Security recommendations

One of the goals for Niagara Cloud development is for the station to execute the commands received from the cloud (cloud application and/or cloud platform). This functionality opens multiple opportunities for developers to control and manage the station remotely from a cloud application, but it also creates challenges (station security, stability, etc.). This is especially important for the stations used as on-premise building command-and-control devices.

This chapter describes the chosen approach and steps required for stations to implement cloud commands.

One important point is that to secure the delivery and execution of cloud commends, actions are required on three system layers: in the cloud application, on the cloud platform, and in the NiagaraStation.

Figure 3.   Message flow between on-premise device and cloud platform

Cloud applications provide the UI and serve various customer needs using cloud platform services.

Cloud applications send the commands on behalf of the user and receive a response from the station through the cloud platform. This means that cloud applications are in charge of user authentication and authorization (with or without cloud platform assistance). All other layers (cloud platform and station) improve the security but rely on the user information provided by the cloud application.

The cloud platform provides station registration (for Sentience 1.0 a System Guid is assigned for any registered station), cloud application authentication & authorization, and secure messages delivery to and from station.