{"id":2525,"date":"2020-10-28T16:30:20","date_gmt":"2020-10-28T16:30:20","guid":{"rendered":"https:\/\/davra.com\/?p=2525"},"modified":"2020-10-30T10:49:05","modified_gmt":"2020-10-30T10:49:05","slug":"pillar-5-security-compliance-blog","status":"publish","type":"post","link":"https:\/\/davra.com\/pillar-5-security-compliance-blog\/","title":{"rendered":"Pillar 5: Security & Compliance"},"content":{"rendered":"

Security has always been at the tip of organisation\u2019s tongues when it comes to Industrial IoT<\/a>. Even with machine-2-machine communications and 5G capabilities allowing for further IoT and Industrial developments, data breaches and attacks are always an underlying concern. There are multiple cogs working together in the security realm, from the basic 2-factor authentication to VPN concentrators and device authenticators.\u00a0<\/span><\/p>\n

And it doesn\u2019t stop there. Employees need to be trained and educated on a regular basis to ensure they are up to date with password safety and workflows<\/a> around handling personal and private data and information. Not only does the workforce need regular training in information security<\/a> and compliance, they now also need to manage a whole new routine of working from home, making organisations even more vulnerable to threats.\u00a0<\/span><\/p>\n

In today\u2019s pillar topic, we\u2019re going to discuss the security steps Davra takes to ensure the platform and any applications developed on the platform remain safe and secure.\u00a0<\/span><\/p>\n

But what exactly is this critical capability? According to Gartner, security encompasses the \u201csoftware, tools and practices facilitated to audit and ensure compliance, and to establish and execute preventive, detective and corrective controls and actions to ensure the privacy and security of data across the IIoT solution.\u201d<\/span><\/p>\n

Data Flow Architecture\u00a0<\/strong><\/h1>\n

On the Davra platform, there are multiple systems with data flowing in and out so it\u2019s imperative that each of these systems is secure and built to detect and prevent both explicit attacks and accidental leaks.\u00a0<\/span><\/p>\n

The application builder framework is hosted on the cloud or else on premise, this is our security parameter. It\u2019s implicit in the role of an IoT platform to make things talk that didn\u2019t talk to each other before, therefore requiring a lot of surfaces such as gateways, sensors, web APIs.\u00a0<\/span><\/p>\n

Davra develop AAA goals across all the various data sources. AAA means authentication, authorisation and auditing.\u00a0<\/span><\/p>\n

The other surfaces that come east or west bound into the operational system that the customer has; to share meta data or receive from those systems, also need to be tightly secured. It is easier to secure the Davra API when they all sit inside the platform, but this might not always be possible.<\/span><\/p>\n

Southbound security covers the data receiver and involves using HTTPS and encryption. If we have a gateway we do encryption at the network and application level which maintains double encryption. Davra also use a VPN concentrator with an Information Security (ISec) tunnel. For our customers, the device layer and application payload will be encrypted as well.\u00a0<\/span><\/p>\n

A Davra security principle is no native access to the database, because it\u2019s easier to secure. In order to get to this data<\/a> you have to access our AAA service, which is where all the security checks are carried out. We don\u2019t have to secure each database individually, rather there\u2019s one single place to secure the databases all together.\u00a0<\/span><\/p>\n

On-disk encryption is also an option for all or a segment of your data, especially if you have personal identifiable data.<\/span><\/p>\n

We have a local encrypted database, LDAP, OAuth, and over 130 optional security strategies at the AAA Service and UI\/API level, which are other ways security can be implemented.\u00a0<\/span><\/p>\n

For example, if you want to login to the platform with your Facebook or Google credentials; there are ways about doing this in a secure manner.<\/span><\/p>\n

Devices & Gateways\u00a0<\/strong><\/h1>\n

If you have devices in your environment, ensure that the device on the network and on our platform is guided through a dialog that has all the checks in there so that when they are fully provisioned they\u2019re trusted. We enable checks so you can carry out that joining process to identify an anomaly or malicious device.\u00a0<\/span><\/p>\n

