576218946 (map)
Calendar
edgex-tsc-security@...
Who
(Guest list has been hidden at organizer's request)


Re: EdgeX: Security + Systems Mgmt F2F Meeting in Palo Alto [RSVP requested]

Brett Preston
 

A reminder to please let us know if you plan on participating in the Security/Systems Mgmt WG F2F meeting next week.

Would also be good to capture those who plan on dialing in, so we can gage projected participation both in-person as well as on-line.

Thank you,


Brett


On Mon, Aug 21, 2017 at 9:07 AM, Brett Preston <bpreston@...> wrote:



--
Brett Preston
The Linux Foundation

Skype: bprestoncf


Re: EdgeX: Security + Systems Mgmt F2F Meeting in Palo Alto [RSVP requested]

Gabriella Poczo
 

Hi Brett,

I will be there in person.

Looking forward to meeting everyone.

Best,
-gabriella

________________________
Gabriella Poczo
Chief Product Officer
Sixgill, LLC
312 Arizona Ave
Santa Monica, CA 90401
gpoczo@...
Mobile: 424.291.2264
www.sixgill.com




On Aug 24, 2017, at 7:34 AM, Brett Preston <bpreston@...> wrote:
