AWS wellarchitected high security documentation change
Summary
Restructured content to introduce new best practice numbering (IOTSEC10-BP01 to BP03), added prescriptive guidance for encryption, data classification, and compliance controls. Expanded details on device data lifecycle management, encryption requirements, and governance roles.
Security assessment
The changes explicitly add security documentation around encryption requirements (TLS 1.2 enforcement), secure key storage in hardware secure elements, device quarantine processes, and compliance governance. These address concrete security controls for data protection in IoT systems.
Diff
diff --git a/wellarchitected/latest/iot-lens/data-protection.md b/wellarchitected/latest/iot-lens/data-protection.md index ee3a3a030..3f8f265e6 100644 --- a//wellarchitected/latest/iot-lens/data-protection.md +++ b//wellarchitected/latest/iot-lens/data-protection.md @@ -3 +3 @@ -[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](abstract-and-introduction.html) +[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](iot-lens.html) @@ -5,14 +5 @@ -# Data protection - -Before architecting an IoT application, data classification, governance, and controls must be designed and documented to reflect how the data can be persisted in the cloud, and how data should be encrypted, whether on a device or between the devices and the cloud. Unlike traditional cloud applications, data sensitivity and governance extend to the IoT devices that are deployed in remote locations outside of your network boundary. These techniques are important because they support protecting personally identifiable data transmitted from devices and complying with regulatory obligations. - -During the design process, determine how hardware, firmware, and data are handled at device end-of-life. Store long-term historical data in the cloud. Store a portion of current sensor readings locally on a device, namely only the data required to perform local operations. By only storing the minimum data required on the device, the risk of unintended access is limited. - -In addition to reducing data storage locally, there are other mitigations that must be implemented at the end of life of a device. First, the device should offer a reset option which can reset the hardware and firmware to a default factory version. Second, your IoT application can run periodic scans for the last logon time of every device. Devices that have been offline for too long a period of time, or are associated with inactive customer accounts, can be revoked. Third, encrypt sensitive data that must be persisted on the device using a key that is unique to that particular device. - -In IIoT environments, to allow one-way data flow, access controls can be applied at the connectivity layer using security appliances such as firewalls and data diodes. - -IOTSEC 7: How do you ensure that device data is protected at rest and in transit? ---- - -All traffic to and from AWS IoT must be encrypted using Transport Layer Security (TLS). In AWS IoT, security mechanisms protect data as it moves between AWS IoT and other devices or AWS services. In addition to AWS IoT, you must implement device-level security to protect not only the device’s private key but also the data collected and processed on the device. +IOTSEC10-BP01 Use encryption to protect IoT data in transit and at restIOTSEC10-BP02 Use data classification strategies to categorize data access based on levels of sensitivityIOTSEC10-BP03 Protect your IoT data in compliance with regulatory requirements @@ -20 +7 @@ All traffic to and from AWS IoT must be encrypted using Transport Layer Security -For embedded development, AWS has several services that abstract components of the application layer while incorporating AWS security best practices by default on the edge. For microcontrollers, AWS recommends using [FreeRTOS](https://docs.aws.amazon.com/freertos/latest/userguide/freertos-security.html). FreeRTOS has libraries for Bluetooth LE, TCP/IP, and other protocols. In addition, FreeRTOS contains a set of security APIs that allow you to create embedded applications that securely communicate with AWS IoT. +# Data protection @@ -22 +9 @@ For embedded development, AWS has several services that abstract components of t -For Linux-based devices, AWS IoT Greengrass can be used to accelerate the development and operations of connected device software to extend cloud functionality to the edge of your network. AWS IoT Greengrass implements several security features, including mutual X.509 certificate-based authentication with connected devices, AWS IAM policies and roles to manage communication permissions between AWS IoT Greengrass and cloud applications, and subscriptions, which are used to determine how and if data can be routed between connected devices and AWS IoT Greengrass core. +Before architecting an IoT application, data classification, governance, and controls must be designed and documented. These controls should reflect how the data can be persisted in the cloud, and how data should be encrypted. These controls apply to data whether on a device, in transit between the devices and the cloud, processed in cloud-hosted services, or stored in cloud-hosted persistent storage locations. Unlike traditional cloud applications, data sensitivity and governance extend to the IoT devices that are deployed in remote locations outside of your network boundary. Attention to data classification, governance, and controls is important because IoT devices may handle personally identifiable data which is then transmitted from devices. Compliance with regulatory obligations extends across the IoT