Stream Security Solutions: Device Auditing and Platform Security

In my previous article, I explained how Stream's network infrastructure helps to protect our customers' online security. In this article I'll explain more of Stream's security features, including how we monitor device behaviour to detect security red flags, and I'll detail the security features of our connectivity management platform, IoT-X.

Device Auditing

Stream have an extremely detailed level of visibility relating to the behaviour of the devices operating on our network. Stream's device auditing tools provide us with live visibility of device behaviour, including information such as whether devices are online or offline, the amount of data they are using and the locations to which they are transmitting data. This is extremely beneficial when it comes to determining if the security of a device has been compromised. For example, if it is suspected that the security of a customer's devices has been breached, they can raise a request with Stream's support team to audit the device on their behalf.

Stream foster a much closer relationship with our customers than other connectivity providers, and the auditing services that we provide are indicative of this. Our team use a variety of tools to audit devices, including traffic tracing, audit logs and data monitoring alerts.

Traffic Tracing on Demand

If you suspect that a device has been compromised, Stream's team of Technical Support Analysts can perform a Wireshark trace on the device's traffic. This enables us to monitor all TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) traffic from the device. Our team can assist in interpreting the results and in determining whether the device's security has been compromised. If a device has been compromised, we can advise on the action you should take to isolate the problem.

Audit Logs of Packet Transfers

Audit logs of packet transfers contain metadata relating to the location to which a device is sending data. This information is useful for determining if a device has been compromised. For example, if the logs indicate that the device is sending packets to an unknown location, or to a location that has not been specified by the customer, this provides a clear indication that the device has been breached.

Data Monitoring Alerts

Stream's data monitoring alert service allows customers to set usage alert thresholds and receive notifications if their devices exceed defined usage limits. Usage limits can be defined on a company-wide, device group or device-by-device basis. Customers can nominate monitoring alert recipients, who will be notified by email if data usage thresholds are reached. This service can be used to guard against customers incurring data charges from unwanted traffic being sent to or from their devices.
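The two checks described above (packets to a destination the customer has not specified, and usage over a defined threshold for a device or device group) as an added example, not Stream's own tooling. The record layout, the expected-destination lists and the thresholds are all constructed assumptions; a real audit log would be parsed into the same fields.

```python
# Added example (not Stream's code): flag audit-log entries whose destination is
# not on a device's expected-endpoint list, and raise usage alerts when the bytes
# a device or group sends exceed a configured threshold.
from collections import defaultdict
import ipaddress

# Constructed sample audit records: (device_id, group, dest_ip, bytes_sent).
# The field layout is an assumption; real audit-log formats differ.
AUDIT_LOG = [
    ("dev-001", "site-london", "203.0.113.10", 1_200),
    ("dev-001", "site-london", "203.0.113.10", 900),
    ("dev-002", "site-london", "198.51.100.7", 48_000),
    ("dev-002", "site-london", "192.0.2.99", 600),   # not on dev-002's list
    ("dev-003", "site-leeds", "203.0.113.10", 4_000),
]

# Destinations the customer has specified for each device (assumed config).
EXPECTED_DESTINATIONS = {
    "dev-001": ["203.0.113.0/24"],
    "dev-002": ["198.51.100.7/32"],
    "dev-003": ["203.0.113.0/24"],
}

# Usage thresholds in bytes (assumed); keys are device ids or group names.
THRESHOLDS = {"dev-002": 40_000, "site-london": 50_000, "site-leeds": 10_000}


def unknown_destinations(log, expected):
    """Return (device, dest_ip) pairs sent somewhere not on the device's list.
    A device with no list at all has every destination flagged: deny by default."""
    flagged = []
    for device, _group, dest, _n in log:
        networks = [ipaddress.ip_network(n) for n in expected.get(device, [])]
        if not any(ipaddress.ip_address(dest) in net for net in networks):
            flagged.append((device, dest))
    return flagged


def usage_alerts(log, thresholds):
    """Return {name: total_bytes} for every device or group over its threshold."""
    totals = defaultdict(int)
    for device, group, _dest, n in log:
        totals[device] += n   # device-by-device total
        totals[group] += n    # device-group total
    return {name: totals[name] for name, limit in thresholds.items()
            if totals[name] > limit}


if __name__ == "__main__":
    print("unexpected destinations:", unknown_destinations(AUDIT_LOG, EXPECTED_DESTINATIONS))
    print("usage alerts:", usage_alerts(AUDIT_LOG, THRESHOLDS))
```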

Custom Credentials per Device

To bolster the security of your devices, Stream can generate custom username and password credentials on a device-by-device basis. This can be useful for organisations with a large device estate, as it means the customer can minimise the time spent on configuring secure device credentials.

Platform Security

IoT-X is Stream's award-winning connectivity management platform. It's used by enterprises and global organisations to manage cellular, satellite and LPWAN (Low-Power Wide Area Network) connectivity, including LoRa®. As well as supporting established connectivity methods, IoT-X is fully integrated with Oberthur's M-Connect eUICC platform and Stream's LoRaWAN™ network server, and it includes LoRa subscription management capability. IoT-X has been developed with security in mind; to this end, the platform includes a wealth of functionality that's designed to keep your devices safe, secure and private.

Two-Factor Authentication

Increasing levels of digital crime and internet fraud have raised awareness of the importance of using passwords that are difficult to guess. Common password guidelines include tips like:

  • Make sure your passwords are at least 8 characters in length - ideally longer.
  • Use a random mixture of upper and lower-case characters, numbers, punctuation, spaces and symbols.
  • Don't use a word that's found in the dictionary.
  • Don't use the same password twice.
  • Never share your password.

Despite this, a list of the most common passwords of 2016 reveals that using the word "password" as a password is still a thing.

Two-factor authentication, also called 2FA, delivers an extra layer of security on top of the conventional username and password authentication method. It's designed to make sure that you're the only person who can access your account, even if your password has been compromised.

Two-factor authentication requires the user to log in to an application by using their username and password as well as providing a piece of information that only they have. This is often a physical token, or comes as a single-use "one-time" password which can be sent via text or phone call. Most people who use services such as online banking will be familiar with this process, although they may not realise it's called two-factor authentication. To protect accounts from being accessed by unwanted parties, IoT-X enables organisations to set up two-factor authentication for their users.

Fine-Grain User Management

If a user is provided with unnecessary privileges or data access rights, the impact of misuse or compromise of the account will be more severe than it needs to be. To mitigate this risk, Stream recommends that all users are assigned the minimum level of permissions they need to do their job. We also recommend that the number of users that have highly elevated system permissions is kept to a minimum.

To facilitate this, the IoT-X user management system provides account administrators with an extremely granular means of managing the level of access that users have with regards to the functionality and devices associated with the account. This enables administrators to restrict the activities that users can perform on devices when they're logged in to the platform. For example, if a user wants to terminate a device, they must have the permission to "Terminate a Device". Similarly, if an administrator wants to minimise the number of people within their organisation who can order new devices, they can restrict the number of users who have the "Order Stock" permission.

IoT-X's fine-grain user management system allows account administrators to ensure that access to the platform is proportionate to each user's role. By only providing users with the permissions that they need to fulfil their role, administrators can reduce the capability of attackers seeking to compromise the system. For example, malicious parties will often target user accounts that have an extremely high level of system access. If an attacker compromises an account that has a high level of access, they will be able to do more damage than if they access an account with basic privileges. Therefore, using the IoT-X permission system to minimise the number of users that have a high level of access to the account is key to security as it also minimises the attack vectors that can be used by malicious parties seeking to access the platform.

Device Groups

IoT-X allows customers to organise their devices into distinct groups and restrict access to the devices in each group to specific users. This is useful, not just in terms of security, but also in terms of organisation. For example, if a company wants to organise their devices by location, they can create a device group for each location to which devices are deployed. Once the group has been created, devices can be added to it to make it easy to identify where devices are in geographic terms.

This functionality also enables organisations to provide restricted access to their device estate. For example, an organisation can use device groups to provide restricted device access to external parties, such as contractors or on-site technicians. In this case, the organisation can create a group which is limited to the devices that the technician needs access to. This means that the technician will only be able to view and perform operations on devices that are in this group. This mitigates the risk of a third party accidentally manipulating a device that they should not have access to.
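The access model described in the user-management and device-group sections above, as an added example that is not IoT-X's own code: an action is allowed only when the user holds the named permission and the target device sits in a group the user can see, and a helper lists who holds a high-impact permission so an administrator can keep that set small. The permission names come from the article; the users, devices and groups are constructed.

```python
# Added example (not IoT-X code): permission-scoped and group-scoped device
# access, with deny-by-default for unknown devices.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset   # e.g. {"View Device", "Terminate a Device"}
    groups: frozenset        # device groups the user is allowed to see


@dataclass(frozen=True)
class Device:
    device_id: str
    group: str


# Constructed estate: two site groups; the contractor is limited to one site
# and holds only the view permission.
DEVICES = {
    "dev-001": Device("dev-001", "site-london"),
    "dev-002": Device("dev-002", "site-london"),
    "dev-003": Device("dev-003", "site-leeds"),
}
USERS = {
    "admin": User("admin", frozenset({"View Device", "Terminate a Device", "Order Stock"}),
                  frozenset({"site-london", "site-leeds"})),
    "ops": User("ops", frozenset({"View Device", "Terminate a Device"}),
                frozenset({"site-london", "site-leeds"})),
    "contractor": User("contractor", frozenset({"View Device"}),
                       frozenset({"site-leeds"})),
}


def authorise(user, action, device_id):
    """Allow an action only if the user holds the permission AND can see the group."""
    device = DEVICES.get(device_id)
    if device is None:
        return False   # unknown device: deny rather than guess
    return action in user.permissions and device.group in user.groups


def visible_devices(user):
    """Devices the user can see at all, i.e. those in one of their groups."""
    return sorted(d.device_id for d in DEVICES.values() if d.group in user.groups)


def holders_of(permission):
    """Users holding a high-impact permission: the list an admin reviews to keep it minimal."""
    return sorted(u.name for u in USERS.values() if permission in u.permissions)
```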

Stay Informed

To keep up to date with the latest on Stream's products and services, be sure to follow us on:

Twitter: @StreamTechLtd
Facebook: /StreamTechUK