In LoRa, we ensure various layers of the stack have the keys to authenticate the device to authorise it to join the network. Our application level feeds the lower levels of the tech stack so they know to authenticate the devices. They have the serial numbers of the devices that need to be provisioned which send those devices down into the layers<\/span><\/p>\n

The gateways are the shipping gateways to the field. For example, a utilities company worker can climb up a utility pole with the IP device to install it, and they\u2019d wait until the light went green to ensure the gateway works as expected. These processes need to make it simple to provision devices at scale, but also do the underlying checks to make sure they are the devices they say they are.\u00a0<\/span><\/p>\n

Davra can allow a gateway to join in phases, as it joins it has to prove itself in parts. The more trusted the gateway, then you send it more information. The gateway gets its cert from the cert authority, then on the VPN where it can send app data<\/a>.\u00a0<\/span><\/p>\n

Compliance and Regulatory Lifecycle Management\u00a0\u00a0\u00a0<\/strong><\/h1>\n

We run this process on the apps developed on the Davra platform.\u00a0<\/span><\/p>\n

We look at the design requirements, if it\u2019s for a new feature on our platform or application, we take those requirements and run them through assessments:\u00a0<\/span><\/p>\n

    \n
  1. \n
      \n
    1. Privacy,\u00a0<\/span><\/li>\n
    2. Cyberthreat,\u00a0<\/span><\/li>\n
    3. Risk,\u00a0<\/span><\/li>\n
    4. Data integrity,<\/span><\/li>\n
    5. GDPR assessments.<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

      The output of these assessments gives us a set of criteria that feeds back into our design phase\u00a0<\/span><\/p>\n

        \n
      1. We build and conform.\u00a0<\/span><\/li>\n
      2. We then test and validate the criteria.<\/span><\/li>\n
      3. License\u00a0<\/span><\/li>\n
      4. Release and maintain\u00a0<\/span><\/li>\n
      5. QMS: Quality management system, continuous auditability; this ensures security and compliance across all regulatory compliance criteria.\u00a0<\/span><\/li>\n<\/ol>\n

        We have an independent company that advise us and maintains this system over time. This is part of what it takes to bring a high-quality security system and software deliver solution to the market that\u2019s completely secure.<\/span><\/p>\n

        Horizontal & Industry-Specific Approaches to Compliance<\/strong><\/h1>\n

        At Davra, we follow a whole host of frameworks to ensure we are up to date on the latest compliance outlines in every industry we operate in.\u00a0<\/span><\/p>\n

        NIST security framework<\/strong><\/h2>\n

        Critical infrastructure cybersecurity framework in 2014. It\u2019s the US standard but has been adopted globally.\u00a0<\/span><\/p>\n

        \u2022 How you identify where the attack occurred?<\/span><\/p>\n

        \u2022 Do you have the tech and the processes in place to identify the attack?<\/span><\/p>\n

        \u2022 How do you protect against attacks?\u00a0<\/span><\/p>\n

        \u2022 How do you detect if something goes wrong?<\/span><\/p>\n

        \u2022 Incident response.<\/span><\/p>\n

        \u2022 How do you recover from the attack?<\/span><\/p>\n

        We have the base framework ISO 27001, which is the international standard that is recognised globally for managing risks to the security of information held.<\/span><\/p>\n

        Regulatory compliance frameworks\u00a0<\/strong><\/h2>\n

        FedRamp:<\/b> in Davra, our IoT solutions are at FedRamp moderate levels. This allows you to sell to the US Government. There are 325 security controls that you have to implement. We also deliver to other regulated environments, which allows us to inherit security controls in this framework because we\u2019ve already done it with other projects.<\/span><\/p>\n

        There needs to be a process for the organisation that consumes your product also needs to implement controls to ensure maximum security.\u00a0<\/span><\/p>\n