solution, from initial data capture at the device through handling and usage within the IoT application, and onward to what follow-on usage is allowed. @@ -24 +11 @@ For Linux-based devices, AWS IoT Greengrass can be used to accelerate the develo -Protect your data at rest by defining your requirements and implementing controls, including encryption, to reduce the risk of unauthorized access or loss. Protect your data in transit by defining your requirements and implementing controls, including encryption, reduces the risk of unauthorized access or exposure. By providing the appropriate level of protection for your data in transit, you protect the confidentiality and integrity of your IoT data. +During the design process, determine how hardware, firmware, and data are handled at device end-of-life. Store long-term historical data in the cloud. Store a portion of current sensor readings locally on a device, namely only the data required to perform local operations. By only storing the minimum data required on the device, the risk of unintended access is limited. Actively delete or destroy data stored in the device so that only the minimum amount of sensor readings necessary is stored on the device. @@ -26 +13 @@ Protect your data at rest by defining your requirements and implementing control -Follow these best practices and check if your workload is well architected. +In addition to reducing data storage locally, there are other mitigations that must be implemented at the end of life of a device such as: @@ -28 +15 @@ Follow these best practices and check if your workload is well architected. -**Best practice IOTSEC_7.1 – Use encryption to protect IoT data in transit and at rest** + * The device should offer a reset option which can reset the hardware and firmware to a default factory version. @@ -30 +17 @@ Follow these best practices and check if your workload is well architected. -For data at rest, the Storage Networking Industry Association (SNIA) defines storage security as “Technical controls, which may include integrity, confidentiality and availability controls that protect storage resources and data from unauthorized users and uses.” Thus, it’s required to protect the confidentiality of sensitive data, such as the device identity, secrets, or user data, by encrypting it at rest. For data in transit, use a secure transport mechanism such as TLS to protect the confidentiality and integrity of all data transmitted to and from your devices. + * Your IoT application can run periodic scans for the last logon time of every device. Devices that have been offline for too long a period of time, or are associated with inactive customer accounts, can be isolated or quarantined from the rest of the IoT solution. @@ -32 +19 @@ For data at rest, the Storage Networking Industry Association (SNIA) defines sto -**Recommendation IOTSEC_7.1.1** – _Require the use of device SDKs or client libraries for the device to communicate to cloud_ + * Encrypt sensitive data that must be persisted on the device using a key that is unique to that particular device. Store the key in the device's secure element, or in a format which is encrypted based on key material in the devices' secure element. @@ -34 +20,0 @@ For data at rest, the Storage Networking Industry Association (SNIA) defines sto -Configure the IoT devices to communicate to cloud endpoints only over TLS. For example, use AWS IoT Greengrass or FreeRTOS SDKs to secure connectivity from your devices to AWS IoT Core over TLS 1.2. @@ -36 +21,0 @@ Configure the IoT devices to communicate to cloud endpoints only over TLS. For e -**Recommendation IOTSEC_7.1.2** – _Encrypt data at rest or secrets on IoT devices_ @@ -38 +22,0 @@ Configure the IoT devices to communicate to cloud endpoints only over TLS. For e -As explained previously in section IOTSEC_2.3.3, take advantage of encryption utilities provided by the host operating system to encrypt the data stored at rest in the local filesystem. In addition, take advantage of Secure Elements and TPMs. TEEs can add storage protections as well. @@ -40 +24 @@ As explained previously in section IOTSEC_2.3.3, take advantage of encryption ut -**Best practice IOTSEC_7.2 – Use data classification strategies to categorize data access based on levels of sensitivity** +In IIoT environments, to allow one-way data flow, access controls can be applied at the connectivity layer using security appliances such as firewalls and data diodes. @@ -42 +26,2 @@ As explained previously in section IOTSEC_2.3.3, take advantage of encryption ut -Data classification and governance is the customer’s responsibility. +IOTSEC10: How do you make sure that device data is protected at rest and in transit? +--- @@ -44 +29 @@ Data classification and governance is the customer’s responsibility. - 1. Identify and classify data based on sensitivity collected throughout your IoT workload and learn their corresponding business use case. +All traffic to and from AWS IoT must be encrypted using Transport Layer Security (TLS). In AWS IoT, security mechanisms protect data as it moves between AWS IoT and other devices or AWS services. In addition to AWS IoT, you must implement device-level security to protect not only the device's private key but also the data collected and processed on the device. @@ -46 +31 @@ Data classification and governance is the customer’s responsibility. - 2. Identify and act on opportunities to stop collecting unused data, or adjusting data granularity and retention time. +For embedded development, AWS has several services that abstract components of the application layer while incorporating AWS security best practices by default on the edge. For