You're reading from Practical Industrial Internet of Things Security

Product type: Book
Published in: Jul 2018
Publisher: Packt
ISBN-13: 9781788832687
Edition: 1st Edition

Author

Sravani Bhattacharjee was a technology leader at Cisco until 2014, where she led the architectural planning and security evaluations of several enterprise cloud/datacenter solutions. She is currently the Principal of Irecamedia, where she collaborates with Industrial IoT innovators (including IBM, AT&T, Microsoft, and Intel) to strategize and create compelling whitepapers and a wide variety of editorial and technical marketing content that drives awareness and business decisions. She is a member of the IEEE IoT chapter, a writer, and a speaker. She is the Managing Editor of "The IoT Review", a podcast and blogging platform on Industrial and Enterprise IoT (iot.irecamedia.com).

Chapter 6. Securing IIoT Edge, Cloud, and Apps

"An IoT attack is not a matter of IF, but a matter of WHEN the attack happens and how prepared are we to weather off that attack"
– Arjmand Samuel, Security Lead, Microsoft Azure IoT

The cloud is a key enabler in the evolution of M2M technologies to the Industrial Internet. During the early years of cloud adoption, enterprises were slow to migrate organizational data to multi-tenant cloud platforms, mainly because of data privacy concerns. Over the last decade, however, the cost-effective elasticity of cloud platforms has far outweighed privacy fears, and today cloud services are one of the fastest growing IT sectors (GART-CL).

In the case of the Industrial Internet however, the fears extend well beyond data privacy.

On the one hand, the cloud is a key component in typical IIoT architectures. It provides an aggregated view of the entire IIoT deployment, provisions and manages the operational health...

Defining edge, fog, and cloud computing


In the early 2000s, when Cisco's (then) CEO John Chambers coined the term Network as a Platform (INETNW), the era of cloud computing had just begun to take shape. Cloud computing is one of the disruptive technologies that set the stage for game-changing, "network-enabled" platforms, which are today considered massive growth engines for businesses.

Traditionally, computing resources have been hardware-based assets with fixed compute capacity, co-located on enterprise premises. This model provided data proximity, data ownership, and data security benefits. However, whenever a business needed to scale up its compute capacity, that translated into a significant increase in capital expenditure (capex) and management costs.

A typical cloud computing framework turns this model around. Cloud computing equips third-party cloud providers to offer on-demand compute power, data storage, and application hosting services. Compute resources and applications no longer need to physically...

IIoT cloud security architecture


Cloud-based platforms centralize compute, storage, and management functions; this improves the overall economics of scalable deployments. For industrial IoT use cases, however, cloud security must be architected with the time-sensitive characteristics of industrial applications in mind, and must be aligned with safety, reliability, and data privacy regulations. Figure 6.1 illustrates the various elements of an IIoT cloud security architecture, which spans from the industrial premises to the centralized data centers where the cloud services are hosted:

Figure 6.1: Elements of an IIoT cloud security infrastructure

This security architecture has four main functional components.

Secured industrial site

Cloud security depends on the trust controls implemented in the industrial site. A compromise in the trustworthiness of industrial assets, connectivity infrastructure, or machine data impacts the entire edge to cloud value chain. Security controls to...

Cloud security – shared responsibility model


To protect cloud-based solutions, the tenant (customer) and the cloud service provider (CSP) usually share the security responsibilities. The three common models of cloud service offerings are listed as follows:

  • Infrastructure-as-a-Service (IaaS)
  • Platform-as-a-Service (PaaS)
  • Software-as-a-Service (SaaS)

The split in responsibilities varies according to the cloud service level agreement between the customer and the cloud provider, following the roles defined in the cloud computing reference architecture of ISO/IEC 17789. Since the customer controls the edge functionality, a clear separation of duties is key to ensuring that the right security controls are implemented on each side. To avoid ambiguity, ISO/IEC 27017 recommends a cloud service agreement between the customer and the provider that explicitly enumerates these shared roles and responsibilities.

In the case of the IaaS cloud service model, the customer is typically responsible for the security of data, application software stack, systems, networks, and also security...

Defense-in-depth cloud security strategy


As more and more enterprises move their data, compute, and storage to the cloud, CSPs carry a greater onus to protect customer assets using best-of-breed cybersecurity controls. However, conventional cybersecurity countermeasures, such as patching and upgrades, are reactive: the fix arrives only after a vulnerability is known, and often only after it has already been exploited.

Repeated reports of DDoS and data breach incidents highlight the need for more robust and security-compliant cloud architectures, all the more so with the introduction of Industrial Internet applications. Today, industry-leading CSPs such as Microsoft Azure, AWS, and IBM Cloud have service offerings specific to the IoT marketplace. The new IoT-specific cloud capabilities, such as device life cycle management, big data analytics, and visualization, must be augmented with measures that protect not only the cloud infrastructure but also the critical infrastructures that are now integrated with these cloud platforms.

Cloud security...

Infrastructure security


The first line of defense is to implement security controls that protect data-center assets, such as server farms, routers, switches, wiring closets, network firewalls, and so on, from both natural and human threats. Anti-tailgating measures, video surveillance, physically access-controlled barriers, password-protected consoles, port locking, and so on are a few examples of physical security measures. Connected assets should also implement a hardware-based root of trust, tamper resistance, secure boot and updates, and the other endpoint security controls described in Chapter 4, Endpoint Security and Trustworthiness. ISO/IEC 27002 section 11 (physical and environmental security), PCI DSS 3.2 requirement 9 (physical access), and other standards (CSCC) provide guidance on these controls.

In the case of multi-tenant architectures, compute, network, and storage resources are shared but require adequate isolation between tenant workloads. Depending on the SLA, isolation can be implemented at the bare metal and physical hardware...

Identity and access management


Trust underpins the reliability and resilience of machine-to-cloud (M2C) communications.

Cloud-based IIoT deployments have a large attack surface and are exposed to threats such as masquerading as a legitimate device, escalating privilege to compromise a device or application, snooping on data in transit, and injecting malicious data or control commands.

Devices and services must mutually authenticate to establish a trust relationship. Similarly, developers, applications, and users must also authenticate their identity before they can take action based on device data or send control commands. Roles and responsibilities of identity and access management are typically shared between the cloud vendor and the tenant or customer. For an IIoT deployment, identity, authentication, and authorization best practices include:

  • Identity management using digital certificates and PKI infrastructure, federated identity schemes, and role and group-based identity and access. While many cloud vendors can generate device...
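To make the device-to-service trust relationship concrete, here is an added example in Go (it is not code from the book or from any cloud vendor's SDK). It builds a fleet CA, issues certificates to a cloud ingest service and to a device, and then runs a mutual TLS handshake over loopback in which the service authenticates the device by its certificate chain while the device verifies the service against the same trust anchor. A second device that claims the same name but carries a certificate from an untrusted CA is rejected. The CA names, the service name ingest.plant.example and the device name pump-0042 are placeholders chosen for this example, and the keys are generated in memory rather than inside a secure element.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint issues a certificate: a self-signed CA when ca is nil, otherwise a leaf
// signed by ca for a device (ClientAuth) or a cloud service (ServerAuth).
// Keys are held in memory for this demo; a real device keeps them in a secure element.
func mint(ca *tls.Certificate, name string, usage x509.ExtKeyUsage) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; real issuers use random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, any(priv)
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{usage}
		tmpl.DNSNames = []string{name} // SAN; modern verifiers no longer fall back to the CN
		parent, signer = ca.Leaf, ca.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}

// connect runs one mutual TLS handshake over loopback. The service accepts only
// device certificates chaining to roots; the device accepts only a service
// certificate chaining to the same roots. It returns the device name the
// service authenticated, or the error that aborted the handshake.
func connect(roots *x509.CertPool, service, device tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{service},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or one outside ClientCAs, aborts the handshake
		ClientCAs:    roots,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var peer string
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			if err = conn.(*tls.Conn).Handshake(); err == nil {
				peer = conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{device},
		RootCAs:      roots,
		ServerName:   service.Leaf.Subject.CommonName, // the device also pins which service it talks to
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	err = <-done // the service's verdict on the device certificate
	return peer, err
}

// demo: a fleet CA, a cloud ingest service, and two devices that both claim to
// be pump-0042. Only the one issued under the fleet CA is authenticated.
func demo() (name string, genuineErr, imposterErr error) {
	fleetCA, _ := mint(nil, "Plant Fleet CA", 0)
	rogueCA, _ := mint(nil, "Rogue CA", 0)
	ingest, _ := mint(&fleetCA, "ingest.plant.example", x509.ExtKeyUsageServerAuth)
	pump, _ := mint(&fleetCA, "pump-0042", x509.ExtKeyUsageClientAuth)
	imposter, _ := mint(&rogueCA, "pump-0042", x509.ExtKeyUsageClientAuth) // same name, untrusted issuer
	roots := x509.NewCertPool()
	roots.AddCert(fleetCA.Leaf)
	name, genuineErr = connect(roots, ingest, pump)
	_, imposterErr = connect(roots, ingest, imposter)
	return
}

func main() { fmt.Println(demo()) }
```

Two details matter in practice. The service sets RequireAndVerifyClientCert with ClientCAs limited to the fleet CA, so a device certificate from any other issuer, however well-formed, never reaches application code; and the device sets RootCAs and ServerName, so it will not hand telemetry to a server that merely holds a certificate from some public CA. Issuing devices with ExtKeyUsageClientAuth and services with ExtKeyUsageServerAuth also keeps a stolen service certificate from being replayed as a device identity.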

Application security


In any cloud offering, the application software stack is a key component. IIoT applications typically act upon the intelligence hidden in the data. In general, application software interfaces with the stream and batch analytics engines, machine learning models, and so on to generate control commands, business insights, and also data visualizations.

Enterprise information systems such as remote asset tracking, asset performance management, anomaly detection, and business intelligence systems are part of this application layer. By using a remote monitoring app, for example, an operator can keep track of a turbine's temperature and pressure states, receive alerts if these states exceed a certain threshold, and send control commands to operate the turbine within safety boundaries.

Today, many IIoT solution providers are offering platform-agnostic SaaS products running on the top of cloud platforms such as AWS and Microsoft Azure. These SaaS products essentially offer an abstraction...

Data protection


In a data-driven economy, data itself is an asset. IIoT is about unlocking the intelligence inherent in data, using cloud-enabled analytics. Every organization has an onus to protect its own data, and also customer data. In the case of the healthcare industry, medical facilities must protect sensitive data related to patient biometrics, health records, credit cards, and so on. In the transportation and insurance industries, customers' Personally Identifiable Information (PII) needs to be safeguarded. Unauthorized visibility into machine data can lead to sensitive technical information leakage, which can be misused against the organization that owns the data.

That's why in IIoT deployments, where sensitive data may be transported, processed, and stored across multiple organizational boundaries, data protection and governance must be clearly defined and prioritized. Cloud service providers must guarantee the protection of data in use and data at rest (storage) for tenants. However...

Data encryption


Data encryption protects data confidentiality; however, encrypting all data is not always required, and encrypting data that does not need it is neither efficient nor cost-effective. The cloud platform provider and the tenant can mutually decide on a use case-specific data encryption policy, considering the scope of encryption, where to apply it, and the organizational and regulatory requirements.

The scope of encryption defines which data types need encryption, how encryption keys are used, and so on. If these parameters are user-configurable, the platform provider needs to implement a default encryption mechanism so that customers who lack the expertise to configure it are still protected. When data needs to be persistently stored outside the data center and off-premises, such as on a mobile device, the encryption methodology must be decided as part of the deployment requirements (device policies and so on).
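What a use case-specific encryption policy looks like in code, as an added example in Go (not from the book): a per-tenant policy names the fields that must be encrypted before a record is persisted, the vault applies AES-256-GCM to exactly those fields and leaves the rest queryable in plaintext, and a tenant that configured no policy at all gets every field encrypted, which is the default-on behaviour the paragraph asks the platform provider to supply. The record layout, the field names, the stored-value format enc:<key id>:<base64> and the key itself are assumptions for this example; a production deployment would obtain the key from the platform's key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// Record is one flattened telemetry or asset record as it reaches the storage layer.
type Record map[string]string

// Policy names the fields that must be encrypted before the record is stored.
// A nil Policy means the tenant configured nothing, and the platform default is
// then to encrypt every field rather than to persist plaintext by accident.
type Policy map[string]bool

func (p Policy) covers(field string) bool { return p == nil || p[field] }

const marker = "enc:" // prefix that tags an encrypted field value

// Vault does field-level AES-GCM under one named key; the key id travels with
// each ciphertext so a later rotation can find the right key.
type Vault struct {
	keyID string
	aead  cipher.AEAD
}

func NewVault(keyID string, key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // 32 bytes selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{keyID: keyID, aead: aead}, nil
}

// Seal returns a copy of rec in which every field the policy covers is replaced by
// "enc:<keyID>:<base64(nonce||ciphertext)>". The field name is bound as GCM
// associated data, so a ciphertext moved to another field fails authentication.
func (v *Vault) Seal(p Policy, rec Record) (Record, error) {
	out := make(Record, len(rec))
	for field, value := range rec {
		if !p.covers(field) {
			out[field] = value
			continue
		}
		nonce := make([]byte, v.aead.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			return nil, err
		}
		ct := v.aead.Seal(nonce, nonce, []byte(value), []byte(field))
		out[field] = marker + v.keyID + ":" + base64.StdEncoding.EncodeToString(ct)
	}
	return out, nil
}

// Open reverses Seal. Plaintext fields pass through; an encrypted field that
// does not verify aborts the whole record rather than returning a half-trusted row.
func (v *Vault) Open(rec Record) (Record, error) {
	out := make(Record, len(rec))
	for field, value := range rec {
		if !IsEncrypted(value) {
			out[field] = value
			continue
		}
		keyID, b64, _ := strings.Cut(strings.TrimPrefix(value, marker), ":")
		if keyID != v.keyID {
			return nil, fmt.Errorf("field %q: ciphertext is under key %q, not %q", field, keyID, v.keyID)
		}
		ct, err := base64.StdEncoding.DecodeString(b64)
		ns := v.aead.NonceSize()
		if err != nil || len(ct) < ns {
			return nil, fmt.Errorf("field %q: malformed ciphertext", field)
		}
		pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(field))
		if err != nil {
			return nil, fmt.Errorf("field %q: authentication failed", field)
		}
		out[field] = string(pt)
	}
	return out, nil
}

// IsEncrypted reports whether a stored value carries the ciphertext marker.
func IsEncrypted(value string) bool { return strings.HasPrefix(value, marker) }

func main() {
	key := make([]byte, 32) // demo key; in production the KMS releases it and it is never stored with the data
	io.ReadFull(rand.Reader, key)
	v, _ := NewVault("acme-k1", key)
	rec := Record{"device_id": "pump-0042", "temperature_c": "71.5", "operator": "j.doe"}
	sealed, _ := v.Seal(Policy{"operator": true}, rec) // PII encrypted, telemetry left queryable
	opened, err := v.Open(sealed)
	fmt.Println(sealed, opened, err)
}
```

Binding the field name as associated data is the check worth copying: a ciphertext copied from the operator column into the device_id column then fails authentication instead of silently decrypting into the wrong place, and the embedded key identifier lets a rotation locate the right key without trial decryption.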

Encryption of data in transit typically uses connectivity framework mechanisms (for example, DDS...

Securing the data life cycle


Data generated by connected assets has a life cycle. Device-cloud communication involves data acquisition, processing, retention, and deletion. In order to protect the privacy of data across its life cycle, policies need to enumerate the responsibilities of all parties covering the entire period of contract engagement.

Encryption of sensitive data protects it during the acquisition, processing, and retention phases.

Data activity monitoring services provide logging and auditing traces associated with the data access, changes, and events, often at a data-element level of granularity. Thresholds and rules define the normal activity to flag alerts in the case of data anomalies. In multi-tenant environments, the visibility of these events should be limited only to associated tenants and users. While the cloud platform provider may provide proprietary data monitoring solutions, some well-known third-party solutions include IBM Guardium Data Activity Monitoring and Imperva...
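The detection logic such a data activity monitoring service runs, as an added example in Go (it is not from the book or from any of the products named above): it parses audit-trail lines, keeps a sliding window of access events per tenant, principal and action, raises an alert when a rule's event-count or row-volume limit is exceeded within the window, and partitions the resulting alerts by tenant so that a tenant console can only ever be handed its own. The audit line format, the sample log lines, the tenants and the rule thresholds are all constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// AuditEvent is one audit-trail record; the key=value line format is assumed for this example.
type AuditEvent struct {
	At        time.Time
	Tenant    string
	Principal string
	Action    string
	Rows      int
}

// ParseEvent reads "<RFC3339> tenant=.. user=.. action=.. object=.. rows=N" and
// rejects lines missing any field the rules depend on (fail closed, not silent).
func ParseEvent(line string) (AuditEvent, error) {
	ts, rest, _ := strings.Cut(line, " ")
	at, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return AuditEvent{}, fmt.Errorf("malformed audit line %q: %w", line, err)
	}
	kv := map[string]string{}
	for _, f := range strings.Fields(rest) {
		k, v, _ := strings.Cut(f, "=")
		kv[k] = v
	}
	rows, err := strconv.Atoi(kv["rows"])
	if err != nil || kv["tenant"] == "" || kv["user"] == "" || kv["action"] == "" {
		return AuditEvent{}, fmt.Errorf("missing or invalid fields in %q", line)
	}
	return AuditEvent{at, kv["tenant"], kv["user"], kv["action"], rows}, nil
}

// Rule bounds what one principal may do with one action inside a sliding window.
type Rule struct {
	Window    time.Duration
	MaxEvents int
	MaxRows   int
}

type Alert struct {
	At                time.Time
	Principal, Reason string
}

// Evaluate replays time-ordered audit lines through a window per (tenant,
// principal, action) and returns alerts already partitioned by tenant.
func Evaluate(lines []string, rules map[string]Rule) (map[string][]Alert, error) {
	windows := map[string][]AuditEvent{}
	alerts := map[string][]Alert{}
	for _, line := range lines {
		ev, err := ParseEvent(line)
		if err != nil {
			return nil, err // an unparseable audit line is itself a finding
		}
		rule, watched := rules[ev.Action]
		if !watched {
			continue
		}
		key := ev.Tenant + "/" + ev.Principal + "/" + ev.Action
		w := append(windows[key], ev)
		for ev.At.Sub(w[0].At) > rule.Window {
			w = w[1:] // expire events that fell out of the window
		}
		windows[key] = w
		rows := 0
		for _, e := range w {
			rows += e.Rows
		}
		if len(w) > rule.MaxEvents || rows > rule.MaxRows {
			alerts[ev.Tenant] = append(alerts[ev.Tenant], Alert{ev.At, ev.Principal, fmt.Sprintf(
				"%d %s operations touching %d rows within %s", len(w), ev.Action, rows, rule.Window)})
		}
	}
	return alerts, nil
}

// SampleLog is a constructed audit trail: bob bulk-exports far beyond his limit,
// carol deletes two objects in quick succession, and bob's last export is outside the window.
var SampleLog = []string{
	"2018-07-01T10:01:00Z tenant=acme user=bob action=export object=telemetry/* rows=40000",
	"2018-07-01T10:02:00Z tenant=acme user=bob action=export object=maintenance/* rows=35000",
	"2018-07-01T10:04:00Z tenant=globex user=carol action=delete object=telemetry/turbine-7 rows=5000",
	"2018-07-01T10:04:20Z tenant=globex user=carol action=delete object=telemetry/turbine-8 rows=5000",
	"2018-07-01T10:40:00Z tenant=acme user=bob action=export object=telemetry/* rows=100",
}

var DefaultRules = map[string]Rule{
	"export": {Window: 10 * time.Minute, MaxEvents: 2, MaxRows: 50000},
	"delete": {Window: 5 * time.Minute, MaxEvents: 1, MaxRows: 10000},
}

func main() {
	alerts, err := Evaluate(SampleLog, DefaultRules)
	fmt.Println(alerts["acme"], err) // only acme's own alerts are handed to acme's console
}
```

Partitioning alerts by tenant at the point they are generated, rather than filtering a shared list at display time, is the design choice to notice: cross-tenant leakage then requires an explicit bug rather than a forgotten filter. A line that cannot be parsed fails the batch instead of being skipped, because a gap in the audit trail is itself something an operator must see.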

Cloud security operations life cycle


Cloud security is not a one-time solution. It has to align and persist throughout the active lifespan of an IIoT deployment, involving development, Continuous Integration/Continuous Deployment (CI/CD) and other secure DevOps functions, design re-engineering, and so on.

Business continuity plan and disaster recovery

Prevention of and response to malicious activity is vital. However, incidents leading to outages do occur, sometimes from natural causes such as flood and fire. In an era of accelerated deployment cycles, loss of data center availability following an incident is also a serious reliability issue. A Business Continuity Plan (BCP) and Disaster Recovery (DR) are therefore essential components of any deployment.

To address business continuity, certain CSPs have out-of-the-box high availability solutions. To mitigate single points of failure, as common high availability strategies, CSPs provision load balancing between their geographically separated data...

Secure device management


Most IIoT deployments involve connected devices at the scale of thousands, if not millions. Managing these devices at scale is one of the core offerings of most IoT cloud providers. End-to-end device life cycle management includes secure provisioning, identity and access control, configuration management, remote monitoring of device health, and retirement of unused devices. An automated device provisioning service registers new devices with geographically diverse points of presence (PoPs), manages device configurations, secures devices by pushing over-the-air (OTA) patches and updates, and re-provisions devices when they reconnect or relocate.

For secured and efficient access to device state information and health data, and to facilitate analysis and business application development, a virtual replica of each device is maintained in the cloud. This replica is referred to by various names by various cloud platforms, for example, "digital or device twins", "device shadows", and so on...

Cloud security standards and compliance


Multiple security standards have been developed to protect customer assets when using cloud services. These standards can be broadly classified as advisory, security frameworks, and technical specifications. Customers need to evaluate to what extent the cloud service providers are in compliance with these standards. A list of the security standards is provided here:

  • ISO/IEC 27001, a high-level management systems standard series and its associated cloud service specific standards ISO/IEC 27017 (for security) and ISO/IEC 27018 (for protection of personal data)
  • Standards addressing specific aspects of cloud computing: ISO/IEC 27033 for network security, ISO/IEC 27034 for application security, ISO/IEC 19086 for cloud service SLAs
  • Technology-specific security standards such as OASIS KMIP (key management), FIPS 140-2 (approved cryptographic modules), and OASIS SAML 2.0 (security assertions, used in IAM implementations)
  • ISO/IEC 20889 standardizes de-identification...

Case study of IIoT cloud platforms


Secured management of an IIoT system involves many moving parts. This leads to complexity requiring domain expertise in multiple disciplines, high cost of development and integration, and a very long time to market. To mitigate this difficult terrain, many cloud platform providers have expanded their portfolio beyond centralized data analytics to include end-to-end services specific to Industrial IoT workloads. In collaboration with their ecosystem partners, the CSPs are able to offer a service set that includes zero-touch provisioning at the scale of millions of IoT devices, device management, physical WAN connectivity using cellular and fixed lines, VPN-based edge to cloud connectivity, single billing, and so on. In this section, readers can review three IoT-specific cloud platforms AWS IoT, Azure IoT, and Predix from GE Digital to gain real-world insights into cloud-based security architectures and services.

Note

Disclaimer: These case studies have been...

Cloud security assessment


In this chapter, we discussed multiple security controls a cloud service needs in order to meet the industrial grade of trustworthiness. Table 6.1 provides an assessment matrix that can be used in conjunction with cloud security standards compliance to evaluate the security readiness of an IIoT cloud service:

Table 6.1: Cloud security assessment matrix

 

As an illustration of how the matrix is used, Table 6.2 maps the published security capabilities (at the time of writing) of the Predix IIoT platform onto the security assessment matrix (PDX-BRF):

Table 6.2: A sample cloud security assessment Matrix

Summary


As the Industrial Internet evolves, so do the security requirements. Secure cloud platforms enable industrial enterprises to unlock the potential of the data that already resides in the organization. While IIoT edge-cloud services enable industrial enterprises to manage scaled deployments, they also significantly increase the attack surface, exposing the deployment to new attack vectors. This chapter presented readers with insights into the security controls in edge-cloud architectures. The defense-in-depth strategy for secure cloud platforms, security measures specific to the infrastructure, application, data protection and encryption, and the DevOps life cycle were discussed using real-world case studies. The chapter includes a list of important cloud security industry standards that cloud services need to comply with, in addition to regional and international data protection and privacy regulations. A cloud security assessment matrix developed in this chapter can be a useful resource...
