The device authentication and authorization workflow occurs in this way:
- The device connects to the Sentience Identity Service, and conducts an RPK negotiation over TLS to establish device identity
- The identity service signs a short-lived JavaScript Object Notation Web Token (JWT) for the device to use to take to the provisioning
service
- The provisioning service validates the token and returns a longer-lived JWT and Shared Access Signature (SAS) token for the
device to use in communication with subsequent services
Additionally, the Cloud Backup Service ensures encryption of all communications, as well as integrity in transit via TLS 1.2.
The encrypted backups in the cloud require the source station's system passphrase (the one in use at the time the backup was
created) from Niagara 4 in order to restore the backup. Finally, the system ensures storage of sensitive data at rest (via RPK private key) by utilizing
the Java KeyStore (JKS).
Security features summarized
Niagara Cloud Services protects your data via the following methods:
- User authentication provides fine grained permissions for each backup operation: view, create, download, delete
- Device authentication uses raw public key (RPK) key exchange over a one-way TLS transport
- Device authorization utilizes short-lived tokens for service-based authorizations
- Encryption of all communications and integrity in transit with TLS 1.2
- Backups in the cloud are encrypted with the source station's system passphrase
- Storage of sensitive data at rest (RPK private key) utilizes Java KeyStore