microcontrollers, AWS recommends using [FreeRTOS](https://docs.aws.amazon.com/freertos/latest/userguide/freertos-security.html). FreeRTOS extends the FreeRTOS kernel with libraries for Bluetooth LE, TCP/IP, and other protocols. In addition, FreeRTOS contains a set of security APIs that allow you to create embedded applications that securely communicate with AWS IoT. @@ -48 +33 @@ Data classification and governance is the customer’s responsibility. - 3. Consider a defense in depth approach and reduce human access to device data. +For Linux-based devices, AWS IoT Greengrass can be used to accelerate the development and operations of connected device software to extend cloud functionality to the edge of your network. AWS IoT Greengrass implements several security features, including mutual X.509 certificate-based authentication with connected devices, AWS IAM policies and roles to manage communication permissions between AWS IoT Greengrass and cloud applications, and subscriptions, which are used to determine how and if data can be routed between connected devices and AWS IoT Greengrass core. @@ -49,0 +35 @@ Data classification and governance is the customer’s responsibility. +Protect your data at rest by defining your requirements and implementing controls, including encryption, to reduce the risk of unauthorized access or loss. Protect your data in transit by defining your requirements and implementing controls, including encryption. Defining and implementing these controls reduces the risk of unauthorized data access or exposure. By providing the appropriate level of protection for your data in transit, you protect the confidentiality and integrity of your IoT data. @@ -50,0 +37 @@ Data classification and governance is the customer’s responsibility. +## IOTSEC10-BP01 Use encryption to protect IoT data in transit and at rest @@ -51,0 +39 @@ Data classification and governance is the customer’s responsibility. +For data at rest, the Storage Networking Industry Association (SNIA) defines storage security as technical controls, which may include integrity, confidentiality and availability controls that protect storage resources and data from unauthorized users and uses. Thus, it is required to protect the confidentiality of sensitive data, such as the device identity, secrets, or user data by encrypting it at rest. For data in transit, use a secure transport mechanism such as TLS to protect the confidentiality and integrity of data transmitted to and from your devices. Both MQTT and HTTP communications can be protected using TLS-protected forms of those protocols. @@ -53 +41 @@ Data classification and governance is the customer’s responsibility. -See the following for more details: +**Level of risk exposed if this best practice is not established:** High @@ -55 +43 @@ See the following for more details: - * [AWS IoT Greengrass Developer Guide: Manage data streams on the AWS IoT Greengrass core](https://docs.aws.amazon.com/greengrass/v1/developerguide/stream-manager.html) +**Prescriptive guidance IOTSEC10-BP01-01** _Require the use of device SDKs or client libraries for the device to communicate to cloud._ @@ -57 +45 @@ See the following for more details: - * [The Internet of Things on AWS – Official Blog: Designing dataflows for multi-schema messages in AWS IoT Analytics](https://aws.amazon.com/blogs/iot/designing-dataflows-for-multi-schema-messages-in-aws-iot-analytics/) +Configure the IoT devices to communicate only over TLS to cloud endpoints. For example, use AWS IoT Greengrass or Amazon FreeRTOS SDKs to secure connectivity from your devices to AWS IoT Core over TLS 1.2. The AWS IoT Device SDK also enables the use of TLS-protected secure communications over TLS 1.2. @@ -58,0 +47 @@ See the following for more details: +**Prescriptive guidance IOTSEC10-BP01-02** _Encrypt data and secrets at rest on IoT devices._ @@ -59,0 +49 @@ See the following for more details: +As explained earlier in section IOTSEC02-BP03-03, take advantage of encryption utilities provided by the host operating system to encrypt the data stored at rest in the local filesystem. In addition, take advantage of Secure Elements (SEs) and TPMs. Trusted execution environments (TEEs) can add storage protections as well. @@ -60,0 +51 @@ See the following for more details: +## IOTSEC10-BP02 Use data classification strategies to categorize data access based on levels of sensitivity @@ -62 +53 @@ See the following for more details: -**Recommendation IOTSEC_7.2.1** – _Implement data classification strategies for all data stored on devices or in the cloud, as well as all data sent over the network. Process data based on the level of sensitivity (for example, highly classified, or personally identifiable data.)_ +Data classification and governance is the customer's responsibility. @@ -64 +55 @@ See the following for more details: -Before architecting an IoT application, data classification, governance, and controls must be designed and documented to reflect how the data can be persisted on the edge or in the cloud, and how data should be encrypted throughout its lifecycle. For example: + 1. Identify and classify data based on sensitivity collected throughout your IoT workload and learn their corresponding business use-case. @@ -66 +57 @@ Before architecting an IoT application, data classification, governance, and con - * By using AWS IoT Greengrass stream manager, you can define policies for storage type, size, and data retention on a per-stream basis. For highly classified data, you can define a separate data stream. + 2. Identify and act on opportunities to stop collecting unused data, or adjusting data granularity and retention time. @@ -68 +59 @@ Before architecting an IoT application, data classification, governance, and con - * By using AWS IoT Analytics, you can create different workflows for storing classified data. For highly classified data, you can define a separate pipeline and data store. + 3. Consider a defense in depth approach and reduce human access to device data. @@ -73 +64 @@ Before architecting an IoT application, data classification, governance, and con -**Best practice IOTSEC_7.3 – Protect your IoT data in compliance with regulatory requirements** +For more information, see [Manage data streams on the AWS IoT Greengrass core](https://docs.aws.amazon.com/greengrass/v1/developerguide/stream-manager.html). @@ -75 +66 @@ Before architecting an IoT application, data classification, governance, and con -Data governance is the rules, processes, and behavior that affect the way in which data is used, particularly as it regards openness, participation, accountability, effectiveness, and coherence. Data governance practices for IoT is important as it enables protecting classified data and complying with regulatory obligations. It helps to determine what data needs protection, or which data needs access control. +**Level of risk exposed if this best practice is not established:** Low @@ -77 +68 @@ Data governance is the rules, processes, and behavior that affect the way in whi -See the following for more information: +**Prescriptive guidance IOTSEC10-BP02-01** _Implement data classification strategies for all data stored on devices or in the cloud, as well as all data sent over the network. Process data based on the level of sensitivity (for example, highly classified, or personally identifiable data)._ @@ -79 +70 @@ See the following for more information: - * [AWS Cloud Enterprise Strategy Blog: Using a Cloud Center of Excellence (CCOE) to Transform the Entire Enterprise](https://aws.amazon.com/blogs/enterprise-strategy/using-a-cloud-center-of-excellence-ccoe-to-transform-the-entire-enterprise/) +Before architecting an IoT application, data classification, governance, and controls must be designed and documented to reflect how the data can be persisted on the edge or in the cloud, and how data should be encrypted throughout its lifecycle. For example, by using AWS IoT Greengrass stream manager, you can define policies for storage type, size, and data retention on a per-stream basis. For highly classified data, you can define a separate data stream. @@ -80,0 +72 @@ See the following for more information: +## IOTSEC10-BP03 Protect your IoT data in compliance with regulatory requirements @@ -81,0 +74 @@ See the following for more information: +Data governance is the rules, processes, and behavior that affect the way in which data is used, particularly as it regards openness, participation, accountability, effectiveness, and coherence. Data governance practices for IoT is important as it enables protecting classified data and complying with regulatory obligations. It helps to determine what data needs protection, or which data needs access control. For more information, see [AWS Cloud Enterprise Strategy Blog: Using a Cloud Center of Excellence (CCOE) to Transform the Entire Enterprise](https://aws.amazon.com/blogs/enterprise-strategy/using-a-cloud-center-of-excellence-ccoe-to-transform-the-entire-enterprise/). @@ -82,0 +76 @@ See the following for more information: +**Level of risk exposed if this best practice is not established:** Medium @@ -84 +78 @@ See the following for more information: -**Recommendation IOTSEC_7.3.1** – _Define specific roles for personnel responsible for implementing IoT data governance_ +**Prescriptive guidance IOTSEC10-BP03-01** _Define specific roles for personnel responsible for implementing IoT data governance._ @@ -88 +82 @@ For example, there might be a need for new roles to monitor security, from both -**Recommendation IOTSEC_7.3.2** – _Define data governance policies to monitor compliance with approved standards_ +**Prescriptive guidance IOTSEC10-BP03-02** _Define data governance policies to monitor compliance with approved standards._ @@ -90 +84 @@ For example, there might be a need for new roles to monitor security, from both -For example, you might define a policy that requires security credentials to never be hardcoded, even on edge devices. Thus, only services such as AWS Secrets Manager can retrieve secrets in an encrypted manner. +For example, you might define a policy that requires security credentials to never be hardcoded, even on edge devices. Thus, use only services like AWS Secrets Manager to retrieve secrets in an encrypted manner. @@ -92 +86 @@ For example, you might define a policy that requires security credentials to nev -**Recommendation IOTSEC_7.3.3** – _Define clear responsibilities to drive the IoT data governance process_ +**Prescriptive guidance IOTSEC10-BP03-03** _Define clear responsibilities to drive the IoT data governance process._ @@ -94 +88 @@ For example, you might define a policy that requires security credentials to nev -Multiple administrative roles can exist for a single system. For instance, you might define roles for users who can replace defective devices, and separate roles for users who can apply security patches and upgrade device firmware. Note that roles and responsibilities might change over the lifecycle of your IoT systems. +Multiple administrative roles can exist for a single system. For instance, you may define roles for users who can replace defective devices, and separate roles for users who can apply security patches and upgrade device firmware. Note that roles and responsibilities might change over the lifecycle of your IoT systems.