Commend's defense-in-depth strategy is based on the principle of ensuring IT security in all areas (environments, design, implementation and integration) to eliminate vulnerabilities and attack vectors. In practice, this means:
- ISO/IEC 27001:2013 certified, company-wide information security management system
- World's first intercom company certified to IEC 62443:
  - Tested and certified by the globally recognized cyber security certification service provider TÜV SÜD
  - Commend development teams develop and implement secure communication and automation solutions in accordance with IEC 62443 Part 4-1
- Use of secure standard Internet protocols:
  - TLS and SSH data transfer security for HTTP and MQTT
  - Secured SIP network access via 802.1X authentication and 802.1Q VLAN connections
- Use of secure cryptography by default:
  - Encrypted, login-protected communication via Commend-signed device certificates
  - Commend Public Key Infrastructure (PKI) as the basic 'Root of Trust' (for generating and signing device and application certificates) to ensure mutually authenticated, encrypted communication
- Security-focused development processes:
  - Multi-level monitoring and testing
  - Regular test cycles before product releases and after updates
- Vulnerability monitoring and disclosure policy:
  - Penetration tests by external security testing bodies or ethical hackers
  - Coordinated processes for reporting and disclosing vulnerabilities
  - Commend Security Advisory Program: summaries of notifications, affected products, software updates, workarounds or mitigations, change log, etc.
The security-specific hardening of local and cloud-based Commend systems spans several basic levels:
Device Security
- Physical access protection
  - Vandal-resistant video intercom stations (with camera)
  - Tamper detection via electromechanical contact
  - USB and port debugging protection
  - Access control systems
- Secured network access
  - 802.1Q VLAN standard (network segmentation)
  - 802.1X secured login
  - Commend IP Secure Connector (automatic network cut-off in case of manipulation)
- Terminal device security
  - Offline capability, including SIP call and door call functions
  - Unique system login credentials for each individual device
  - SSH remote maintenance functions disabled by default
  - SHA and bcrypt salted passphrase hashes, encrypted access credentials
Data Security
- Data transfer protection
  - Encrypted, login-protected communication settings
  - TLS v1.2+ used exclusively with secure cipher suites (> 128-bit)
  - X.509 ECC NIST P-384 Commend device certificates
- Protection of stored data
  - Use of MS Azure for database and data storage via PaaS
  - Secured access to Azure data storage via device-specific SAS tokens
  - 256-bit AES data encryption
  - SHA and bcrypt salted password hashes (> 256-bit)
Application Security
- VirtuoSIS application security
  - Offline capability, including SIP call and door call functions
  - Support for multiple instances: enables service redundancy as an emergency fallback solution
- Application security for devices
  - Offline capability, including SIP call and door call functions
  - Enforced change of default login credentials upon first login
  - Password minimum requirements: 12 characters
  - Detection of brute-force login attacks
  - Secured network ports
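The device-side account controls listed above (salted password hashes, a forced change of the factory default on first login, a 12-character minimum, and brute-force detection) fit together in one small login handler. The following is an added example and not Commend's code: it uses stdlib PBKDF2-HMAC-SHA256 as a stand-in for the page's "SHA and bcrypt salted" hashing, and the iteration count, failure threshold and lock window are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import deque
from typing import Optional, Tuple

# Constructed example: device account with salted password storage, a forced
# change of the factory default, a minimum length policy and a sliding-window
# brute-force detector. Not Commend's implementation; parameters are assumptions.

MIN_PASSWORD_LENGTH = 12          # from the page: 12-character minimum
PBKDF2_ITERATIONS = 100_000       # assumption; raise to match device hardware
MAX_FAILURES = 5                  # assumption: failures tolerated per window
FAILURE_WINDOW_SECONDS = 60       # assumption: sliding window length


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random 16-byte salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def password_meets_policy(password: str) -> bool:
    return len(password) >= MIN_PASSWORD_LENGTH


class DeviceAccount:
    def __init__(self, factory_default: str):
        self.salt, self.digest = hash_password(factory_default)
        self.must_change = True        # default credential must be replaced on first login
        self.failures = deque()        # timestamps of recent failed attempts

    def _expire_old_failures(self, now: float) -> None:
        while self.failures and now - self.failures[0] > FAILURE_WINDOW_SECONDS:
            self.failures.popleft()

    def is_locked(self, now: float) -> bool:
        """Locked when MAX_FAILURES or more failures fall inside the window."""
        self._expire_old_failures(now)
        return len(self.failures) >= MAX_FAILURES

    def login(self, password: str, now: Optional[float] = None) -> str:
        """Return 'locked', 'denied', 'change_required' or 'ok'."""
        now = time.time() if now is None else now
        if self.is_locked(now):
            return "locked"                  # reject even a correct password while locked
        if not verify_password(password, self.salt, self.digest):
            self.failures.append(now)
            return "locked" if self.is_locked(now) else "denied"
        self.failures.clear()
        return "change_required" if self.must_change else "ok"

    def change_password(self, old: str, new: str) -> bool:
        """Rotate the credential; fails on a wrong old password or a policy violation."""
        if not verify_password(old, self.salt, self.digest) or not password_meets_policy(new):
            return False
        self.salt, self.digest = hash_password(new)   # new salt with every change
        self.must_change = False
        return True


if __name__ == "__main__":
    acct = DeviceAccount("factory-default-pw")
    print(acct.login("factory-default-pw"))                      # change_required
    print(acct.change_password("factory-default-pw", "short"))   # False (policy)
    print(acct.change_password("factory-default-pw", "correct horse battery"))
    for _ in range(MAX_FAILURES):
        print(acct.login("wrong guess"))                         # denied ... locked
```

The lock is time-based rather than permanent so that a single burst of wrong guesses from one source does not turn into a denial of service against the legitimate operator; the failure timestamps are also the natural hook for raising an alert to whatever monitoring the device reports into.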
Platform Security
- Cloud platform security
  - OAuth-based Identity and Access Management (IAM)
  - Azure Security Center monitoring
  - Azure Key Vault secrets management
  - Azure Storage Service Encryption (SSE)
  - Database Transparent Data Encryption (TDE)
- Open source and vulnerability management
  - Use of proven de-facto standard libraries for logins and encryption
  - Contributions to open source applications (e.g., Asterisk, BareSip, Mosquitto, Wireshark)
  - Continuous vulnerability scanning and monitoring
  - Commend Security Advisories
  - Secure default Internet protocols with a focus on compatibility and security