Digi Device Cloud: Security You Can Trust

Transcription

1 Digi Device Cloud: Security You Can Trust Abstract Historically, security has oftentimes been an afterthought or a bolt-on to any engineering product. In today s markets, however, security is taking a firm front seat in engineering solution design. Digi International recognizes the crucial nature of security components to our products and services, including Digi Device Cloud SM. Indeed, security is at the core of Device Cloud and regarded as a critical component to be passed to our customers. This whitepaper will discuss the standards and controls put in place by Digi s Cloud Security Office and answer common security questions. Digi s Cloud Security policies are designed to support customer security frameworks, enabling solutions that meet specific corporate or standard security requirements. About Digi Digi International is your mission critical M2M solutions expert, providing the industry s broadest range of wireless products, a cloud computing platform tailored for devices and development services to help customers get to market fast with wireless devices and applications. Digi s entire solution set is tailored to allow any device to communicate with any application, anywhere in the world

2 Overview Security is firmly at the core of every feature developed and every decision that is made regarding Device Cloud. The Digi Cloud Security Office fiercely protects the confidentiality, integrity and availability of the Device Cloud service. With over 175 different security controls in place that take into account security frameworks including, ISO27002 s ISMS, NERCs critical infrastructure protection (CIP) guidance, Payment Card Industry PCI-DSS v2, the Cloud Security Alliance (CSA) Cloud Controls Matrix, as well as relevant HIPAA and NIST standards, Device Cloud customers are assured that there is no safer place for their data. People Security for cloud services is a rapidly changing paradigm and the Device Cloud team is committed to providing security controls that set the industry standard. Working in conjunction with the Cloud Security Alliance, of which Digi International is a corporate member, a new version of the Cloud Controls Matrix v1.2 has been developed that reflects improved controls from NERC/CIP into cloud based services. The Device Cloud security team members are active and visible players in the data security space, speaking regularly at security conferences, including DefCon and ISSA, and have numerous articles published across online channels and industry journals. Our employees proudly hold certifications such as CISSP, RHCE, CCNP, MCSE, EC-COUNCIL s Certified Security Analyst (CSA) and Certified Ethical Hacker (CEH), as well as ISO27002 Certified Lead Implementer certifications. Certifications Our systems are located in SSAE-16 (old SAS-70 Type II ) and ISO27001 certified facilities. If you are a Device Cloud customer and are interested in reviewing this information and these reports, please send an to cloud.security@digi.com. NERC/CIP Device Cloud enables you to meet your security compliance targets by providing to your field devices the following security functions: Centralized Device Patching, Capacity Planning, Centralized Logging, Compliance Scanning, Compliance Reporting, Change Control, Backup/Disaster Recovery, Intrusion Detection and Asset Management. HIPAA Compliance Device Cloud is a strong component of a HIPAA-compliant solution. To meet HIPAA compliance, Digi recommends that Device Cloud act as a data conduit for health information. Since it does not process health information, customers looking to implement a HIPAA solution do not need a Business Associate agreement signed, provided that they encrypt the data while it is passed through the Device Cloud service

3 PCI Compliance Device Cloud has been used in PCI compliant networks. Our devices, in conjunction with standard security hardening practices, have received a passing ROC (Report on Compliance) from a top QSA. Device Cloud Security Office Functions The Device Cloud security office embraces a continuous improvement program for each security function: Security Compliance Centralized device management with Digi Device Cloud simplifies security compliance Capacity Planning Centralized Device Patching Compliance Reporting Intrusion Detection Change Control Asset Management Centralized Logging Compliance Scanning Backup/ Disaster Recovery Security Governance and Compliance This bi-annual process is conducted to allow verification of compliance with all Device Cloud security policies. This includes such audit checks as user access attestations, as well as contract review processes. Asset Management To properly identify our scope of controls and configuration compliance, and to understand which function one of our servers does and which data it holds, we track this information via a Configuration Management DataBase. Awareness Training All employees and anyone who interacts with Device Cloud undergo mandatory annual training on information security. This training focuses on common security training as well as job specific training, for example the OWASP top ten security mistakes made by developers. This program is updated yearly and is required to be taken with a PASS/FAIL grade

