• No results found

Digi Device Cloud: Security You Can Trust

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Digi Device Cloud: Security You Can Trust"

Copied!
5
0
0

Loading.... (view fulltext now)

Download now ( 5 Page )

Full text

(1)

Digi Device Cloud:

Security You Can Trust

Abstract

Historically, security has oftentimes been an afterthought or a bolt-on to any

engineering product. In today’s markets, however, security is taking a firm front seat in engineering solution design. Digi International recognizes the crucial nature of security components to our products and services, including DigiDevice CloudSM. Indeed,

security is at the core of Device Cloud and regarded as a critical component to be passed to our customers.

This whitepaper will discuss the standards and controls put in place by Digi’s Cloud Security Office and answer common security questions. Digi’s Cloud Security policies are designed to support customer security frameworks, enabling solutions that meet specific corporate or standard security requirements.

(2)

2 www.digi.com | +1-877-912-3444 | +1-952-912-3444

Overview

Security is firmly at the core of every feature developed and every decision that is made regarding Device Cloud. The Digi Cloud Security Office fiercely protects the confidentiality, integrity and availability of the Device Cloud service. With over 175 different security controls in place that take into account security frameworks including, ISO27002’s ISMS, NERCs critical infrastructure protection (CIP) guidance, Payment Card Industry PCI-DSS v2, the Cloud Security Alliance (CSA) Cloud Controls Matrix, as well as relevant HIPAA and NIST standards, Device Cloud customers are assured that there is no safer place for their data.

People

Security for cloud services is a rapidly changing paradigm and the Device Cloud team is committed to providing security controls that set the industry standard. Working in conjunction with the Cloud Security Alliance, of which Digi International is a corporate member, a new version of the Cloud Controls Matrix v1.2 has been developed that reflects improved controls from NERC/CIP into cloud based services. The Device Cloud security team members are active and visible players in the data security space, speaking regularly at security conferences, including DefCon and ISSA, and have numerous articles published across online channels and industry journals. Our employees proudly hold certifications such as CISSP, RHCE, CCNP, MCSE, EC-COUNCIL’s Certified Security Analyst (CSA) and Certified Ethical Hacker (CEH), as well as ISO27002 Certified Lead Implementer certifications.

Certifications

Our systems are located in SSAE-16 (old SAS-70 Type II ) and ISO27001 certified facilities. If you are a Device Cloud customer and are interested in reviewing this information and these reports, please send an email to cloud.security@digi.com.

NERC/CIP

Device Cloud enables you to meet your security compliance targets by providing to your field devices the following security functions: Centralized Device Patching, Capacity Planning, Centralized Logging, Compliance Scanning, Compliance Reporting, Change Control, Backup/Disaster Recovery, Intrusion Detection and Asset Management.

HIPAA Compliance

Device Cloud is a strong component of a HIPAA-compliant solution. To meet HIPAA compliance, Digi recommends that Device Cloud act as a data conduit for health information. Since it does not process health information, customers looking to implement a HIPAA solution do not need a Business Associate agreement signed, provided that they encrypt the data while it is passed through the Device Cloud service.

(3)

PCI Compliance

Device Cloud has been used in PCI compliant networks. Our devices, in conjunction with standard security hardening practices, have received a passing ROC (Report on Compliance) from a top QSA.

Device Cloud Security Office Functions

The Device Cloud security office embraces a continuous improvement program for each security function:

Security Governance and Compliance

This bi-annual process is conducted to allow verification of compliance with all Device Cloud security policies. This includes such audit checks as user access attestations, as well as contract review processes.

Asset Management

To properly identify our scope of controls and configuration compliance, and to understand which function one of our servers does and which data it holds, we track this information via a Configuration Management DataBase.

Awareness Training

All employees and anyone who interacts with Device Cloud undergo mandatory annual training on information security. This training focuses on common security training as well as job specific training, for example the OWASP top ten security mistakes made by developers. This program is updated yearly and is required to be taken with a PASS/FAIL grade.

Compliance Reporting Change Control Centralized Logging Compliance Scanning Backup/ Disaster Recovery Intrusion Detection Asset Management Capacity Planning Centralized Device Patching

Security Compliance

(4)

4 www.digi.com | +1-877-912-3444 | +1-952-912-3444

Change Control

All Device Cloud code deployments follow a strict process of change control, where Quality Assurance processes are validated and all proper change control functions are tested prior to deployment to production, in order to minimize outages.

Compliance Scanning/Patch Management

Device Cloud uses the technology of eEye to identify non-compliance with the Center for Internet Standards (CIS) templates for security. Standards are also tracked against other configurations, such as FISMA and other DISA standards. Since this is an active scanning technology, any non-compliance is reported within 15 minutes. The eEye product also scans for and reports on vendor patches that are not applied.

