Cloud-based solutions have changed the way we conduct business, fully mobilizing workforces, expanding the global reach of organizations, and lowering costs. The cloud enables organizations to streamline and improve business processes, such as customer service and the supply chain, with anytime, anywhere access to applications and data. And now businesses find themselves at the doorstep of the next level of cloud-based connectivity: the Internet of Things (IoT), where internet-enabled devices — such as cars, compressors, turbines, and household appliances — communicate with one another (either directly or via the cloud) and deliver data-driven intelligence that enables organizations to optimize their products, services, and operations, and support new and enhanced processes.
And make no mistake, IoT is more than just a concept; it is a reality and a significant opportunity across a variety of business sectors — from manufacturing to utilities to healthcare to retail — to access unprecedented insight into customers, products, and operations. Gartner estimates that there will be 25 billion internet-connected things by 2020, and that IoT will produce close to $2 trillion of economic benefit globally.1 With significant opportunity often comes significant risk, however, and IoT is no different: The exponential growth of connected devices translates into an exponential increase in potential attack surface — a surface that goes beyond servers and applications to individual devices, each with their own protocols and varying levels of security in their makeup.
The combination of rapidly changing technologies, a growing number and variety of devices, and an increasingly interconnected landscape means that security teams are faced with a daunting challenge, and that the implications of a security failure can have disastrous effects that ripple far and wide. This article takes a closer look at the security aspects that are crucial for IoT, and demonstrates how SAP ensures that the IoT solutions its customers use protect against these risks.
The Rewards and Risks of IoT
Imagine you are a car manufacturer. In your production line, you need to produce the roof for a particular car model. To do this, you use a press to form the metal of the roof, which in turn requires a compressor to create the pressure. If this compressor fails, the production line comes to a halt, which can translate into an enormous financial loss for the business. IoT can help you avoid this scenario by enabling you to use sensors in combination with a solution, such as SAP Predictive Maintenance and Service, to monitor the compressor and predict when it will wear out so that you can ship and replace the compressor with minimum downtime before it fails. (For more on SAP’s IoT-enabled offerings, see the sidebar “SAP Solutions for the Internet of Things.”)
But what happens if the sensors deliver the wrong data, such as the wrong temperature, or if the wrong service life statistics for the compressor components are delivered? Imagine what might happen with a faulty temperature reading or component failure with an oil pipeline. The damage inflicted by faulty data from devices can be considerable — and in some cases, it can be catastrophic — and this could happen if an attacker gains access to a company’s system and manipulates the data being sent from devices to the IoT solutions monitoring those devices.
This is just one example of why security plays a crucial role in IoT scenarios to prevent manipulation of reported sensor or telemetry data, or data leaks, or denial of services attacks, for instance. While a device might seem to be only a little thing, it can cause significant losses for your business, and it is critical to ensure the protection of the data it transmits. Two items are essential to this protection:
- Strong authentication to ensure that a device is the one it claims to be
- The use of encryption and digital signatures to ensure the authenticity of the data source and privacy for the transmitted data
So how does SAP address these essential items for IoT solutions? It starts at the very foundation.
A Secure Foundation with SAP HANA Cloud Platform
To truly pave the way to a secure IoT landscape, security needs to be built in at the foundational level. Through SAP HANA Cloud Platform — SAP’s platform-as-a-service (PaaS) offering for building and extending cloud-based business applications — SAP provides an infrastructure that enables businesses to securely tap into a network of millions of connected devices: SAP HANA Cloud Platform for the Internet of Things (see Figure 1).
Introduced at SAPPHIRE NOW in May 2015, SAP HANA Cloud Platform for the Internet of Things is a solution portfolio that enables the collection, integration, and analysis of data from devices and from business systems such as SAP ERP and SAP Customer Relationship Management (SAP CRM). Connectivity to back-end systems to access business data is provided by SAP HANA Cloud Integration via SAP Process Integration; access to machine data is provided by a set of IoT services. While there are three options for connecting the IoT services to networked devices — via an IoT connector included with SAP HANA Cloud Platform for the Internet of Things, via a third-party gateway solution, or directly through the device’s built-in connectivity — the IoT connector offers several advantages, including protocol translation between various devices and SAP HANA Cloud Platform, and automated, secure onboarding of devices that paves the way to edge computing and device management.
The IoT services for SAP HANA Cloud Platform are key to facilitating the management, administration, and processing of IoT data. These services support the implementation of IoT applications — including SAP applications, partner applications, and custom-developed applications — on SAP HANA Cloud Platform, and provide secure interfaces for:
- Registering devices and their specific data types
- Sending data to a database running on SAP HANA Cloud Platform
- Storing and accessing data on SAP HANA Cloud Platform
The IoT services are enabled via the services tab in the SAP HANA Cloud Platform cockpit, which is the central tool for managing applications deployed on SAP HANA Cloud Platform.2 Subscribing to the IoT services provides access to the Internet of Things Services cockpit (see Figure 2), which you use to securely register devices, specify the supported message types for sending data from these devices to SAP HANA Cloud Platform, and manage the IoT connector.
So how do the IoT services ensure that IoT applications deployed on SAP HANA Cloud Platform provide the two items — strong authentication for devices and the secure transfer of data — that are essential to a secure IoT landscape? By using trusted security standards.
Standards-Based Authentication and Authorization
The IoT services use the Open Authorization (OAuth) Framework (version 2.0) and X.509 certificates to secure communication between IoT devices and SAP HANA Cloud Platform via the Transport Layer Security (TLS) protocol (see Figure 3). With OAuth-based communication, you generate an individual OAuth authorization token for each IoT device using the Internet of Things Services cockpit and then transfer that token to the corresponding device. With X.509-based authentication, an X.509 certificate must be issued for each device. The IoT connector included with SAP HANA Cloud Platform for the Internet of Things facilitates the generation of these tokens and certificates as part of a secure onboarding process for devices. The authentication method is specified as part of the device type configuration using the Internet of Things Services cockpit.
