Industrial Internet Security Framework v 1.0 | Page 77

Security Framework 8: Protecting Endpoints

Examples of process isolation include security agents, software libraries that perform security operations, a software key store and any directory and file access control lists that depend on OS enforcement of the security.

Figure 8-4: Endpoint and Container Isolation Techniques

8.12.2 CONTAINER ISOLATION

The container isolation model implements either hardware- or software-enforced boundaries (see Figure 8-4). Software containers rely on the OS to enforce the resource isolation boundaries; hardware containers use a physically different compute element on the same platform. Hybrid containers combine both approaches.

Examples of software containers include:

• Operating system-managed containers such as Android (Trusty TEE) or Linux Containers such as LXC and Docker.¹
• Secure memory mapping that provides appropriate entry/exit locations for security to be implemented down to very small sensor-type devices.
• Network interface controllers that embed policy and enforcement directly on the hardware of the network interface so that only a predefined set of source/destination, port and protocol combinations from the security policy can communicate to/from the endpoint. All other communication attempts result in failure.

Hardware containers separate the security implementation by enabling a separate compute engine, either on the same chip or on the same board, or on a daughter board in the same physical entity. This creates a security coprocessor that implements some level of security functionality that is separate from the main processor’s compute engine.

Common examples of hardware containers include:

• TPM: The TPM (see section 8.2.2) is a trusted execution environment (hardware root of trust) that provides secure storage of credentials, and protected execution of cryptographic operations. It is isolated from the main CPU, and implemented either as a discrete chip, a security coprocessor (see below), or in firmware.
¹ See [Andr-Trusty], [LinuxC-LXC] and [Docker]

IIC:PUB:G4:V1.0:PB:20160926
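The network interface controller item above describes an allowlist in which only predefined source/destination, port and protocol combinations succeed and everything else fails. The following is an added example, not part of the framework text: a software model of that decision (not NIC firmware), with a hypothetical rule schema and constructed addresses and flows.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):          # hypothetical schema for one permitted combination
    src: str                     # source network (CIDR)
    dst: str                     # destination network (CIDR)
    proto: str                   # "tcp" or "udp"
    dport: int                   # destination port

# Constructed policy for an endpoint at 10.0.5.20 (sample addresses).
POLICY = (
    Rule("10.0.5.20/32", "10.0.1.10/32", "tcp", 8883),  # endpoint -> broker
    Rule("10.0.9.0/28", "10.0.5.20/32", "tcp", 22),     # maintenance subnet -> endpoint
    Rule("10.0.5.20/32", "10.0.1.53/32", "udp", 53),    # endpoint -> resolver
)

def permitted(src, dst, proto, dport, policy=POLICY):
    """True only if the flow matches a policy rule; everything else fails closed."""
    try:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        port = int(dport)
    except (ValueError, TypeError):
        return False             # unparseable input is denied, never guessed at
    return any(
        str(proto).lower() == r.proto and port == r.dport
        and s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
        for r in policy
    )                            # no matching rule -> default deny

def audit(flows, policy=POLICY):
    """Split flow records into (allowed, denied) lists."""
    allowed, denied = [], []
    for f in flows:
        (allowed if permitted(*f, policy=policy) else denied).append(f)
    return allowed, denied

# Constructed flows: the first two are in policy, the rest must fail.
FLOWS = [
    ("10.0.5.20", "10.0.1.10", "tcp", 8883),
    ("10.0.9.4", "10.0.5.20", "tcp", 22),
    ("10.0.9.20", "10.0.5.20", "tcp", 22),    # source outside the /28
    ("10.0.5.20", "10.0.1.10", "tcp", 1883),  # right peer, wrong port
    ("10.0.5.20", "10.0.1.53", "tcp", 53),    # right port, wrong protocol
    ("not-an-ip", "10.0.5.20", "tcp", 22),    # malformed source
]

if __name__ == "__main__":
    ok, bad = audit(FLOWS)
    print(f"{len(ok)} allowed, {len(bad)} denied")
```

Because each rule is directional, the reverse of a permitted flow is denied unless the policy lists it separately.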