Security is our top priority. We provide end-to-end security with multiple layers of protection at each step.
Device-side security is addressed by the following:
- Plug and Play Push module eliminates the need to expose the Edge Devices to the public internet.
- In case the Integrator needs direct access to Edge Device WebUI for troubleshooting reasons, we provide an option to create a secure, temporary proxy connection to the device.
- Further lock-down options are available such as autogenerating strong passwords, blocking inbound connections, and others.
Security is a first-class citizen in our Cloud.
- Every AWS Service where data lands provides Encryption at-rest and in-transit.
- Full trail logs, application logs, metrics, and alerts are collected and can be provided upon request.
- AWS Services, such as GuardDuty, provides us with continuous monitoring for malicious activity and unauthorized behavior.
- We utilize Storage with eleven 9s of durability and each file has a unique signature (md5).
- We heavily utilize AWS serverless architecture, where tasks are executed on demand. This eliminates the need to worry about servers, the underlying systems being unpatched, outdated, or other similar issues.
- Long-lasting tasks are executed in a containerized, virtual private cloud environment.
- For the public sector, even more secure GovCloud is available.
For End-User security we provide:
- 2 Factor Authentication.
- HTTPS protocol mandatory everywhere.
- Native UI without any add-ons.
- The single code base for web UI and Mobile Apps – to reduce the attack surface.
The following is an outline of the main layers of security we utilize to ensure that all data is protected and always handled in accordance with the industry best practice policies.
The first layer of security is provided from Amazon AWS, here are some of the bullet points:
- Local Security utilizes AWS security services: Security, Identity, and Compliance on AWS
- AWS WAF used as a firewall (only available for Local Security domains, extra charge is applied for white label domains).
- AWS Certificate Manager to issue SSL certificates.
- AWS GuardDuty is used to continuously monitor and detect malicious activity.
- AWS SecretManager is used to store sensitive data in an encrypted fashion.
- AWS IAM is used for Identity management, policy and roles.
- Services are isolated based on docker containers.
- Machines are located in VPCs.
- Access to AWS resources for Containers controlled through IAM policies.
- RDS (Database) access is controlled through IAM policies.
- MFA required for all accounts. Access to AWS restricted by IAM policies.
- RDS are located in their own VPC.
- Streaming servers are in separate DMZ VPC.
- All server logs are stored in AWS CloudWatch. Based on metrics generated alerts delivered to the support team.
- All server-less infrastructure logs are stored in CloudTrail and CloudWatch. Based on metrics generated alerts delivered to the support team.
- Logs are reviewed weekly using AWS Athena.
- S3 provides 99.999999999% durability. Each file signed with an md5 signature.
- Servers are always updated to the latest AMI.
- Security Hotfixes are being propagated through the System Services Manager (SSM) at the scheduled update time.
- Server-less architecture is always using the latest fully patched OS version.
The second layer is provided by our software development practices.
- Local Security exercises mandatory policy to move to new framework versions.
- The latest updated libraries during the build process are used.
- Best practices during the development process are followed.
- Standard libraries and approaches to encryption, authentication and authorization are used.
- Local Security performs load tests and code inspection on every new version build.
- End-user UI (web/mobile) is checked against the common vectors of attacks. Extraneous content on the client is blocked using CSP headers.
- Full logs of UI interactions are stored in AWS CloudWatch.
- All communication is done over SSL.
- Local Security offers pure HTML5 UI without any plugins, ActiveX, or other add-ons.
The third layer comes with our P&P technology.
- Local Security Push module is the most secure way and network-friendly method to connect an edge device to the cloud.
- Local Security Push module will initiate outbound 443 TCP connection to a cloud on startup. To block such a connection requires blocking all Outbound HTTPS traffic on the firewall.
- No public IP or ports need to be exposed to access and stream the edge device.
- No changes to edge device firmware are performed to avoid introducing potential security holes. Local Security Push module is installed as an add-on on top of the firmware.
- Auto-updater in the Local Security Push module is used to perform remote centralized updates without the need to go on-site.
- Local Security Push module includes the option to fully lock-in a camera. In such a case the camera would be available only through the cloud and no local access to the camera would be possible.
- Push Proxy server is available to generate a temporary URL to access edge device Web UI through a cloud for maintenance and troubleshooting.
- With some camera manufacturers, there is an option to prevent removing the Local Security Push module even in case of camera firmware is change, a factory reset is performed, or any other unauthorized tampering is done to the camera.
- Full access logs are stored in AWS CloudWatch.