
Security

The IoTGtw is the secure entry point (Service Access Point) for IoT devices, and it also provides secure integration between customer upstream application servers and the IoTGtw cloud services. This allows device management, data management and data orchestration operations to be performed securely.

The IoTGtw cloud service provides secure access to the IoT devices using one or a combination of the following security mechanisms:

  • DTLS (Datagram Transport Layer Security) encryption – The IoTGtw service supports DTLS with pre-shared keys (PSK) to encrypt device sessions. DTLS can provide bearer security for any of the supported application protocols and data frameworks. A PSK shared by the whole fleet lets one compromised device impersonate all the others, so per-device keys are preferable.
  • Symmetric token key authentication – IoT devices set up to use “SimplyTiny for IoT”, CoAP, MQTT-SN, etc. can be configured with an authentication token, which the device must present in each message.
  • The IoTGtw cloud service can be set up to automatically capture the first authentication token a device connects with, so that the device token is auto-learned at first deployment or after a factory reset of the device. This is trust on first use: until that first message arrives, any sender that knows the device ID can claim it, so auto-learn is best left enabled only for the onboarding period.
  • The IoTGtw cloud service can be set up to permit device bootstrapping, which distributes a device ID and authentication token to devices that perform a valid bootstrap request.
  • The IoTGtw cloud service can be set up to permit devices to periodically request an authentication token refresh.
  • Private Service Access Points, which are accessible only to the customer's IoT devices, or to the specific subset of devices permitted to use that private Service Access Point.
  • Fine-grained access control defining which IoT devices are permitted to use one or more service regions and Service Access Points.
  • Granular IoT traffic orchestration and steering to and from specific customer endpoints (customer upstream applications).
  • Messaging Access Logs – Customers can see all access attempts, including failed and dropped messages, on their private Service Access Point. This information can be queried through the messaging API and is useful for troubleshooting and as a security log.
  • Full Access Logging – The service provides an API to retrieve the metadata of all provisioning and messaging API requests.
  • Encrypted application data – The service passes application-layer encrypted IoT messages through transparently between the IoT device and the upstream application, so the payload stays opaque to the gateway.
  • End-to-end security and encryption – for example, a DTLS-enabled Service Access Point on the device side combined with HTTPS RESTful API or MQTT/TLS delivery on the upstream side. Note that the DTLS and TLS sessions each terminate at the IoTGtw, so the payload is in the clear inside the service unless the application-layer encryption of the previous bullet is also used.
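The token bullets above describe a per-message token, auto-learning it on first contact, and refreshing it on request. The following model of that behaviour is an added example for this page, not IoTGtw code: the message shape (a dict with device_id, token and payload), the auto_learn and allow_refresh settings, and the TokenRegistry class are assumptions made for illustration. It shows the property a practitioner has to keep in mind with auto-learn: the first message to arrive for an unknown device ID becomes the trusted credential, after which a different token is rejected, and a refresh is granted only to a sender that proves it holds the current token.

```python
"""Model of per-device token authentication with auto-learn and refresh.

Added example for this page, not IoTGtw code. The message shape, the
auto_learn/allow_refresh settings and the class name are assumptions.
"""
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class TokenRegistry:
    """Gateway-side view: one current token per device ID."""

    def __init__(self, auto_learn: bool = False, allow_refresh: bool = False):
        self.auto_learn = auto_learn          # hypothetical setting: learn token on first contact
        self.allow_refresh = allow_refresh    # hypothetical setting: devices may request a new token
        self.tokens: Dict[str, str] = {}      # device_id -> current token
        self.log: List[Tuple[str, str]] = []  # (device_id, outcome), the material of an access log

    def provision(self, device_id: str, token: str) -> None:
        """Operator-supplied token: the path that does not rely on auto-learn."""
        self.tokens[device_id] = token

    def factory_reset(self, device_id: str) -> None:
        """Forget the stored token so the device's next message is learned again."""
        self.tokens.pop(device_id, None)

    def authenticate(self, msg: dict) -> bool:
        """Return True if the message carries the token on record for its device."""
        device_id = msg["device_id"]
        presented = msg.get("token", "")
        known = self.tokens.get(device_id)
        if known is None:
            if self.auto_learn and presented:
                # Trust on first use: whoever sends the first message for this
                # device ID now owns it. Keep this mode enabled only while onboarding.
                self.tokens[device_id] = presented
                self.log.append((device_id, "learned"))
                return True
            self.log.append((device_id, "dropped-unknown-device"))
            return False
        # Constant-time comparison: a plain == would leak token prefixes via timing.
        if hmac.compare_digest(presented.encode(), known.encode()):
            self.log.append((device_id, "accepted"))
            return True
        self.log.append((device_id, "rejected-bad-token"))
        return False

    def refresh(self, msg: dict) -> Optional[str]:
        """Issue a new token only if the request itself authenticates with the current one."""
        if not self.allow_refresh or not self.authenticate(msg):
            return None
        new_token = secrets.token_urlsafe(24)
        self.tokens[msg["device_id"]] = new_token
        self.log.append((msg["device_id"], "refreshed"))
        return new_token


if __name__ == "__main__":
    # Constructed walk-through: onboarding with auto-learn, an impostor, then a refresh.
    reg = TokenRegistry(auto_learn=True, allow_refresh=True)
    print(reg.authenticate({"device_id": "dev-1", "token": "tok-A", "payload": "t=21.5"}))  # True (learned)
    print(reg.authenticate({"device_id": "dev-1", "token": "tok-B", "payload": "t=99"}))    # False (rejected)
    new = reg.refresh({"device_id": "dev-1", "token": "tok-A"})
    print(reg.authenticate({"device_id": "dev-1", "token": "tok-A"}))                        # False (old token)
    print(reg.authenticate({"device_id": "dev-1", "token": new}))                            # True
    for entry in reg.log:
        print(*entry)
```

The log list is what a Messaging Access Log needs to show: which device IDs were learned, accepted, rejected or dropped. With auto_learn left at its default of False, a message from an unknown device is dropped rather than trusted, which is the mode to run in once onboarding is finished.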

The IoTGtw secures access to and from customer upstream applications with the following mechanisms:

  • API integration only allows encrypted connections (HTTPS/TLS).
  • Granular IP whitelisting to dictate which customer application servers (IP addresses) may initiate a message submit request. This is configured per Messaging Endpoint Profile.
  • Only the devices linked to the Upstream Application Profile (by way of the service profile) can be reached from the whitelisted customer upstream application IP addresses.
  • Secure outbound messaging and event notifications – The service uses secure channels such as HTTPS/RESTful APIs or MQTT/TLS to push outbound message payloads and notification events to the customer endpoint defined in the Messaging Endpoint Profile.
  • In addition to bearer-level encryption, request authentication can be added to the outbound API request header using industry-standard Basic-Auth, JSON Web Token (JWT) or Bearer Token authentication, depending on customer requirements (configured in the Customer Upstream Application Profile). TLS alone only protects the channel; this header is what lets the customer endpoint reject pushes that did not originate from the gateway.
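What the customer endpoint should do with that header, written as an added example for this page rather than IoTGtw code: the gateway's real outbound request format and the exact JWT claims it emits are not described here, so the credentials, the mode names basic/bearer/jwt, the HS256 signing, the required exp claim and the helper names below are all assumptions. The point it makes is that verifying the header is the endpoint's job: constant-time comparison for the shared secrets, and a pinned algorithm plus an expiry check for the JWT, so that an unsigned, mis-keyed or expired token is rejected.

```python
"""Verify the Authorization header on a push received from the gateway.

Added example for this page, not IoTGtw code. Credentials, mode names,
the HS256 choice and the required exp claim are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed per-endpoint configuration, mirroring what would be entered in
# the Customer Upstream Application Profile.
BASIC_USER = "iotgtw"
BASIC_PASSWORD = "constructed-basic-secret"
BEARER_TOKEN = "constructed-bearer-secret"
JWT_SECRET = b"constructed-jwt-hmac-key"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def basic_header(user: str, password: str) -> str:
    """Build a Basic-Auth header value; used here to construct test input."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def make_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a JWT. alg="none" yields an unsigned token, used only to show it is rejected."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    """Accept only HS256 tokens with a valid MAC and an unexpired exp claim."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False
    # Pin the algorithm from configuration; never let the token pick "none" or another alg.
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False
    exp = claims.get("exp")
    current = time.time() if now is None else now
    return isinstance(exp, (int, float)) and current < exp


def verify_authorization(header: Optional[str], mode: str, now: Optional[float] = None) -> bool:
    """mode is the scheme configured for this endpoint: 'basic', 'bearer' or 'jwt'."""
    if not header:
        return False
    scheme, _, credential = header.partition(" ")
    if mode == "basic":
        if scheme != "Basic":
            return False
        try:
            user, _, password = base64.b64decode(credential, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        # Evaluate both comparisons so timing does not reveal which part was wrong.
        user_ok = hmac.compare_digest(user.encode(), BASIC_USER.encode())
        pass_ok = hmac.compare_digest(password.encode(), BASIC_PASSWORD.encode())
        return user_ok and pass_ok
    if mode == "bearer":
        return scheme == "Bearer" and hmac.compare_digest(credential.encode(), BEARER_TOKEN.encode())
    if mode == "jwt":
        return scheme == "Bearer" and verify_jwt(credential, JWT_SECRET, now)
    return False  # unknown mode: fail closed
```

The mode comes from the endpoint's own configuration, not from the incoming header, so a request cannot downgrade itself to a scheme the endpoint was not configured for; the same principle pins the JWT algorithm to the configured HS256 instead of trusting the token's alg field.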