Gooee’s IoT Platform is architected to provide enterprise-grade security.
TÜV IoT Data Privacy Certification
The “IoT Protected Privacy Service” certification was developed by TÜV Rheinland in 2017 in response to the growing IoT market and is based on the actual, applicable European data protection laws and regulations. Gooee began the process in February 2018. It has become the first platform to achieve the certification after several months of auditing and infrastructure analysis.
The certification covers a wide area of topics to ensure all aspects of a system are protected, including data encryption and cryptography standards, secure data handling, infrastructure access, and management. Gooee is also working to achieve the equivalent TÜV Rheinland product-centric certificate known as the “IoT Protected Privacy Product” for its various hardware components.
Users, devices & applications must be identified & authenticated when communicating with the Gooee Platform.
Hardware devices need to make sure that the servers they talk to are legitimate Gooee servers. This is guaranteed by a Public Key Infrastructure (PKI) and based on Transport Layer Security (TLS) certificates.
The root certificates (public keys) of the Gooee Platform are bundled into our embedded Software Development Kits (SDKs). Similarly, the Gooee Portal has the root certificates in its trust store.
Gooee provides secure API keys for anyone or anything accessing the platform. These are secret, unique tokens (a long string of characters) generated by cryptographically strong random number algorithms for each device, application or user, and are used to authenticate each request sent.
We provide trusted application keys, user keys, device keys & operator keys to control access, which can be reset or revoked at any time if a token has been compromised.
Gooee uses a secure authentication API; it requires strong passwords, implements lockout mechanisms and offers Two-Factor Authentication with Time-based One-Time Passwords.
This greatly reduces the risk of an intrusion and presents a fundamental blocker to (distributed) brute-force attacks as well as cross-site scripting and SQL injections.
State-of-the-art encryption ensures that only authorized parties can access and decode data.
All passwords are encrypted using a multi-faceted strong encryption mechanism, which protects against rainbow table and brute-force search attacks.
Encryption of Data
All data sent to and from the platform is transmitted via TLS, ensuring end-to-end encryption from the server to the device, application, or browser. We implement TLS/DTLS across all the protocols supported, both on the device and cloud-side.
Gooee also has a complex crypto-secure random number generator with high entropy to generate API keys and Device IDs, the unique digital identifiers which are used to represent individual physical products on the platform.
Access Control & Authorization
All users, applications and devices have granular permissions defining what access they are entitled to.
Anything communicating with the platform can only access, manage or share data it’s granted access to. Users can control which other users can manage their devices; for example, allowing a neighbor to be able to silence a burglar alarm, but not to deactivate it.
Alternatively, manufacturers may want to make energy consumption data from a smart plug available to an analytics application, but restrict access to any personal data about the user.
Gooee’s fine-grained control allows data access to be defined down to an individual ‘property’ (dynamic field) such as ‘current temperature’ of an individual device. This is extremely powerful in supporting as-yet undefined future use cases where devices, users and systems all interact and share controlled data within the wider IoT platform.
Customer data is stored securely in the Gooee Building Operation System.
All user data is stored exclusively in the cloud and subject to state-of-the-art encryption at rest mechanisms. Gooee uses a cluster of different NoSQL databases ensuring data redundancy in case of any loss.
Each newly created disk volume is encrypted and protected by a key management infrastructure, which implements strong logical and physical security controls to prevent unauthorized access.
Access to the Gooee platform infrastructure is controlled and protected.
Gooee’s cloud platform is hosted by Amazon Web Services (AWS).
AWS is a highly flexible and secure cloud computing environment, built and managed according to security best practices and standards, with certifications including ISO 27001, SOC 1/2/3 and PCI DSS Level 1.
Machine isolation & VPC
Gooee’s infrastructure is deployed across several Virtual Private Clouds (VPCs). Access to the application and database servers is only granted to machines within the private local network, thereby minimizing the number of Internet entry points to the infrastructure.
The only entry point for Gooee customers is through the Amazon-managed load balancers (ELBs): highly secure, ephemeral machines accepting traffic only on the HTTPS, WebSockets & MQTT ports.
Gooee uses intrusion detection and mitigation techniques to protect against DDoS and other unauthorized attacks, utilizing a range of Amazon-provided cloud security features.
Under our enterprise-level SLA we monitor and support the platform 24×7. Unusual and suspicious activities are logged, with mitigation measures carried out in real time.