A Better Solution for IoT Security and MQTT

Written by Ian Skerrett

Category: HiveMQ Security Extension

Published: July 18, 2019


IoT security is a key concern for most organizations deploying an IoT solution. The risk of a data breach or losing control of a connected device could result in serious implications for the business. Government regulations for data privacy and safety, and business continuity of a deployed IoT solution all drive the requirement for better IoT security.

IoT solutions that use MQTT need to consider two levels of security:

  1. transport security to ensure the data being sent from the device is kept private
  2. application security to handle device authentication and authorization to ensure only authorized devices have access to the MQTT brokers.

HiveMQ has always provided first-class transport security, using SSL/TLS to encrypt MQTT messages. In the past, we have provided support for device authentication and authorization. However, we knew this support could be improved for clusters and centralized management, so we are thrilled to announce the new HiveMQ Enterprise Security Extension (ESE).

The method most MQTT brokers currently implement for device authentication and authorization is a simple configuration file, containing usernames/passwords and roles/permissions, that resides with each broker instance. However, this type of system is very difficult to scale across clusters and cluster nodes. Any update to the configuration file needs to be copied to each broker instance. This process can be error-prone and lead to security gaps if not managed correctly.

Our customers who deploy production IoT solutions required a security solution that will scale out to meet their requirements. This is why we built HiveMQ ESE.

The key features of HiveMQ ESE are:

  1. integration of HiveMQ with third party enterprise security systems, i.e. databases, to provide a single source of truth of device authentication information
  2. fine-grained authorization rules that can specify permissions for specific clients or a group of clients
  3. a structured access log for tracking security-related device information.

Integration with Enterprise Security System

HiveMQ ESE is based on the HiveMQ extension framework, so it operates as a first-class service of HiveMQ. The extension is architected to connect with an existing enterprise security system to access the device authentication information. This allows each HiveMQ broker instance to connect with a single source of trust for the device authentication and authorization information.

The first release of HiveMQ ESE will support connecting with SQL databases that host username/password device authentication information and roles/permissions authorization information. We support a wide variety of databases, including MySQL, PostgreSQL, MSSQL, Azure SQL, and Amazon Aurora. In the near future, we plan to add support for OAuth, LDAP, X.509 certificates and NoSQL databases.

Fine-grained Authorization

HiveMQ ESE allows you to define the topics a client or group of clients can publish and subscribe to. For instance, permissions can be set so that a device can only subscribe to a single topic meant for that device, or a back-end monitoring client could be authorized to subscribe to a broad range of topics it needs to monitor.

HiveMQ ESE allows system administrators to set up a database of permission roles and user permissions. We have built a sophisticated variable processing engine that lets operators specify permission placeholders in their authorization tables, which are processed at runtime. This provides the maximum flexibility for defining authorization rules.
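
The per-device and monitoring-client permissions described above can be sketched as follows. This is an added example, not HiveMQ ESE code: the `{client_id}` placeholder syntax, the `ROLES` table and the function names are assumptions made for illustration. It also shows why a placeholder value must be validated before it is substituted into an MQTT topic filter.

```python
# Added example: the "{client_id}" placeholder syntax and the ROLES table are
# assumptions for illustration, not HiveMQ ESE's actual schema or syntax.

ROLES = {  # constructed sample data
    "device": [("subscribe", "devices/{client_id}/commands"),
               ("publish", "devices/{client_id}/telemetry")],
    "monitor": [("subscribe", "devices/+/telemetry")],
}

def covers(permitted: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `permitted`.

    `requested` may be a concrete topic (PUBLISH) or a filter (SUBSCRIBE).
    MQTT wildcards: '+' is exactly one level, '#' is all remaining levels.
    """
    p, r = permitted.split("/"), requested.split("/")
    for i, level in enumerate(p):
        if level == "#":
            return i == len(p) - 1          # '#' is only valid as the last level
        if i >= len(r) or r[i] == "#":
            return False                    # request is shorter or broader
        if level != "+" and level != r[i]:
            return False                    # literal mismatch (a requested '+' fails here too)
    return len(p) == len(r)

def expand(pattern: str, client_id: str):
    """Substitute the placeholder; refuse ids that would alter the filter's shape."""
    if "{client_id}" in pattern and (not client_id or set(client_id) & set("/+#")):
        return None
    return pattern.replace("{client_id}", client_id)

def is_allowed(role: str, client_id: str, action: str, topic: str) -> bool:
    for act, pattern in ROLES.get(role, []):
        permitted = expand(pattern, client_id)
        if act == action and permitted is not None and covers(permitted, topic):
            return True
    return False                            # default deny
```

Without the check in `expand`, a client that connects with the id `+` would turn the per-device rule into `devices/+/commands` and gain access to every device's command topic.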

Structured Access Log

Finally, HiveMQ ESE automatically creates a centralized access log for all tasks completed by ESE.

This allows operators to:

  1. audit all operations taken by ESE
  2. use the access logs in intrusion-detection services to identify security breaches
  3. use the chronological order of the access records in a post-mortem after a data breach.

We believe the centralized approach to security will make it a lot easier for HiveMQ customers to integrate security into their IoT solutions. Creating a central source of trust for all MQTT brokers to access will make it easier to manage and scale out secure IoT solutions.

The first release of HiveMQ Enterprise Security Extension is available today. An evaluation version is available for download that requires HiveMQ Professional or Enterprise. HiveMQ customers can purchase HiveMQ ESE by contacting HiveMQ sales. We still plan to support the existing RBAC file extension for the HiveMQ Community Edition.

About Ian Skerrett

Ian is Head of Marketing for HiveMQ.