# IRIS+™ Security Overview

Cybersecurity is a field dedicated to protecting systems, networks, and data from digital attacks, damage, or unauthorized access. Here is a broad overview of the key concepts and components involved in protecting the IRIS+™ application and system.

## IRIS+™ Endpoints

**Secured endpoints**
- All endpoint communication is based on HTTPS / WSS.
- Certificates are issued by a well-known CA (Let's Encrypt).

**Data encryption**
- Data transferred from/to the IRIS+™ core is encrypted (TLS 1.3).
- Sensitive configuration data is encrypted (SHA-256).

**Data validation**
- Input data is serialized to well-known structured types.
- Input data is validated to avoid injections.

## IRIS+™ Cluster Security

**Isolated containers**
- Each service in the system is packaged as an isolated container image hosted by the orchestrator (Kubernetes).

**Namespaces**
- Services in the cluster run as pods in different namespaces to comply with a multi-tier application architecture:
  1. app: all stateless services, processing data in memory
  2. data: all stateful services holding data (DB, messaging, streaming)
- Kubernetes provides internal DNS and firewall rules to restrict communication across namespaces.

**Node tagging**
- Nodes are tagged according to the logical namespace, so that each node is assigned to a specific namespace.
- Customers may restrict traffic across nodes (physical/virtual) using an external firewall.

## IRIS+™ Application Security

**Authentication**
- Every IRIS+™ user is authenticated using a login/password.
- Users can enable a TOTP-based second factor.
- Passwords must comply with a strict password policy.

**Authorization (RBAC)**
- Users are assigned roles, and their roles determine which data they may access and which actions they may perform on it.

**Access restriction**
- Access to the system requires a valid API key (to identify the system) and an access token (to identify the user/service account) with specific access to resources.

**Session timeout**
- Sessions (identified by the access token) are restricted to 20 minutes of idle time.

**Audit log**
- Every user/service account action is logged in the audit log and kept for 60 days.
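The cross-namespace restriction described under cluster security above can be expressed as Kubernetes NetworkPolicy objects. The manifests below are an added illustration, not Irisity's own configuration; they assume the two tiers are namespaces literally named `app` and `data`, that cluster DNS is the `kube-dns` deployment in `kube-system`, and that the cluster runs a CNI that enforces NetworkPolicy.

```yaml
# Added illustration (not Irisity's manifests): policies enforcing the
# two-tier split. Assumes namespaces named "app" and "data" and a
# NetworkPolicy-enforcing CNI (e.g. Calico or Cilium). The label
# kubernetes.io/metadata.name is set automatically on every namespace
# since Kubernetes 1.21.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: data-ingress-from-app-only
  namespace: data
spec:
  podSelector: {}             # every pod in the data tier
  policyTypes:
    - Ingress                 # ingress becomes default-deny for these pods
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: app
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-egress-to-data-and-dns
  namespace: app
spec:
  podSelector: {}             # every pod in the app tier
  policyTypes:
    - Egress                  # egress becomes default-deny for these pods
  egress:
    # stateless services may only reach the data tier ...
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: data
    # ... and cluster DNS, so service names still resolve
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Without a NetworkPolicy-enforcing CNI the API server accepts these objects but nothing enforces them, so confirm the effect from a test pod in each namespace; any app-tier service that must reach a destination outside the cluster needs an additional egress rule.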
## IRIS+™ Edge Security

**Isolated containers**
- Each service running on the edge is packaged as an isolated container image hosted by the orchestrator (Kubernetes) or the Docker CE engine.

**Host machine hardening**
- The host OS runs the minimal set of daemons required to run Kubernetes or Docker CE.
- Access to the network configuration page is protected by edge credentials.
- Access to the device configuration page is protected by the registered IRIS+™ user credentials.

## Contact

For more information, please contact Irisity customer support.

- Enterprise solutions: e-mail technicalsupport@irisity.com (phone: not supported)
- Central monitoring services: e-mail support@irisity.com, phone +46 771 41 11 00