OAuth is the de facto standard for protecting APIs based on the Representational State Transfer (REST) architectural standard, commonly used for providing synchronous access to back-end SAP systems from cloud-based systems via the TLS protocol. To secure this access, OAuth authorizes the application that calls the API, known as the API consumer. The API consumer uses a credential — the OAuth access token — for the authentication. This token represents an authorization issued to the API consumer by SAP HANA Cloud Platform. OAuth uses various mechanisms for obtaining OAuth access tokens, including authorization grants, which are supported by SAP HANA Cloud Platform (specifically, SAP HANA Cloud Platform supports the authorization code grant and client credentials grant types). OAuth is a lightweight but secure credential for authenticating devices in an IoT scenario.
X.509 certificates enable secure authentication between web applications and back-end SAP systems. Based on the X.509 public key infrastructure (PKI) standard, these certificates use a public/private key pairing to establish trust and allow access, where a digital certificate containing identity information in a public key is validated against a stored private key. The main components of the PKI are the registration authority (RA) for verifying the identity of the certificate’s owner and the certificate authority (CA) for issuing the certificates, maintaining revocation lists, and so on. With the automated, secure onboarding process for devices provided by SAP HANA Cloud Platform for the Internet of Things, SAP HANA Cloud Platform serves as the RA and CA for issuing and verifying X.509 certificates. X.509 certificates can also be used to generate digital signatures to protect data against tampering. Note that with X.509 certificates, for privacy protection, the network communication between the IoT connector and the IoT services running on SAP HANA Cloud Platform must be secured with a mutually authenticated TLS connection.
Let’s take a closer look at authentication in action in an SAP HANA Cloud Platform for the Internet of Things scenario by stepping through an example that uses X.509 certificates with the IoT connector.
Behind the Scenes: Ensuring a Secure Device Connection
Returning to our car manufacturer example, suppose we are using SAP Predictive Maintenance and Service and we want to collect data from an IoT-enabled compressor on the manufacturing assembly line so we can monitor the compressor and proactively address any necessary repairs. To enable communication between the compressor and SAP HANA Cloud Platform, where SAP Predictive Maintenance and Service is running, the device (the compressor) must be issued an X.509-based registration certificate with a key pair by a trusted CA.
In this scenario, after configuring the X.509 authentication requirement for the device type using the Internet of Things Services cockpit, the registration certificate is issued to the device (the IoT-enabled compressor) automatically by SAP HANA Cloud Platform as part of the automated, secure onboarding process. The car manufacturer performs a test run of the manufacturing assembly line, and the self-registration process for an individual X.509 device certificate is automatically initiated by the IoT connector. The IoT connector generates public and private keys on the device, along with a registration certificate and a request for an individual device certificate. The registration certificate and the device certificate request (including the public key) are sent to the IoT services running on SAP HANA Cloud Platform. The registration certificate is then used to authenticate the device to SAP HANA Cloud Platform.
After successful verification of the registration certificate, the individual device certificate is issued by SAP HANA Cloud Platform and sent back to the device via the IoT connector, which then deletes the registration certificate and corresponding private key from local persistence to prevent leaking the manufacturer’s registration credentials to the customer. Going forward, the individual device certificate and key pair are sufficient for secure authentication between this device and SAP HANA Cloud Platform. Options for adding an even higher level of security include adding firewalls between the IoT connector and the IoT services, as well as delivering X.509 certificates and their corresponding keys on personalized industry computers with trusted platform modules (TPM) — that is, computers with standards-based cryptographic keys built directly into the hardware to secure the device.
Of course, the very nature of an IoT landscape means that there will be changes to manage in your secured runtime environment — in particular, devices will need software and firmware updates delivered by manufacturers. To securely handle these updates, the IoT services running on SAP HANA Cloud Platform automatically check the digital signature of the update package, delivered by an X.509 certificate, to verify that it is, in fact, from the manufacturer and has not been altered during the transmission over the network. The verification results are logged by SAP HANA Cloud Platform and stored on the device.
SAP HANA Cloud Platform for the Internet of Things gives SAP customers a set of IoT services that provide a standards-based approach to secure authentication between devices and SAP HANA Cloud Platform.
The biggest challenge in an IoT scenario is protecting the integrity, authenticity, and privacy of the data that is collected from devices, transferred to a central system, and integrated with business data for analysis. SAP HANA Cloud Platform for the Internet of Things helps SAP customers meet this challenge with a set of IoT services that provide a standards-based approach to secure authentication between devices and SAP HANA Cloud Platform, enabling IoT applications running on the platform to provide insight based on integrated machine and business data.
The ability to get up and running with an IoT landscape both quickly and securely will allow you to get started capitalizing on the opportunity instead of spending time playing catch-up, and with security built in at the technology foundation, SAP helps its customers do this with minimal risk. Learn more at www.sap.com/IoT and help.hana.ondemand.com/iot. Interested in trying out the IoT services for SAP HANA Cloud Platform? Visit scn.sap.com/docs/DOC-63811 and github.com/SAP/iot-starterkit.
2 Access to SAP HANA Cloud Platform requires a developer account. A trial edition of the platform, along with a trial developer account, is available free of charge at https://account.hanatrial.ondemand.com. Access for productive accounts is provided at https://account.hana.ondemand.com/cockpit. [back]