EdgeX: Security + Systems Management WGs Face-to-Face Meeting - Day 1
Having a little hard time hearing Gabrielle. Can she say what organization she is from again?
Brett - LF
I am so glad, based on the last hour’s discussion, that we waited to implement any security in EdgeX. These discussions about where do you start and what options do you want to take/not take are exactly why we at Dell fretted about making any premature and unilateral decision without larger community input. Thanks guys! Question: to Dean’s point, OpenSSL has issues. Good first step, but with known issues. Some organizations (especially in Europe) may discard OpenSSL. By adopting OpenSSL as a first step, and supposedly doing some work with EdgeX to incorporate it, will we be able to (and how) provide a path to European and other organizations wishing an alternate security solution to still adopt EdgeX and pull out SSL componentry and input something else to satisfy their needs? If so, great first step. If not, problem.
Alex Newman (Canonical)
+1 — if we hardcode OpenSSL, we’re going to spend time stripping it out. We should build a reference SSL provider around OpenSSL.
Seems to me the discussion is between IT security guys and IT/OT security guys where the former understand cyber security but haven't yet grappled with the realities of cyber-physical or kinetic cyber security. Am I missing something?
Encryption cannot happen in the OS for the system to be secure. That is a fundamental challenge.
Level of security for banking today is not sufficient for cyber-physical environments. Actually, it is good enough for banking either :-)
I suggest we consider the IISF guidelines for the design being discussed - see page 64.
Michael - the EdgeX architecture was built exactly as you speak. Device services do not communicate data out and nothing from the north directly communicates with a device service without going through other services or "agents" as you call them.
Jim, Agreed, and understood. I think EdgeX ultimately serves as a tool for customers to enforce their security policies on the edge.
Yep - or not at their risk based on use case and deployment model.