SensorSpace is a streamlined platform designed for ease-of-use and quick deployment with security best practices built in along the way.
The software and hardware devices used to deliver data to SensorSpace use a combination of the security measures listed below.
Device Data Delivery
Software Devices
HTTP with SSL Encryption
HTTPS involves the use of an SSL certificate. "SSL" stands for secure sockets layer, which creates a secure encrypted connection between our servers and your devices. HTTPS helps us guarantee confidentiality, authenticity, and integrity.
Token in the HTTP headers
Software devices send their Security Token in the HTTP headers, using the "X-Auth-Token" HTTP header field to provide an added level of security.
A Security Token is the unique token allocated to your device. It identifies the device and routes its delivered data to the correct Organisation in SensorSpace.
Although we use HTTPS to ensure that all requests are encrypted for network transport, a token placed in the URL could still appear in plain text in the logs of the HTTP servers that process the requests. Additionally, there are spyware exploits whereby certain browser extensions track and aggregate browsing behaviour and sell that data to third parties. Because the token travels in a header, no authorisation data is held in the URL, which avoids unintentional exposure of your unique Security Token.
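An added example (not SensorSpace's own code) of the point above: a client helper that only ever places the token in the "X-Auth-Token" header, and an audit helper that finds access-log entries where a token did end up in a URL. The host sensorspace.example, the /ingest path, the token query parameter, the sample token and the log lines are constructed assumptions; only the header name comes from this page.

```python
import re
from urllib.parse import quote, urlsplit
from urllib.request import Request

TOKEN_HEADER = "X-Auth-Token"             # header field named on this page
SAMPLE_TOKEN = "EXAMPLE+TOKEN/0000"       # constructed placeholder token
SAMPLE_LOG = [                            # constructed access-log lines
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "POST /ingest HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] '
    '"POST /ingest?token=EXAMPLE%2BTOKEN%2F0000 HTTP/1.1" 200 12',
]
# Request line of a combined-format log entry: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def token_forms(token):
    """The token as it can show up in a URL: raw and percent-encoded."""
    return {token, quote(token, safe="")}


def build_request(url, token, body):
    """Build (without sending) a POST that carries the token only in the header."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send a Security Token over plain HTTP")
    if any(form in url for form in token_forms(token)):
        raise ValueError("Security Token must not appear in the URL")
    return Request(url, data=body, method="POST", headers={TOKEN_HEADER: token})


def scan_access_log(lines, token):
    """Return (line_number, redacted_line) for entries whose URL holds the token."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if match and any(form in match.group(1) for form in token_forms(token)):
            for form in token_forms(token):
                line = line.replace(form, "[REDACTED]")
            hits.append((number, line))
    return hits


if __name__ == "__main__":
    # sensorspace.example and /ingest are hypothetical, not a real endpoint
    req = build_request("https://sensorspace.example/ingest", SAMPLE_TOKEN, b"{}")
    print(req.full_url, req.header_items())
    print(scan_access_log(SAMPLE_LOG, SAMPLE_TOKEN))
```

A token reported by the scan has been written to disk in clear text and should be treated as exposed.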
TCP Direct Socket Connection
Some software devices offer this option to deliver data. This method of data delivery is not encrypted, but it transfers very little data. It has been included specifically to reduce data usage when using cellular access to the cloud, and therefore to reduce consumption on data-limited SIM plans. This option would usually be chosen when the software runs on a computer connected to a cellular modem, so the connection between the modem and the cloud can be considered fairly private. The more verbose but more secure HTTP option described above remains available as a choice.
Hardware Devices
MQTT with TLS Encryption
Hardware devices use MQTT with TLS. SensorSpace supports the MQTT protocol, a lightweight publish/subscribe messaging transport optimized for IoT that supports TLS encryption. TLS (Transport Layer Security) provides a secure communication channel between a client and a server. Just like SSL, TLS is a cryptographic protocol that uses a handshake mechanism to create a secure connection between the client and the server. After the handshake is completed, an encrypted communication between client and server is established and no attacker could understand the content of the communication.
LAN Security
The hardware devices that connect to your LAN are also safe from the point of view of your own local area network (LAN) security. The devices have no way of accessing your network resources and simply use the LAN as a gateway to the Internet using the DHCP and MQTT protocols.
There are no interfaces by which unauthorised users can gain access to your network via the hardware devices, as only the T24 radio interface is exposed and this is incapable of allowing access to your LAN.
Customer API Use
If our APIs are used, then which API to use and whether to use the security options made available are matters for the customer. If the customer chooses to ignore the supported security features such as TLS or SSL, then that is beyond the control of SensorSpace.
We would recommend:
- Use SSL when using the HTTP REST API, and send the security token in the headers rather than the URL.
- Use TLS when using MQTT.
- Avoid the TCP or UDP Socket API if the network traffic is at risk of monitoring/sniffing.
- Keep your allocated Security Token safe and private.
Multi-AAA User Management
Authentication, authorization, and accounting (AAA) is a term used to describe a framework that successfully controls access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.
SensorSpace plans allow you to control who can access your device data at different levels: apps, customers and end-users.
Organisation Permissions: Set which devices, dashboards and users belong to a specific Organisation and can access it.
User Permissions: Add users to organisations, set passwords or revoke access when needed.
The final part in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.
SensorSpace has committed itself to being a safe place for your IoT development, exploration, and deployments. Using the best practices provided in this article and limiting access with SensorSpace Multi-AAA user management, you can ward off malicious intruders from your valuable insights.