A Pattern for Secure Uploads and Downloads in AWS IoT

March 15th, 2018 | Greg Straw | Security

Suppose you have a large fleet of connected sensors, all gathering data and triggering events based on conditional logic within the device. It’s one thing to provide event notifications, but what about all the continuous readings and status data? This data is likely to be much larger than what is selected for triggering an event or notification. This data may be able to provide valuable insights, and is where analytics can provide incredible value.

If we want to leverage this data, we must first consider how to ship it to the cloud, which forces us to think about security. Uploading data is not the only consideration when it comes to IoT. We must also consider the secure delivery of large amounts of configuration or firmware data to and from a connected device.

How to secure file transfers in AWS IoT: A Use Case

In the AWS ecosystem, where we have a device connected using AWS IoT, you could download or upload a large amount of data by partitioning the data into individual MQTT messages and reassembling them after receipt. Assuming the packetization process also encrypts the data, this would certainly be secure. However, it is not an efficient use of AWS IoT costs (paid per MQTT message), and it is unnecessarily complicated, since it requires partitioning and reassembling, and likely some form of acknowledgement or QoS increase to ensure all the data arrives successfully….


Principle of Least Privilege: An Introduction

March 1st, 2018 | Aaron Day | Security

Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job. – Jerome Saltzer

In an effort to better serve our clients, SpinDance is building an internal cross-project team which will focus on the security aspects of the applications. This team will review the design, implementation, and deployment of customer projects and perform testing to ensure the clients' applications and data are as safe and secure as possible. The team will also provide internal training to the development teams, teaching high-level concepts and the application of those concepts to spread the skills throughout the engineering side of the company. This article is an adaptation of some of the topics that will be covered.

What is the Principle of Least Privilege?

A main tenet of secure system design is layered security, and the principle of least privilege is one of its building blocks. The idea is that a user’s or program’s access is the minimum necessary to complete the intended task. In the event of a compromise, the damage is limited to the elements of the system that the original process is able to access. Using the principle of least privilege decreases exposure and damage, thereby increasing the security of a system. This adds a layer of security to the system by protecting the remaining components of the system which the process does not have access to affect….
