A Pattern for Secure Uploads and Downloads in AWS IoT

March 15th, 2018 | Greg Straw | Security

Suppose you have a large fleet of connected sensors, all gathering data and triggering events based on conditional logic within the device. It’s one thing to provide event notifications, but what about all the continuous readings and status data? This data is likely to be much larger than what is selected for triggering an event or notification. This data may be able to provide valuable insights, and is where analytics can provide incredible value.

If we want to leverage this data we first must consider how to ship it to the cloud, which forces us to think about security. Uploading data is not the only consideration when it comes to IoT. We must also consider the secure delivery of large amounts of configuration or firmware data to and from a connected device.

How to secure file transfers in AWS IoT: A Use Case

In the AWS ecosystem where we have a device connected using AWS IoT, you could download or upload a large amount of data by partitioning the data into individual MQTT messages and re-assembling after receipt. Assuming the packetization process also encrypts the data, this would certainly be secure. However, that’s not an efficient use of AWS IoT costs (paid by MQTT Message), and unnecessarily complicated since it requires partitioning and reassembling, and likely some form of acknowledgement or QoS increase to ensure all the data arrives successfully….

Principle of Least Privilege: An Introduction

March 1st, 2018 | Aaron Day | Security

Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job. – Jerome Saltzer

In an effort to better serve our clients, SpinDance is building an internal cross-project team which will focus on the security aspects of the applications. This team will review design, implementation, and deployment of customer projects and perform testing to ensure the clients' applications and data are as safe and secure as possible. The team will also be providing internal training to the development teams, teaching high-level concepts and application of those concepts to spread the skills throughout the engineering side of the company. This article is an adaptation of some of the topics that will be covered.

What is the Principle of Least Privilege?

A main tenet of secure system design is layered security. The principle of least privilege is one of the building blocks of layered security. The idea of the principle of least privilege is that a user’s or program’s access is the minimum necessary to complete the intended task. In the event of a compromise, the damage is limited to elements of the system the original process is able to access. Using the principle of least privilege decreases exposure and damage, thereby increasing the security of a system. This adds a layer of security to the system by protecting the remaining components of the system which the process does not have access to affect….

Internet of Things Security with AWS IoT Core: A Brief Use Case

February 11th, 2018 | Brian Ensink | Security

As the Internet of Things plays a more prominent role in the lives of consumers, you’re likely to use these “things” everywhere. Devices can be found in your office, car, home, even on your wrist or clipped to your clothing – as such, they have access to your most vital and sensitive information. But how often do you consider the security implications of relying on IoT for your day-to-day life? As engineers, we think about Internet of Things security so consumers don’t have to. “How do we secure it?” is one of the most important and required questions to answer for any piece of software, occurring during the design and implementation phase of a product. At SpinDance, we want our solid end-to-end security design to be reinforced by secure tools. This is where AWS IoT Core shines.

What is AWS IoT Core?

At SpinDance we have invested time and effort into building useful components to better support future IoT projects, which has helped us build expertise in securing the communication between the device and the cloud. One of the solutions we’ve spent a significant amount of time with is AWS IoT Core. AWS IoT Core is Amazon’s foundation to build the Internet of Things. IoT Core supports connecting devices or things to a lightweight message broker to communicate with mobile, web and cloud apps,…
