IRIS+™ Security Overview


Cybersecurity is a field dedicated to protecting systems, networks, and data from digital attacks, damage, or unauthorized access. Here is a broad overview of the key concepts and components involved in protecting the IRIS+™ application and system:



IRIS+™ Endpoints

Secured Endpoints

  • All endpoint communication based on HTTPS / WSS
  • Certificate issued by a well-known CA (LetsEncrypt)

Data Encryption

  • Data transfer from/to the IRIS+™ Core is encrypted (TLS 1.3)
  • Sensitive configuration data is encrypted (SHA-256)

Data Validation

  • Input data is serialized to well-known structured types
  • Input data validation to avoid injections



IRIS+™ Cluster Security

Isolated Containers

  • Each service in the system is packed as an isolated container image hosted by the orchestrator (Kubernetes)

Namespaces

  • Services in the cluster run as pods in different namespaces to comply with the multi-tier application architecture:
    1. App – all stateless services processing data in memory
    2. Data – all stateful services holding data (DB, Messaging, Streaming)
  • Kubernetes provides internal DNS and firewall rules to restrict communication across namespaces

Node Tagging

  • Nodes are tagged according to their logical namespace to ensure that each node is assigned to a specific namespace
  • Customers may restrict traffic across nodes (physical/virtual) using an external firewall
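The namespace separation and node tagging described above can be expressed as Kubernetes objects. The following manifests are an added illustration, not part of the IRIS+™ deployment; the namespace names `app` and `data` and the node label `tier` are assumptions:

```yaml
# Default-deny ingress for every pod in the "data" namespace (assumed name).
# With no other policy, data-tier pods accept no inbound traffic at all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: data
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Allow ingress to data-tier pods only from pods in the "app" namespace.
# kubernetes.io/metadata.name is set automatically on every namespace,
# so the selector cannot be spoofed by a pod label.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-app-tier
  namespace: data
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: app
---
# Pin a data-tier pod to nodes tagged with the assumed label tier=data,
# so stateful workloads never land on app-tier nodes.
apiVersion: v1
kind: Pod
metadata:
  name: example-db
  namespace: data
spec:
  nodeSelector:
    tier: data
  containers:
    - name: db
      image: postgres:16   # placeholder image for illustration
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them, so verify after applying by attempting a connection from a pod in a third namespace and confirming it is refused.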

IRIS+™ Application Security

Authentication

  • Every IRIS+™ user is authenticated using a login/password
  • Users can enable TOTP-based second-factor authentication
  • Password must comply with a strict password policy

Authorization (RBAC)

  • Users are granted access to data, and the actions they may perform on it, according to their assigned roles

Access Restriction

  • Access to the system requires a valid API Key (to identify the system) and Access Token (to identify the user/service account) with specific access to resources

Session Timeout

  • Sessions (identified by Access Token) are restricted to 20 minutes of idle time

Audit Log

  • Any user/service account action is logged in the audit log and kept for 60 days



IRIS+™ Edge Security

Isolated Containers

  • Each service running on the edge is packed as an isolated container image hosted by the orchestrator (Kubernetes) or the Docker CE engine

Host Machine Hardening

  • The host OS runs the minimal set of daemons required to run Kubernetes or Docker CE
  • Access to the network configuration page is protected by Edge Credentials
  • Access to the device configuration page is protected by the registered IRIS+™ user credentials



For more information, please contact Irisity customer support.

For enterprise solutions: E-mail: [email protected]; Phone: Not supported

For central monitoring services: E-mail: [email protected]; Phone: +46 771 41 11 00