        HIPAA compliant<\/b>: For health staff to consume, they also need to be careful when printing patient records etc. The org that consumes it also needs to implement their own security controls.\u00a0<\/span><\/p>\n

        The sec controls are hugely overlappable. We can apply them to the different frameworks.<\/span><\/p>\n

        ISO 27001<\/b> is security in the cloud, if you store identifiable information in the cloud.<\/span><\/p>\n

        When you go into specific industries, they\u2019ll all have their own criteria and compliance that you need to abide by. Your application may fall into niche and specific criteria.\u00a0<\/span><\/p>\n

        We also look to the <\/span>HITRUST<\/b> certification, which enables vendors and covered entities to demonstrate compliance to HIPAA requirements based on a standardized framework.<\/span><\/p>\n

        We also seek advice from <\/span>NIST 8259 CSF2014<\/b> cloud software. They brought out a framework for IoT device manufacturers to follow, this came out in May 2020. This framework aims to clear up confusion in the market about what actually is a safe device.\u00a0<\/span><\/p>\n

        83% of IoT devices data are in the clear and it most insecure data is in the home devices industry.\u00a0<\/span><\/p>\n

        Use Cases\u00a0<\/strong><\/h1>\n

        \u2022 Monitoring patients in hospitals.<\/span><\/p>\n

        \u2022 Monitoring patients at home using sensors and giving the information to the carers.\u00a0<\/span><\/p>\n

        \u2022 First responders: ambulances, police officers, incident response flows.<\/span><\/p>\n

        \u2022 Tracking high value shipments: multimodal transport, looking inside containers, vehicles, rail road and sea using satellite tech, high value imperishable goods, bags of money, diamonds and livestock.<\/span><\/p>\n

        \u2022 Tracking work safety through using audio communication.<\/span><\/p>\n

        \u2022 Contact tracing for the enterprise: bringing staff back to work safely. Developing decision trees and workflows around cleaning protocols. Using tag technology that can help enterprises track close contacts. If you\u2019re informed of a case, there is no personally identifiable information on the tag that Davra can trace, but the line manager would have the information of people using each individual tag with the tag number and it can be set to vibrate the tag to let them know they\u2019re in too close contact with someone.<\/span><\/p>\n

        There are a multitude of areas where security and safety need to be considered, and unfortunately due to the global pandemic we are in, more and more companies are cutting their security budgets or leaving it as an afterthought. If security is a key concern for you, or you would like more information on how Davra consistently lean into security frameworks to ensure our customers\u2019 data is reliable and safe, <\/span>please contact us today<\/span><\/a><\/p>\n

         <\/p>\n","protected":false},"excerpt":{"rendered":"

        Security has always been at the tip of organisation\u2019s tongues when it comes to Industrial IoT. Even with machine-2-machine communications and 5G capabilities allowing for further IoT and Industrial developments, data breaches and attacks are always an underlying concern. There are multiple cogs working together in the security realm, from the basic 2-factor authentication to […]<\/p>\n","protected":false},"author":6,"featured_media":2527,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"yst_prominent_words":[2550,2549,2546,75,108,2285,254,84,2553,2554,200,80,2548,116,2552,124,2551,831,2547,2545],"_links":{"self":[{"href":"https:\/\/davra.com\/wp-json\/wp\/v2\/posts\/2525"}],"collection":[{"href":"https:\/\/davra.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/davra.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/davra.com\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/davra.com\/wp-json\/wp\/v2\/comments?post=2525"}],"version-history":[{"count":0,"href":"https:\/\/davra.com\/wp-json\/wp\/v2\/posts\/2525\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/davra.com\/wp-json\/wp\/v2\/media\/2527"}],"wp:attachment":[{"href":"https:\/\/davra.com\/wp-json\/wp\/v2\/media?parent=2525"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/davra.com\/wp-json\/wp\/v2\/categories?post=2525"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/davra.com\/wp-json\/wp\/v2\/tags?post=2525"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/davra.com\/wp-json\/wp\/v2\/yst_prominent_words?post=2525"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}