JIKE Information Security Whitepaper (translated from the Chinese edition)
Security Principles
Security Goals
JIKE Technology is an industrial internet solution provider that delivers edge-to-cloud software and hardware products and cloud services to industrial enterprise customers. Building on industrial IoT, cloud computing, operations research optimization and knowledge graph technology, it helps industrial enterprises monitor and optimize production processes and make their equipment and products intelligent. To protect customers' networks and data, JIKE commits to putting security first in all of its software and hardware products and cloud services. To meet this goal, JIKE deploys protective measures and audit capabilities at every layer of its products and cloud services, and strictly reviews the information security capabilities of any third-party cloud service it selects.
Compliance Principles
JIKE follows the Cybersecurity Law of the People's Republic of China and the related laws and regulations on information security and privacy protection, and operates in compliance within mainland China.
Security Responsibilities
Service Provider Responsibilities
JIKE bears full information security responsibility for the software and hardware products and cloud services whose intellectual property it owns, including: hardware and firmware security of the industrial gateway; and data-in-transit security, data-at-rest security and privacy protection for the cloud services and client software. The security of the third-party cloud platforms on which JIKE's cloud services depend is guaranteed by those third-party providers. Customers may choose any third-party cloud provider that JIKE supports; the provider must offer both IoT services and cloud infrastructure.
Customer Responsibilities
Customers bear information security responsibility for the software and hardware they develop and integrate themselves, including the security review of the third-party cloud provider they choose. Customers must follow their own internal information security policies: set user permissions correctly, prevent password leakage, and deactivate inactive users promptly.
Data Security
Data Ownership
Customers own all rights to the data they generate; JIKE's software, hardware and cloud services provide data collection, processing, storage and query on that data. For information security management and system health management, JIKE uses its in-house operations system to monitor customers' security audit logs and system runtime logs. Beyond those logs, JIKE has no right to use any customer-generated data without the customer's knowledge.
Data Storage Regions
The default data storage regions for JIKE cloud services are the Alibaba Cloud Qingdao and Hangzhou regions. Customers may choose a different third-party cloud provider and storage region according to their business needs.
Operation Audit Logs
The JIKE cloud service management console provides an audit log query function. Audit logs are recorded according to the security level of the operation, under these rules: every user login, logout and password-change action is logged; every create, update and delete of a major business object is logged; logging of data views is optional, per the customer's business needs. Audit logs generated by customer operations are retained permanently by default; at the customer's request, JIKE operations staff can delete them. The JIKE operations system automatically detects audit log entries that indicate possible anomalies and alerts JIKE operations staff so they can respond promptly.
Tenant Data Isolation
JIKE cloud services support a shared and a dedicated multi-tenant model. The shared model restricts data access between tenants by tenant ID; the dedicated model gives each tenant a separate data storage space. In the shared model, customers may access their data only through JIKE cloud service clients or APIs. In the dedicated model, customers may control the third-party provider's IoT services and cloud infrastructure themselves and take responsibility for their security, or authorize JIKE operations staff to maintain them. In both models the JIKE cloud service is connected to the JIKE operations system, which monitors security audit logs and system runtime logs for information security management and system health management.
Sensitive Data Encryption
Customer sensitive data is stored encrypted where required. User passwords are always passed through a one-way hash before being stored in the database. For sensitive data that must be decrypted later, the system supports encryption with an asymmetric algorithm before storage in the database or object storage. Customers who need asymmetric encryption of sensitive data may use JIKE's shared key pair, or JIKE can, according to the customer's business needs, provide technical support to integrate the third-party cloud provider's KMS so that the customer uses its own key pair.
Privacy Data Protection
JIKE strictly follows laws and regulations to protect data involving privacy. Customers' personal information and business partner information is stored in separate privacy tables. When entering privacy data, customers may choose whether it is stored encrypted; where encryption is required, JIKE can provide technical support to integrate the third-party provider's KMS so that the customer uses its own key pair. The lifecycle of privacy data is entirely under the customer's control within the JIKE cloud service, and JIKE operations staff are not allowed to access un-anonymized privacy data in the privacy tables without the customer's knowledge. When JIKE cloud services access the privacy tables, they anonymize the privacy data as required by law and by the customer's business needs, and record a data-view audit log.
Data Backup and Deletion
To prevent accidental data loss, JIKE cloud services automatically back up data daily and keep one week of backup files; older backups are purged automatically. Customers can delete the data they generated through the JIKE cloud service client or API. The system distinguishes logical from physical deletion; data that can only be logically deleted because of data dependencies can be physically deleted by JIKE operations staff at the customer's request. Data that has been physically deleted but still exists in backup files is purged when those backups are removed after one week.
Endpoint Security
Web Client Security
JIKE web client code is obfuscated to make it harder for attackers to analyze the code and hunt for vulnerabilities. Only widely used versions of open-source JavaScript libraries are included, and the monthly web client release upgrades those libraries as needed so that security patches are not missed. Customers may integrate a third-party multi-factor authentication service as their business requires. JIKE's default login service issues an unguessable login token whose validity period is controlled by the JIKE cloud service; the web client stores the token in browser local storage and uses it to access the cloud service during the validity period. The web client provides a logout function that clears the information temporarily held in browser local storage and immediately invalidates the login token. All communication between the web client and JIKE cloud services uses HTTPS; communication with third-party map services uses HTTPS; communication with third-party IoT services uses MQTT over TLS. JIKE does not provide an SSL certificate service: by default JIKE cloud services use certificates issued by a third party for JIKE's domains, and customers who need certificates for their own domains must purchase them from a third-party vendor.
Hardware and Firmware Security
The JIKE industrial IoT gateway comes in WiFi and 4G versions, running an RTOS and Linux respectively; the 4G version is recommended for deployments in non-secure locations, to reduce exposure to network intrusion. The firmware is written in C++ and obfuscated to hinder decompilation and reverse engineering; firmware upgrades strictly verify the file signature before the image is applied. JIKE assigns an individual key pair to each gateway; the default is a soft certificate, and customers may opt for an HSM module to hold the private key and certificate. JIKE does not provide a certificate service; the third-party cloud provider's KMS must be integrated. The firmware communicates with JIKE cloud services and the third-party IoT service using mutual certificate authentication over MQTT with TLS. The firmware periodically checks the gateway's activation status, and operations staff can remotely deactivate rogue gateways. When the network is down, data is cached to the gateway's local storage in an encoded (not encrypted) format.
Cloud Service Security
IoT Services
JIKE does not itself provide MQTT access or time-series data storage; JIKE cloud services integrate a third-party cloud provider's IoT service for IoT data ingestion and storage, and the security of that IoT service is the responsibility of the third-party provider. The IoT service JIKE integrates by default is provided by Baidu AI Cloud.
Cloud Infrastructure
All JIKE cloud service servers run Linux and are deployed on a third-party provider's cloud infrastructure, whose security is the provider's responsibility. By default JIKE deploys on Alibaba Cloud, which also provides the security services, including regular vulnerability scanning of the operating system and software, baseline checks, network firewall, web application firewall, DDoS protection and attack analysis.
Operational Risk Management
Internal Security Controls
Security first is the basic principle of JIKE product development. During development the JIKE product team performs threat modeling, security code review, security testing and authorization testing. JIKE operations staff receive regular information security training, monitor the system's security audit logs, and respond promptly to security alerts according to their severity rating.
Business Continuity
JIKE cloud services use a cloud-native architecture to provide elastic scaling and self-healing, and rely on the third-party provider's disaster recovery services for the infrastructure. JIKE operations staff monitor system health in real time through the JIKE operations system to keep availability within the SLA.
JIKE Information Security Whitepaper (English edition)
Security Principles
Security Goals
As an industrial internet solution provider, JIKE offers software and hardware products from edge to cloud. Building on industrial IoT, cloud computing, operations research and knowledge graph technology, JIKE helps industrial customers optimize production management and digitalize industrial products. To safeguard customers' network and data security, JIKE commits to putting security first in every software and hardware product. To achieve this goal, JIKE has deployed security countermeasures at every feasible layer of its software and hardware products, implemented audit trail capabilities, and strictly reviewed the information security capabilities of its third-party cloud service providers.
Compliance Guidelines
JIKE follows the Cybersecurity Law of the People's Republic of China and the related rules on information security and data privacy protection, and guarantees compliant operation within China.
Security Responsibilities
Responsibilities of Vendors
JIKE takes full responsibility for all software and hardware products that carry its own intellectual property, including the hardware and firmware of the industrial gateway, data transmission between cloud services and software clients, data storage encryption, and data privacy protection. The dependent third-party cloud services are the responsibility of the third-party IaaS and PaaS providers. Customers have the right to choose any third-party IaaS and PaaS provider on JIKE's support list.
Responsibilities of Customers
Customers are responsible for their own software and hardware products and for the security review of the third-party IaaS and PaaS providers they choose. Customers shall follow their internal information security guidelines for security management, such as configuring user authorizations, protecting user credentials, and deactivating invalid users promptly.
Data Security
Data Ownership
Customers hold all rights to the data they generate. JIKE provides software and hardware products to collect, process, store and query that data. For information security management and system health monitoring, JIKE uses its operations services to monitor security audit logs and system runtime logs. Apart from those logs, JIKE has no right to use any customer-generated data without notifying and obtaining agreement from the customer.
Data Storage Regions
JIKE's default data storage regions are the Aliyun (Alibaba Cloud) Qingdao and Hangzhou data centers. Customers have the right to choose the data storage region of a third-party IaaS provider.
Operation Audit Log
JIKE provides a cloud management console to query the system operation audit log. All cloud services record operation audit logs according to security level, under these rules: every user login, logout and password change action is recorded; every modification of an important business object is recorded; data read actions can be recorded on the customer's request. Audit logs generated by customers' actions in JIKE cloud services are stored permanently by default; customers can request that JIKE delete their own audit logs. The JIKE Cloud Operation System monitors all audit logs in the backend in real time and notifies the JIKE cloud operation team of abnormal security audit logs so that potential attacks can be handled in time.
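The recording rules and the "abnormal audit log" detection described in this section (and in the same section of the translated edition) are stated in prose only. The following is an added example, not JIKE's code: it encodes the three recording rules as a policy function and runs a small sliding-window detector over constructed audit lines. The event names, the JSON line format, the threshold and the sample log lines are all assumptions made for illustration.

```python
"""Audit-log recording policy and a sliding-window login-burst detector.

Added example (not JIKE code). Event names, log format, thresholds and
the sample lines below are constructed for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Rule 1 and rule 2: always recorded, regardless of tenant configuration.
ALWAYS_AUDITED = {
    "user.login", "user.login_failed", "user.logout", "user.password_change",
    "object.create", "object.update", "object.delete",
}
# Rule 3: data views are recorded only when the tenant opts in.
OPTIONAL_AUDITED = {"object.read"}


def should_audit(event_type: str, record_reads: bool) -> bool:
    """Decide whether an event must be written to the audit log."""
    if event_type in ALWAYS_AUDITED:
        return True
    if event_type in OPTIONAL_AUDITED:
        return record_reads
    return False


def parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z (assumed log timestamp format)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_login_anomalies(lines, threshold=5, window_seconds=60):
    """Flag a source IP with `threshold` failed logins inside a sliding
    window, and escalate the alert if a successful login from that IP
    follows (the classic brute-force-then-success pattern)."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged = {}                  # src_ip -> alert already raised
    alerts = []
    for line in lines:
        ev = json.loads(line)
        ip, ts = ev["src_ip"], parse_ts(ev["ts"])
        if ev["event"] == "user.login_failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                alert = {"src_ip": ip, "user": ev["user"], "failures": len(q),
                         "severity": "medium", "at": ev["ts"]}
                flagged[ip] = alert
                alerts.append(alert)
        elif ev["event"] == "user.login" and ip in flagged:
            flagged[ip]["severity"] = "high"
            flagged[ip]["succeeded_as"] = ev["user"]
    return alerts


# Constructed sample audit lines: a burst from 203.0.113.7 that ends in a
# successful login, and two isolated failures from 198.51.100.9.
SAMPLE_LINES = [
    '{"ts":"2024-05-01T08:00:00Z","event":"user.login_failed","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T08:00:05Z","event":"user.login_failed","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T08:00:12Z","event":"user.login_failed","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T08:00:20Z","event":"user.login_failed","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T08:00:31Z","event":"user.login_failed","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T08:00:40Z","event":"user.login","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T08:03:00Z","event":"user.login_failed","user":"bob","src_ip":"198.51.100.9"}',
    '{"ts":"2024-05-01T08:10:00Z","event":"user.login_failed","user":"bob","src_ip":"198.51.100.9"}',
    '{"ts":"2024-05-01T08:11:00Z","event":"user.login","user":"bob","src_ip":"198.51.100.9"}',
]


if __name__ == "__main__":
    for alert in detect_login_anomalies(SAMPLE_LINES):
        print(alert)
```

The detector keys on source IP rather than user name so that password spraying across many accounts from one address is still caught; a production version would key on both and feed the alert to the operation team's paging path.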
Separation of Tenant Data
JIKE multi-tenant cloud services support a shared model and a dedicated model. The shared model uses the tenant's unique ID to block cross-tenant data access. The dedicated model gives each tenant its own data storage space. In the shared model, customers access their data only through JIKE's software clients and APIs. In the dedicated model, customers can manage the third-party IaaS and PaaS instances and their security themselves, or authorize JIKE to maintain the instances. In both models, JIKE cloud services are connected to the JIKE Cloud Operation System, which monitors security audit logs and system runtime logs for information security management and system health management.
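"Restrict cross-tenant data access by tenant ID" is the whole of the shared model's isolation, so the check a practitioner wants to see is where the tenant ID comes from and whether every query carries it. The following added example (not JIKE's code; it illustrates this section and the matching section of the translated edition) puts a lookup that filters on the client-supplied object ID only beside one that also binds the tenant ID from the authenticated session. The schema, tenant names and device rows are constructed for the example.

```python
"""Tenant-scoped data access for a shared multi-tenant store.

Added example (not JIKE code). Schema, tenant IDs and rows are constructed.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the API layer knows after validating a logon token. The tenant_id
    is taken from the server-side session, never from request parameters."""
    user_id: str
    tenant_id: str


def build_db() -> sqlite3.Connection:
    """In-memory table holding devices of two tenants (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "name TEXT NOT NULL, status TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO devices VALUES (?, ?, ?, ?)",
        [
            (101, "tenant-A", "gateway-a1", "active"),
            (102, "tenant-A", "gateway-a2", "active"),
            (201, "tenant-B", "gateway-b1", "active"),
        ],
    )
    db.commit()
    return db


def get_device_unscoped(db, device_id: int):
    """Broken: the only predicate is the client-supplied id, so a user of
    tenant A reads tenant B's row by guessing 201 (insecure direct object
    reference)."""
    return db.execute(
        "SELECT id, tenant_id, name, status FROM devices WHERE id = ?",
        (device_id,),
    ).fetchone()


def get_device(db, session: Session, device_id: int):
    """Hardened: the session's tenant_id is a mandatory predicate. A foreign
    id finds nothing, which the API reports as 'not found' rather than
    'forbidden' so the response does not confirm that the id exists."""
    return db.execute(
        "SELECT id, tenant_id, name, status FROM devices "
        "WHERE id = ? AND tenant_id = ?",
        (device_id, session.tenant_id),
    ).fetchone()


def deactivate_device(db, session: Session, device_id: int) -> bool:
    """Mutations carry the same predicate; rowcount says whether the row was
    ours. Returns True only when one row of this tenant changed."""
    cur = db.execute(
        "UPDATE devices SET status = 'deactivated' WHERE id = ? AND tenant_id = ?",
        (device_id, session.tenant_id),
    )
    db.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = build_db()
    alice = Session(user_id="alice", tenant_id="tenant-A")
    print("unscoped lookup leaks:", get_device_unscoped(db, 201))
    print("scoped lookup:", get_device(db, alice, 201))
    print("cross-tenant update applied:", deactivate_device(db, alice, 201))
```

The same discipline applies to list endpoints, joins and bulk exports: the tenant predicate belongs in a data-access layer that every query passes through, not in each handler, so that a forgotten `WHERE` clause cannot silently widen the result set.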
Sensitive Data Encryption
Sensitive data can be encrypted at the customer's request. Credentials are always passed through a one-way hash function before being stored in the database. For sensitive data that must later be decrypted, JIKE cloud services encrypt it with an asymmetric algorithm before storing it in databases or object storage. By default, customers use JIKE's key pair; customers who want their own keys can get technical support from JIKE to integrate a KMS offered by a third-party cloud provider.
Privacy Data Protection
JIKE strictly follows the law to protect privacy data. Personal information and business partner data are stored in standalone tables. Customers can choose to encrypt privacy data, and JIKE provides technical support to integrate a KMS offered by a third-party cloud provider. Lifecycle management of privacy data is entirely under the customer's control in all JIKE cloud services. Without the customer's acknowledgement, no one at JIKE may access privacy data that has not been desensitized. When processing privacy data in the backend on the customer's request, JIKE cloud services record audit logs.
Data Backup and Deletion
To avoid accidental data loss, JIKE cloud services back up data daily and keep the backup files for one week; older backup files are deleted automatically. Customers can delete their own data at any time through JIKE software clients and APIs. Because of data dependencies, and to avoid mistaken deletion, JIKE cloud services perform logical deletion by default; customers can request physical deletion from JIKE. Physically deleted data remains in backup files for up to one week and is purged when those backups are deleted automatically.
Client Security
Web Client Security
The code of JIKE web clients is obfuscated with code obfuscation tools to hinder code analysis by attackers. Only widely used open-source JavaScript libraries are included in JIKE web clients, and each monthly release upgrades them to a stable version so that security patches are not missed. JIKE provides technical support to integrate third-party multi-factor authentication services. By default, the JIKE user authentication service generates an unguessable logon token and controls its expiration. JIKE web clients store the logon token in the browser's local storage to authorize requests during the token's validity period. When the user logs out, the logon token is invalidated immediately and cleared from local storage. Communication between JIKE web clients and cloud services uses HTTPS or MQTT over TLS. JIKE does not issue SSL certificates; by default JIKE cloud services use SSL certificates issued for JIKE's domains by third-party vendors. Customers who need their own certificates must purchase them from a third-party vendor; JIKE provides technical support to deploy customer certificates and configure customer-owned domains.
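Three properties of the logon token are asserted above: it is unguessable, its expiry is decided by the server, and logout invalidates it immediately rather than merely deleting the client's copy. The following added example (not JIKE's code; it illustrates this section and the same section of the translated edition) shows a server-side token store with exactly those properties. The time-to-live, the in-memory layout and the injectable clock are assumptions for the example.

```python
"""Server-side logon token lifecycle: CSPRNG issuance, server-controlled
expiry, and immediate revocation on logout.

Added example (not JIKE code). TTL, storage layout and the injectable
clock are assumptions.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class SessionRecord:
    user_id: str
    expires_at: float


class TokenStore:
    """Holds only SHA-256(token), so a leaked session table cannot be
    replayed as live sessions. The clock is injectable so expiry can be
    exercised deterministically."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions: dict[str, SessionRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str) -> str:
        # 256 bits from the OS CSPRNG: not guessable and not derived from
        # user data or time, which is what "unguessable" has to mean.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = SessionRecord(
            user_id=user_id, expires_at=self.clock() + self.ttl
        )
        return token

    def authenticate(self, token: str):
        """Return the user id for a live token, or None. Expiry is enforced
        here, on the server, whatever the client still holds."""
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if self.clock() >= rec.expires_at:
            del self._sessions[key]      # do not let expired entries linger
            return None
        return rec.user_id

    def logout(self, token: str) -> bool:
        """Server-side invalidation; the web client clears local storage in
        parallel. True if a live session was actually revoked."""
        return self._sessions.pop(self._key(token), None) is not None


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=60)
    tok = store.issue("alice")
    print("issued", tok[:8] + "...", "->", store.authenticate(tok))
    print("logout revoked:", store.logout(tok), "still valid:", store.authenticate(tok))
```

One caveat a practitioner would add to this section: browser local storage is readable by any script running on the page, so the server-side TTL and the revoke-on-logout path shown here are what bound the damage from a token stolen through script injection; keep the TTL short and consider also rotating the token on privilege changes.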
Hardware and Firmware Security
The JIKE industrial gateway supports WiFi and 4G networks, with an embedded RTOS or an embedded Linux OS. JIKE recommends the 4G network in unsafe locations to reduce exposure to network intrusion. The firmware is written in C++ and obfuscated to hinder reverse engineering. The firmware verifies the signature of an upgrade image before applying it. JIKE assigns a key pair to each industrial gateway and by default stores the keys in the embedded OS file system; customers can choose an HSM chip in the gateway to hold the private key. JIKE provides technical support to integrate third-party KMS cloud services to provision keys into the gateway. Communication between the firmware and IoT cloud services uses MQTT over TLS with mutual (two-way) certificate authentication. The firmware checks its activation status regularly, and the JIKE cloud operation team can deactivate rogue gateways remotely. When the network is unavailable, the firmware caches data locally up to its memory limit; cached data is stored in an encoded (not encrypted) format.
Cloud Security
PaaS
JIKE products integrate with third-party IoT connectivity services and time series databases. Customers can choose their preferred third-party PaaS vendors and perform security reviews with them.
IaaS
JIKE cloud services are deployed on Linux servers offered by third-party IaaS vendors; customers can choose their preferred IaaS vendor and perform security reviews with them. The JIKE system operation team performs regular security scans of the servers and applies patches regularly. The security services include OS security scanning, library security scanning, baseline scanning, network firewall, web application firewall, DDoS protection and attack analysis.
Operation Risk Management
Security Governance
Security first is the principle of JIKE product development. During development, the JIKE product team performs threat modelling, security code review, security testing and authorization testing for each monthly release. The JIKE cloud operation team takes information security training, monitors security audit logs and handles security incidents promptly.
Business Continuity
JIKE cloud services adopt a cloud-native architecture to ensure scalability and resilience. Disaster recovery for JIKE servers is guaranteed by the third-party IaaS vendors. The JIKE cloud operation team monitors system health logs and handles system stability incidents promptly to meet the SLA.