IT security put at the fingertips
In the first part of this IT Security miniseries on the Symphony Cloud platform, we talked about Physical Security at the building's entrance door/gate. In this post, we will look at the next level(s) of the Symphony defense-in-depth strategy: Network and Data Security.
Earlier this year Forbes magazine reported that 70% of network security breaches originate at endpoints. Typical reasons include missing or insufficient protective controls, such as authentication, certification and encryption. Poorly protected endpoints (such as cloud-based devices) are a prime target for cybercriminals, who have a growing arsenal of amazingly efficient tools at their disposal to 'sniff out' such vulnerabilities. Open-source port scanners such as Masscan can scan the entire Internet for open ports in under six minutes (!) from a single machine. And search engines like Shodan make finding vulnerable devices on the Internet of Things as easy as a simple Google search.
In view of these developments, it was clear to the Symphony developers that simply adding IT security measures on top of the cloud-based apps and devices wouldn't do – not by a long shot. It is precisely for this reason that the cloud native Commend Symphony platform has been developed from the start to be “secure by design” in line with Commend's holistic Privacy and Security by Design (PSBD) approach. In keeping with this commitment, Commend has also implemented an ISO/IEC 27001:2013 compliant Information Security Management System (ISMS) to keep all corporate data as well as customer and supplier information safe.
Putting security first – and making it last
In their security-first approach, Commend's DevSecOps team has gone to great lengths to build the latest cybersecurity capabilities into the Symphony Cloud platform. Throughout the entire lifecycle, they follow a security-focussed approach by consistently applying a variety of measures. Let's look at some of them.
Threat modelling: Be prepared!
Cyberattacks come in an amazing variety of strategies and levels of sophistication. To meet this challenge, Symphony security development is based on the STRIDE approach (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege). This allows the developers to study potential vulnerabilities and simulate various attack scenarios (e.g., client/server spoofing, denial of service (DoS) attacks, elevation of privilege via code injection, etc.). Based on the results, they can then implement countermeasures with respect to specific security goals. To complement these efforts, the Symphony deliverables are subjected to continuous, highly automated quality testing, and for further network security the mechanisms of the cloud provider are used.
Authentication: A question of identity
Poor authentication, especially in a cloud-based solution, is like a security disaster waiting to happen. This is why in Symphony all access to configuration settings is state-of-the-art password-protected based on our internal product secret policy. In addition, the Symphony platform API is protected by state-of-the-art API token authentication. Naturally, Symphony also comes with a zero-tolerance policy where default passwords are concerned. To ensure ultimate security, authentication throughout the Symphony platform is managed via world-leading authentication & authorisation services.
Authorization: The key to secure communication
Implicitly trusting every device within one's network is a mistake that Symphony avoids systematically through certification of valid Symphony devices. For this reason, every Commend device comes pre-configured with a factory-set certificate.
Now whenever a Symphony device, such as a concerto Station or a third-party iOS or Android mobile device, is 'claimed' with the Symphony service, it becomes an edge device to be managed by the Symphony Cloud only. As a result, it can be identified as a valid component with specific access privileges within the Symphony environment.
With all registered devices being 'fingerprinted' like that, Symphony can immediately detect and block any attempt by an attacker to spoof a Symphony device by means of extraneous equipment.
These certificates are also used to enable a secure key-exchange, as Symphony uses only encrypted connections for all data and audio/video connections (SIPS, SRTP, HTTPS, MQTTS etc.). These essential security features cannot be deactivated by the user.
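To illustrate the claim-and-fingerprint mechanism described above, here is an added example (not Commend's code; the registry class, the device IDs and the certificate bytes are constructed placeholders). It binds a device to the SHA-256 fingerprint of the certificate it presented at claim time, rejects later connections that present a different certificate, and enforces the encrypted-only transport policy for the protocols the post lists.

```python
import hashlib
from dataclasses import dataclass, field

# Only the encrypted transports named in the post are accepted (assumed mapping).
ENCRYPTED_TRANSPORTS = {"sips", "srtp", "https", "mqtts"}


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class ClaimRegistry:
    """Hypothetical registry: device_id -> fingerprint of the factory certificate
    the device presented when it was claimed."""
    claimed: dict = field(default_factory=dict)

    def claim(self, device_id: str, cert_der: bytes) -> bool:
        """Bind a device to its certificate. A device is claimed once; a second
        claim under the same ID with a different certificate is refused, so
        extraneous equipment cannot take over a claimed identity."""
        fp = cert_fingerprint(cert_der)
        existing = self.claimed.get(device_id)
        if existing is not None and existing != fp:
            return False
        self.claimed[device_id] = fp
        return True

    def authenticate(self, device_id: str, cert_der: bytes) -> bool:
        """Accept a connection only if the presented certificate matches the
        fingerprint recorded at claim time. Unknown devices are rejected."""
        return self.claimed.get(device_id) == cert_fingerprint(cert_der)


def is_encrypted_transport(url: str) -> bool:
    """True only for URLs whose scheme is one of the encrypted transports;
    plaintext SIP, RTP, HTTP or MQTT is refused."""
    scheme, sep, _rest = url.partition("://")
    return bool(sep) and scheme.lower() in ENCRYPTED_TRANSPORTS
```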
What is more, these security measures are complemented by regular automatic updates that keep reinforcing Symphony’s cyberdefence shields without the user having to lift a finger.
All these network and data security measures involve sophisticated processes based on amazingly powerful concepts like public key encryption and related technologies (which we intend to explore a little further in an upcoming post). The main takeaway at this point is that Symphony puts it all at the fingertips of users and operators without them even noticing it. This way, they can enjoy all the benefits of revolutionary door call convenience and upcoming services with tap-and-swipe ease, while Symphony makes sure they can do so with the reassurance of having their safety, privacy and property protected.
In our next blog post we’re taking a closer look at the final layer of Symphony IT Security: Fail Safety.
To learn more about Symphony, visit the Symphony homepage or contact your local Commend representative.