As part of our continued effort to increase the security built into the IBM Watson IoT Platform, we have an important notification for our customers.
On or after May 2017, Transport Layer Security (TLS) will be the default connection security setting for devices and gateways connecting via MQTT to new organizations.
You can read more about the details of these security enhancements below.
What is TLS/SSL?
It is a standard for wrapping other protocols (such as HTTP and MQTT) for use over insecure networks like the Internet. It authenticates the server to the client and provides integrity checking and encryption. It can optionally authenticate the client to the server.
What is the difference between SSL and TLS?
SSL (Secure Sockets Layer) was the name for early versions, but it was replaced by TLS (Transport Layer Security) when the protocol was revised in 1999. The name SSL is still used as a synonym for TLS. The Watson IoT Platform supports TLS 1.2, which is more secure than previous versions of SSL/TLS.
How does TLS work?
The client and server do an initial TLS protocol handshake that performs the authentication, agrees on the cryptographic algorithms that are to be used, and establishes encryption keys for the session.
After that, the client and server talk their normal protocol (e.g. HTTP or MQTT) exchanging protocol packets as usual. A TLS library at the sender encrypts each packet and adds an integrity checksum to it. The TLS library at the receiver validates the checksum and decrypts the packet.
For the Watson IoT Platform, TLS assists with authentication, encryption and integrity:
- Authentication: when a subject connects, the Watson IoT Platform needs to be sure that it really is the subject that it claims to be, and the subject needs to be sure that it is connecting to the genuine Watson IoT Platform.
- Encryption: when data is transmitted to or from the Watson IoT Platform it should be encrypted so that it cannot be read by third parties. In particular, any credentials transmitted by the authentication process need to be encrypted.
- Integrity: ensure that malicious third parties are not able to modify data travelling to or from the Watson IoT Platform, and that they are not able to inject new data or replay old data.
Simply put, when the proposed changes take effect, devices and gateways attempting to connect to Watson IoT Platform Organizations via MQTT will be required to connect via TLS by default.
You can find out more about the architecture of the Watson IoT Platform and the definition of Organizations in the Official documentation.
What is a Watson IoT Platform Organization?
When you register with the Watson IoT Platform, you are given an organization ID. Your organization ID is a unique six-character identifier for your account.
Organizations ensure that your data is only accessible by your devices and applications. After registration, devices and API keys are bound to a single organization. When an application connects to the service by using an API key, it will register to the organization that is associated with the API key that is used.
For your security, cross-organization communication is impossible. The only way to transmit data between two organizations is to create an application within each organization that communicates with applications in the other organization.
Why add TLS as default? Why change now?
We are continually reviewing and enhancing the security around the Watson IoT Platform. We considered that Organizations should be configured to be as secure as possible when they are instantiated, while still giving our customers the flexibility to modify the level of security to align with a level of risk that is acceptable to them.
Before this enhancement, devices could connect to a Watson IoT Platform Organization unencrypted. This was to cater for low-powered IoT devices which might not be able to spare the processing power to encrypt or decrypt transmissions. We accept that there might still be customers who face this challenge. Customers have options to address the scenario where they have devices which cannot support TLS. The options include setting the default Connection Security Level to TLS Optional, or using a gateway which does support TLS as an intermediary between those devices and the Watson IoT Platform.
If you are using the Standard plan, set the Connection Security level on the Settings tab to TLS Optional. When using the Advanced Security plan, TLS may be disabled by going to the Security tab, configuring the Connection Security policy and setting either the Default Connection Security or one of the Custom Connection Security configurations to TLS Optional.
I’m already using the Watson IoT Platform and already have an organization. What does this mean?
If you are an existing Watson IoT Platform customer with existing Watson IoT Platform Organizations, they will continue to operate as-is. You have the option to make changes to those existing organizations to take advantage of the additional security of adopting TLS connections by default.
What if I want to make changes to my existing Watson IoT Platform Organizations to take advantage of these new features?
To take advantage of these new security measures within existing Watson IoT Platform Organizations, you can follow these steps:
If you are on the Standard pricing plan, the Connection Security Level specifies how all devices in your organization must connect to the Watson IoT Platform. You may choose to make TLS Optional, enforce TLS for all devices, or enforce TLS with client side certificates on every device. Connection Security is found on the Settings tab.
When using the Advanced Security pricing plan, you have the additional ability to set a different Connection Security level for each device type. Older devices can remain at TLS Optional while newer devices are forced to connect with TLS. This configuration is found under the Connection Security policy on the Security tab. The Security tab is only visible when using the Advanced Security pricing plan.
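Once an organization is set to enforce TLS, it is worth confirming that the setting actually bites. The following is an added check, not code from the post or from IBM's SDKs: it hand-builds one MQTT 3.1.1 CONNECT packet with placeholder credentials and reports how the broker reacts, so a plaintext attempt on the MQTT port and a TLS 1.2 attempt with full certificate verification can be compared. The messaging host pattern, ports 1883/8883, the "use-token-auth" username and the d:<org>:<type>:<id> client id format are assumptions, not stated in the post.

```python
import socket
import ssl

# Assumptions, not from the post: the messaging host pattern, ports 1883/8883,
# the "use-token-auth" username and the d:<org>:<type>:<id> client id format.
ORG_ID = "abc123"  # constructed placeholder, not a real organization
HOST = f"{ORG_ID}.messaging.internetofthings.ibmcloud.com"

def encode_string(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length prefix followed by the bytes."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data

def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, 0x80 means more follow."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def build_connect(client_id: str, username: str, password: str, keepalive: int = 60) -> bytes:
    """MQTT 3.1.1 CONNECT: protocol level 4, flags 0xC2 = username + password + clean session."""
    body = encode_string("MQTT") + bytes([0x04, 0xC2]) + keepalive.to_bytes(2, "big")
    body += encode_string(client_id) + encode_string(username) + encode_string(password)
    return bytes([0x10]) + encode_remaining_length(len(body)) + body

def tls_context() -> ssl.SSLContext:
    """Verify the server certificate and hostname; refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def probe(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> str:
    """Send one CONNECT with placeholder credentials and report how the broker reacts."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            sock = tls_context().wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(build_connect(f"d:{ORG_ID}:probe:probe", "use-token-auth", "placeholder"))
            reply = sock.recv(4)
    except OSError as exc:  # refused, reset, timed out or TLS handshake failure
        return f"connection failed: {exc}"
    if len(reply) == 4 and reply[0] == 0x20:
        return f"CONNACK return code {reply[3]}"  # 0 = accepted, 5 = not authorised
    return "closed without CONNACK" if not reply else f"unexpected reply {reply.hex()}"
```

Against an organization that enforces TLS, `probe(HOST, 1883, use_tls=False)` should report a refused or closed connection rather than CONNACK return code 0, while `probe(HOST, 8883, use_tls=True)` confirms that the TLS 1.2 handshake and certificate check succeed. Because only a placeholder token is sent, nothing real ever crosses the wire unencrypted.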
What if I create a new Watson IoT Platform Organization?
Any Watson IoT Platform Organizations created after these proposed changes will be automatically configured to use TLS by default. If you do not want this setting you will need to modify the configuration as indicated below.
- Click the Settings tab from the left navigation panel in the Watson IoT UI.
- Select TLS Optional from the Default Connection Security Level drop-down menu.
What if I want to have more control over how different types of devices connect to my Watson IoT Platform organization?
The Watson IoT Platform also has advanced security features, leveraging dashboards and policies, that allow custom connection security policies to be configured at the device type level. These features were announced in January 2017. Customers have complete flexibility over how different types of devices can or can't connect to their Watson IoT Platform Organization.
We hope that through this notification you understand and appreciate the additional security precautions we are taking to deliver a secure and reliable IoT platform.