Disaster Recovery

Risk assessments for Device Cloud service are continually reviewed and analyzed. With these risk assessments, the Device Cloud service can be quickly recovered from any unplanned outages. Although Device Cloud does not have a guaranteed recovery point objective (RPO) or recovery time objective (RTO) at this time, we have managed our program to meet a 3 hour RTO, with a 15 minute RPO. This program is minimally tested yearly. Information gathered from tests is reutilized to increase the robustness of our service.

Intrusion Detection and Anti-Virus

A top-tier product for network intrusion detection/prevention is used. In conjunction, a host-based intrusion detection/prevention system for further detection of security events is implemented. A leading provider is used for Anti-Virus. This solution is centrally managed and any alerts are centrally alerted via our SIEM solution and investigated.

Security Information and Event Management

Device Cloud uses LogRhythm as a SIEM solution. Logs are collected from the entire Device Cloud infrastructure to include, but not limited to, OS, firewalls, intrusion detection systems, as well as the Device Cloud core and applications. This data is centrally fed to a secure SIEM server and saved minimally for 1 year. An extensive list of active alarms for specific log messages, along with tools to review correlated events between different equipment looking for security attacks on Device Cloud infrastructure and applications ensures peace of mind.

Risk Management

The ISO27001 series process for calculating the risk for Device Cloud is strictly adhered to. This analysis is created by Device Cloud staff in conjunction with external vendors for accuracy. This risk assessment drives our process for determining areas for improvements.

Vulnerability Management

Device Cloud follows a complex vulnerability program. This includes many vendors and layers of testing. Below are the different methodologies of testing and frequency followed. Findings are recorded in a bug tracking system for further review and resolution.

(5)

External Infrastructure Yearly Pen Test (Outside Organization)

A leading vendor is contracted to conduct a yearly pen test on Device Cloud systems. All services that are available via our IPs are tested, along with any common standard protocols for all publically known weaknesses. Web applications and web services for common application weaknesses also use this.

External Application Authenticated Access

Continuous Testing (Outside Organization)

A leading application vulnerability scanning service is contracted. This service runs continuously with a credentialed access looking for web application weaknesses in Device Cloud code. An automated scan, many parts of the scan are reviewed and further tested by professional pen testers to validate false positives. This service alerts Device Cloud to any immediate vulnerabilities.

Internal Infrastructure Automated Scanning Testing (Internal)

Device Cloud uses an eEye server and Retina scanner to look for and detect open ports, and other services that may be vulnerable to attack. This scan runs on a nightly basis.

Internal Infrastructure Pen Test (Internal)

Device Cloud uses Nessus and other tools that are contained on the Backtrack CD for internal pen testing. This testing occurs during the QA process for major releases, as well as on an ad-hoc basis.

Code Reviews

All developers for Device Cloud code have a peer review process that allows them to validate each other’s work. The code for all of Device Cloud is run nightly through source code Security and Bug tools called Coverity and FindBugs. The code base is also run through other tools, such as Fortify, on an ad-hoc basis to validation between other tools.

References

Download now ( PDF - 5 Page - 62.74 KB )

Related documents

All the Lights of Midnight by Mark Z. Danielewski

Of course in the chapters that follow, Bassil leaves the common greats to concentrate exclusively on that genius from Chile, Salbatore Nufro y Cuevas Ruvias Orejón Sandino,

De novo assembly of viral quasispecies using overlap graphs

A sample sequenced with next-generation sequencing technology delivers enough reads and sufficient coverage to allow a de novo assembly of a viral genome (here, we mean a single

Can You Trust a Cloud-based Security Solution?

This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the “Materials”) and this site and

RE: 167 South Broadway, Salem NH SFC project # Tax Map 108, Lot 734

□ Six copies of the plan set (22” x 34”) dated 3/22/21, including floor plan by RWH □ One reduced copy of the plan prepared an 11” x 17” format.. □ Completed and signed

ADMINISTRATION GUIDE Cisco Small Business

To connect a device such as a PC or printer to your wireless network, you must configure the wireless connection on the device using the security information you configured for

ADMINISTRATION GUIDE Cisco Small Business

To connect a device such as a PC or printer to your wireless network, you must configure the wireless connection on the device using the security information you configured for

Bible Story 42 WATER FROM THE ROCK EXODUS 17:1-6

"And the LORD said to Moses, 'Go on before the people, and take with you some of the elders of Israel... There was plenty of water for the people

802.1x in the Enterprise Network

However, EAP Chaining can only be used if it is supported by both the supplicant on the client device and the RADIUS server involved with the authentication process..