IRIS+™ CM Security Overview


Cybersecurity is a field dedicated to protecting systems, networks, and data from digital attacks, damage, or unauthorized access. Here is a broad overview of the key concepts and components involved in protecting the IRIS+™ CM application and system:

IRIS+™ CM Endpoints

Secured Endpoints

  • All endpoint communication based on HTTPS / WSS
  • Certificate issued by a well-known CA (Let's Encrypt)

Data Encryption

  • Data transfer from/to the IRIS+™ Core is encrypted (TLS 1.3)

Password Security

  • IRIS+™ CM utilizes SHA-256 to generate hash keys

Data Validation

  • Input data is serialized to well-known structured types
  • Input data is validated to prevent injection attacks

IRIS+™ CM Cluster Security

Isolated Containers

  • Each service in the system is packed as an isolated container image hosted by the orchestrator (Kubernetes)

Namespaces

  • Services in the cluster run as pods in different namespaces to comply with the multi-tier application architecture:
    1. App – all stateless services processing data in memory
    2. Data – all stateful services holding data (DB, Messaging, Streaming)
  • Kubernetes provides internal DNS and firewall rules to restrict communication across namespaces

Node Tagging

  • Nodes are tagged according to the logical namespace so that each node is assigned to a specific namespace

IRIS+™ CM Application Security

Authentication

  • Every IRIS+™ user is authenticated using an email/password
  • Users can enable TOTP-based second-factor authentication
  • Password requirements follow the NIST password guidelines and practice, with a minimum password length of 8 characters
  • Authentication checks for email and password similarities to prevent easy-to-crack passwords

Authorization (RBAC)

  • User access and roles are restricted to only their own account and data to prevent unauthorized data access

Access Restriction

  • Authentication cookies are utilized to access IRIS+ via the browser
  • Access tokens are generated and used for communications to the core
  • API keys and access tokens are utilized to access service accounts that operate within the IRIS+ ecosystem

Session Timeout

  • Portal browser sessions (as identified by their authentication cookie) are restricted to 20 minutes of idle time
  • If the user operates under an Operator role, the session is restricted to a maximum of 24 hours, regardless of idle time
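To make the two limits concrete, here is an added example (not Irisity's code) of a server-side session-validity check that applies the 20-minute idle limit to every portal session and the 24-hour absolute limit to the Operator role; the `Session` fields, the role string `"Operator"`, and the timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Limits from the policy: 20 min idle for every portal session and a
# 24 h absolute lifetime for the Operator role regardless of activity.
IDLE_LIMIT = timedelta(minutes=20)
OPERATOR_ABSOLUTE_LIMIT = timedelta(hours=24)
OPERATOR_ROLE = "Operator"  # assumed role identifier

@dataclass
class Session:
    """Server-side state behind one authentication cookie (assumed fields)."""
    user: str
    role: str
    started_at: datetime    # when the cookie was issued
    last_seen_at: datetime  # last authenticated request

def session_state(session: Session, now: datetime) -> str:
    """Return 'active', 'expired_idle' or 'expired_absolute'. The absolute
    cap is checked first so an Operator still clicking is logged out at 24 h."""
    if session.role == OPERATOR_ROLE and now - session.started_at >= OPERATOR_ABSOLUTE_LIMIT:
        return "expired_absolute"
    if now - session.last_seen_at >= IDLE_LIMIT:
        return "expired_idle"
    return "active"

def touch(session: Session, now: datetime) -> str:
    """Record a request. Only an active session gets its idle clock reset;
    an expired one is never silently revived and must re-authenticate."""
    state = session_state(session, now)
    if state == "active":
        session.last_seen_at = now
    return state

def expires_at(session: Session) -> datetime:
    """Earliest moment the cookie becomes invalid (for its Expires/Max-Age)."""
    deadline = session.last_seen_at + IDLE_LIMIT
    if session.role == OPERATOR_ROLE:
        deadline = min(deadline, session.started_at + OPERATOR_ABSOLUTE_LIMIT)
    return deadline

def simulate(role: str, activity_minutes: list, check_minute: int) -> str:
    """Replay a constructed session: requests at the given minute offsets after
    login (ascending), then report the state at check_minute."""
    start = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)  # constructed login time
    session = Session("alice@example.com", role, start, start)
    for minute in activity_minutes:
        touch(session, start + timedelta(minutes=minute))
    return session_state(session, start + timedelta(minutes=check_minute))
```

A non-Operator who keeps clicking every 10 minutes stays logged in indefinitely, while an Operator doing the same is cut off at the 24-hour mark.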

Audit Log

  • Any user/service account action is logged in the audit log and kept for 60 days

IRIS+™ CM Edge Security

Isolated Containers

  • Each service running in the edge is packed as an isolated container image hosted by the orchestrator (Kubernetes) or Docker CE engine

Host Machine Hardening

  • The host OS runs the minimal set of daemons required to run Kubernetes or Docker CE
  • Access to the network configuration page is protected by Edge Credentials
  • Access to the device configuration page is protected by the registered IRIS+™ user credentials

For more information, please contact Irisity customer support by submitting a support ticket or by reaching out to our Services support team at [email protected]