4 Change Control All Device Cloud code deployments follow a strict process of change control, where Quality Assurance processes are validated and all proper change control functions are tested prior to deployment to production, in order to minimize outages. Compliance Scanning/Patch Management Device Cloud uses the technology of eeye to identify non-compliance with the Center for Internet Standards (CIS) templates for security. Standards are also tracked against other configurations, such as FISMA and other DISA standards. Since this is an active scanning technology, any noncompliance is reported within 15 minutes. The eeye product also scans for and reports on vendor patches that are not applied. Disaster Recovery Risk assessments for Device Cloud service are continually reviewed and analyzed. With these risk assessments, the Device Cloud service can be quickly recovered from any unplanned outages. Although Device Cloud does not have a guaranteed recovery point objective (RPO) or recovery time objective (RTO) at this time, we have managed our program to meet a 3 hour RTO, with a 15 minute RPO. This program is minimally tested yearly. Information gathered from tests is reutilized to increase the robustness of our service. Intrusion Detection and Anti-Virus A top-tier product for network intrusion detection/prevention is used. In conjunction, a host-based intrusion detection/prevention system for further detection of security events is implemented. A leading provider is used for Anti-Virus. This solution is centrally managed and any alerts are centrally alerted via our SIEM solution and investigated. Security Information and Event Management Device Cloud uses LogRhythm as a SIEM solution. Logs are collected from the entire Device Cloud infrastructure to include, but not limited to, OS, firewalls, intrusion detection systems, as well as the Device Cloud core and applications. This data is centrally fed to a secure SIEM server and saved minimally for 1 year. An extensive list of active alarms for specific log messages, along with tools to review correlated events between different equipment looking for security attacks on Device Cloud infrastructure and applications ensures peace of mind. Risk Management The ISO27001 series process for calculating the risk for Device Cloud is strictly adhered to. This analysis is created by Device Cloud staff in conjunction with external vendors for accuracy. This risk assessment drives our process for determining areas for improvements. Vulnerability Management Device Cloud follows a complex vulnerability program. This includes many vendors and layers of testing. Below are the different methodologies of testing and frequency followed. Findings are recorded in a bug tracking system for further review and resolution

5 External Infrastructure Yearly Pen Test (Outside Organization) A leading vendor is contracted to conduct a yearly pen test on Device Cloud systems. All services that are available via our IPs are tested, along with any common standard protocols for all publically known weaknesses. Web applications and web services for common application weaknesses also use this. External Application Authenticated Access Continuous Testing (Outside Organization) A leading application vulnerability scanning service is contracted. This service runs continuously with a credentialed access looking for web application weaknesses in Device Cloud code. An automated scan, many parts of the scan are reviewed and further tested by professional pen testers to validate false positives. This service alerts Device Cloud to any immediate vulnerabilities. Internal Infrastructure Automated Scanning Testing (Internal) Device Cloud uses an eeye server and Retina scanner to look for and detect open ports, and other services that may be vulnerable to attack. This scan runs on a nightly basis. Internal Infrastructure Pen Test (Internal) Device Cloud uses Nessus and other tools that are contained on the Backtrack CD for internal pen testing. This testing occurs during the QA process for major releases, as well as on an ad-hoc basis. Code Reviews All developers for Device Cloud code have a peer review process that allows them to validate each other s work. The code for all of Device Cloud is run nightly through source code Security and Bug tools called Coverity and FindBugs. The code base is also run through other tools, such as Fortify, on an ad-hoc basis to validation between other tools. For more information, please contact the Digi Cloud Security Office at cloud.security@digi.com. About Digi Digi International is your mission critical M2M solutions expert, providing the industry s broadest range of wireless products, a cloud computing platform tailored for devices and development services to help customers get to market fast with wireless devices and applications. Digi s entire solution set is tailored to allow any device to communicate with any application, anywhere in the world B2/615