AllSeen Alliance Addresses Major IoT Security Challenge; New Layer Gives More User Control and Key Management For Even Greater Device Security

SEATTLE, AllSeen Alliance Summit, Oct. 19, 2015 – The AllSeen Alliance, a cross-industry collaboration to advance the Internet of Everything through the AllJoyn® open source software project, today announced major authentication and device authorization updates to the AllJoyn open source framework for Internet of Things (IoT). The new functionality builds on AllJoyn’s existing end-to-end data encryption and message-based security, adding rich semantics that extend familiar security models from the cloud and app domain to the devices that make up the IoT. The result is the industry’s most complete IoT framework with built-in security. With this addition, AllJoyn-enabled devices will work safely and securely, regardless of platform, manufacturer, transports, OS or chipset.

The variety and volume of connected devices are staggering, and the standard security protocols across the IoT ecosystem are lacking. Today’s security protocols vary from manufacturer to manufacturer, and even device to device, resulting in fragmentation, poor network security policies and weak links that create undue risk. The AllSeen Alliance recognizes that the use cases for connected devices, services and applications are highly customized by the user and provider, requiring a security framework that can offer protection across a breadth of scenarios. Building on the existing AllJoyn message-based security model, major new security updates, such as fine-grained access controls, allow developers and OEMs to easily implement security policies in a consistent way.

The updates follow a security model commonly found in computing and applications, with users, groups, roles, relationships and things, and extend it to IoT. The security manager service architecture now inherent in AllJoyn minimizes development time and complexity, providing key management, permission rules, and certificates when managing IoT applications and devices.

“For IoT to see mainstream adoption, and more importantly truly make people’s lives better, any fears or concerns about security and device privacy must be addressed. We’re enhancing AllJoyn’s security with collaboration across the IoT ecosystem, allowing us to standardize security for IoT, regardless of manufacturer or use-case,” said Philip DesAutels, Senior Director of IoT, AllSeen Alliance. “We’ve extended a familiar security model to the world of IoT, making it as easy as possible for developers, product managers and engineers to adopt an industry standard security protocol for all IoT devices, regardless of transport or operating system.”

Using a peer-to-peer communications framework, AllJoyn is the first IoT platform to provide end-to-end, application-level security and data encryption. AllJoyn security occurs at the application level; there is no trust at the device level. By running on the local, proximal network without LAN/Wi-Fi security requirements, AllJoyn-enabled applications and devices can talk directly to each other quickly and efficiently with reduced vulnerability to outside attacks. When cloud connection is required or desired, the AllJoyn Gateway Agent allows cloud services to bridge with the AllJoyn proximal network securely and privately.

AllJoyn’s new updates focus on three key pillars of security:

  • Authentication: Enhanced AllJoyn authentication is fully managed by the framework. While it is completely transparent to users, different users can be granted specific device access functionality by setting unique policies and permissions. User credentials are not stored and reused across all devices in a home or business. Usernames, passwords and PINs, all pain points for consumers and weak links in IoT security, are eliminated.
  • Authorization: Fine-grained access control grants permissions or restricts access to users. With enhanced AllJoyn authorization, no central authority or Internet connectivity is required. AllJoyn-enabled IoT devices can also become aware of specific end-users and adjust behavior accordingly.
  • Encryption: The framework has existing end-to-end encryption to protect data and heighten user privacy.