This section will show security concepts and aspects of Cumulocity, structured into physical security, network security, application security and access control. Finally, it shows how Cumulocity helps in managing the security of your IoT solution.
This section is especially intended for IT security staff and management staff. IT security expertise is required when running Cumulocity.
More information can be found in the security-related sections of the remaining documentation, like the REST implementation and User API description in the Reference guide. Permissions required for individual API calls are documented in the respective Reference guide sections for the APIs.
Cumulocity complies with Nokia Networks’ “Design for Security” policy (which is unfortunately not available publicly) and Deutsche Telekom’s “Privacy and Security Assessment” (PSA):
* detailed criteria in English
* detailed criteria in German
Physical security aspects
Physical security of IT systems prevents unauthorized physical access to servers, storage, and network devices.
Cumulocity Standard Tenant accounts are hosted at Amazon Web Services (AWS). AWS has been certified according to ISO 27001, DSS and other standards. It features extensive physical security measures and is independently audited. Not all details are published for actual security reasons. Audit reports can be obtained directly at AWS Compliance.
Our strategic hosting partners follow up to date concepts and concepts of data security.
In IoT solutions, physical security also includes unauthorized access to IoT devices, for example, to redirect or manipulate data from devices, read credentials from devices or change a device’s configuration. We recommend to review the physical security of the devices that you plan to use for your IoT solution and, for example, make configuration ports unavailable to unauthorized people or include tamper sensors as an additional security control within your own system.
As the operator of the Cumulocity platform we do not control internal systems of our tenants. As a tenant you must follow a powerful and carefully considered security concept for your own system.
Network security aspects
Network security prevents unauthorized access to data transmitted over the network and tampering with or unauthorized modification of data. It also ensures that network services are available.
Cumulocity ensures that your data stays confidential and cannot be tampered with through an end-to-end implementation of HTTPS from devices to applications. It uses up-to-date encryption technology that has been independently rated “A” by SSLlabs. Any communication with Cumulocity is subject to individual authentication and authorization.
This communication architecture is illustrated below. Inside the sensor networks and from the sensor networks to agents, device- and gateway-specific protocols may be in use (such as ZigBee or Modbus). Securing these is a device-specific matter. Agents communicate with the Cumulocity platform using HTTPS to send and receive data. Similarly, IoT applications use HTTPS for communication. If an IoT application exposes own interfaces towards web browsers, it is recommended that these use HTTPS. This way, the whole path from agents to the end user is secured.
As mentioned above, Cumulocity does not require any device that might expose ports or services on the Internet. This is an important feature: it not only simplifies the connection of devices to Cumulocity, but also simplifies the safety backup of these devices drastically. When deploying an IoT solution, check other services that might make a device available on the Internet or expose it, such as web-based device managers or SMS-based configuration options.
The Cumulocity IoT platform allows old or low-power devices to connect to it over unencrypted protocols like HTTP. This because such devices are not capable of doing encryption or only provide week encryption methods (e.g. TLSv1.0). Using old devices and unencrypted communications is discretionary and considering the risk that such communications are prone to attacks. For instance, an attacker suitably positioned to view a legitimate device’s network traffic could record and monitor their interactions with the platform and obtain any information the device supplies. Note that using a mixture of encrypted and unencrypted communications is an ineffective defense against active attackers, because they can easily remove references to encrypted resources when these references are transmitted over an unencrypted connection.
Hence, it is recommended to use transport-level encryption (SSL/TLS) to protect all communications passing between the device and the platform. The Strict-Transport-Security HTTP header should be used to ensure that devices refuse to access the platform over an insecure connection.
Application security aspects
Application security addresses security at the software level.
Cumulocity follows standard practices for application-level hardening as making sure that only properly upgraded operating systems and web servers are in use. A number of additional “best practices” are employed to make Cumulocity secure by design.
- All functionality of Cumulocity is coherently implemented with the same set of publicly documented, sessionless REST APIs. This means that none of the popular “session stealing” techniques will work with Cumulocity.
- Cumulocity does not use a SQL database for IoT data storage and is itself not based on a scripting language. This means that so-called “injection attacks” will not work with Cumulocity.
- As discussed above, devices are clients at Cumulocity and therefore popular attacks to devices will not work.
- Devices are individually connected with Cumulocity’s device registration feature. This means that if a device is stolen or tampered with, it can be individually disconnected from Cumulocity.
Cumulocity uses a standard authentication and authorization process based on realms, users, user groups, and authorities. A realm is a database of users and user groups, who follow the same authentication and authorization policy. A user is a person or an external system entitled to access protected resources inside Cumulocity.
Cumulocity creates a new realm for each tenant to store the users of that tenant. Realms provide an own namespace for usernames, allowing users to keep the names that they are familiar with from their own enterprise IT or other IT systems. There is no conflict between user names: A user “smith” of one particular tenant is different from a user “smith” of another tenant. This username is valid for all Cumulocity applications that a tenant subscribes to.
Each new realm is automatically populated with an initial administrator user who can create further users and user groups (i.e. global roles), and who can assign permissions to them. This enables an enterprise to manage users and their permissions on their own using the Administration application.
Permissions and ownership
The ability to execute certain functionality on the system depends on two concepts: Permissions and ownership.
Permissions define explicitly what functionality can be executed by a user.
Cumulocity distinguishes read permissions and administration permissions. Read permissions enable users to read data. Administration permissions enable users to create, update and delete data. Read and administration permissions are separately available for the different types of data in Cumulocity. For example, there are read permissions for inventory data, measurements, operations and so forth.
To manage permissions more easily, they are grouped into so-called “roles”. Every user can be associated with a number of roles, adding up permissions of the user.
The following types of roles can be associated with users:
Global roles: Contain permissions that apply to all data within a tenant. Inventory roles: Contain permissions that apply to groups of devices.
Objects in the inventory also have an owner associated with them. If you have created an object, you are the owner of it and can manage it without requiring any further permissions. Owners can always, regardless of their other permissions,
- Read, Update and delete the inventory objects they own.
- Create, read, update and delete data associated with the objects they own.
For example, if you are the owner of a smart meter in the inventory, you can store meter readings for that smart meter even if you do not have any other measurement permissions.
The inventory also features a CREATE permission. A user having just the create permission can store new objects in the inventory, but can not read, modify or delete any other data. This is mainly relevant for devices. The CREATE permission also includes the possibility to link your object to another object as child device or child asset.
However, you cannot manage any devices or groups that you did not create yourself, unless you also have the UPDATE permission or an additional inventory role.
This concept helps to assign minimal permissions to devices.
Limiting access to managed objects
Cumulocity allows you to set global permissions that are applicable to all managed objects, measurements, events and so forth. It also allows a limitation of permits.
- To specific managed objects or a set of managed objects.
- To a single user or a group of users.
- To individual fragments.
Managing roles and assigning permissions
Global roles and inventory roles are created and managed in the Roles page of the Administration application.
A detailed description on available default roles and on creating and assigning global and inventory roles can be found in Managing permissions in the Administration section of the User guide.
Globally accessible objects
It is possible to make any object accessible by any user without specific rights. To grant those rights just add a new fragment called “c8y_Global” to the object.
Permissions are extended along two dimensions:
- Permissions for a group apply to all users in that group.
- Permissions for a managed object apply to all child devices and child assets.
Permit a user to read the temperature measurement of device “10200”:
10200, MEASUREMENT, c8y_TemperatureMeasurement, READ
Permit a user to read any measurement of device “10200”:
10200, MEASUREMENT, *, READ
Permit a user to restart device “10200”:
10200, OPERATION, c8yRestart, ADMIN
Security management aspects
Whenever a security-relevant event occurs, it needs to be logged for potential auditing. Security-relevant events may happen both on application level as well as in the IoT network. A simple example of a security-relevant event on application level is a login to the application. An example of a security-relevant event on the network level is using a local software or local control on a device to manipulate the device.
To capture security-relevant events, Cumulocity offers an auditing interface. This interface enables applications and agents to write audit logs, which are persistently stored and cannot be externally modified after being written. Cumulocity itself also writes own audit records related to login and device control operations.
To receive security-related reports about Cumulocity itself, interested parties can subscribe to the Cumulocity security bulletin. To report security incidents, please mail to email@example.com.
Cumulocity addresses security on various levels.
All business partners and service providers have recognized security certificates. Cumulocity also deals with network security aspects by individual authentication and authorization methods.
Connections from and to Cumulocity are established using HTTPS technology.
All tenants have full rights to add or terminate users and user groups. The tenant also assigns rights to agents and devices.