WEGnology Security Overview
The WEGnology IoT application enablement platform keeps our customers' solutions protected by using the highest level of security. WEGnology uses industry-standard encryption mechanisms to fully encrypt all data in transit and at rest. This article provides a detailed overview of how WEGnology provides a secure environment for its users and applications.
WEGnology is proudly SOC 2 Compliant and undergoes recertification and auditing annually.
SOC compliance is based on a set of criteria developed by the American Institute of CPAs (AICPA) that defines how customer data is managed. There are five principles (the AICPA Trust Services Criteria):
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
SOC 2 compliance, specifically, is a certification given by a third-party auditor who assesses a system's operational effectiveness against those five principles.
All communication between devices and WEGnology is fully encrypted using Transport Layer Security (TLS). TLS is an industry-standard encryption protocol and is most commonly used by browsers to encrypt HTTPS traffic. TLS is widely adopted and available on most devices, languages, and operating systems.
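Encryption alone is only half of what TLS provides; a device also has to verify that the server it is talking to is the platform and not an impersonator. The following is an added example, not WEGnology code, showing the client-side TLS settings a device should use (system CA store, mandatory certificate and hostname verification, TLS 1.2 as the floor) next to the misconfiguration that most often shows up in device samples, plus a self-check a firmware build can run against its own configuration. Function names are assumptions for illustration; the resulting context is handed to whatever MQTT or HTTP client library the device uses.

```python
import ssl


def make_device_tls_context() -> ssl.SSLContext:
    """Client-side TLS settings a device should use when talking to the platform.

    The system CA store is used, the server certificate is mandatory and must
    match the hostname, and anything older than TLS 1.2 is refused.
    """
    ctx = ssl.create_default_context()           # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 / 1.1 explicitly
    return ctx


def weak_context_for_comparison() -> ssl.SSLContext:
    """The misconfiguration seen in many device samples: encryption without
    authentication. Traffic is encrypted, but any server can pose as the platform."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check a firmware build can run on its own TLS configuration."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    print("device context hardened:", context_is_hardened(make_device_tls_context()))
    print("weak context hardened:  ", context_is_hardened(weak_context_for_comparison()))
```

The check is deliberately strict about all three properties at once: a context that verifies the certificate but skips the hostname match, or that accepts TLS 1.0, still fails it.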
API Security Tokens
API access is controlled by the industry-standard JSON Web Token (JWT) authentication mechanism. Users create remote API access tokens through the account dashboard. The types of resources available to the token can be individually controlled depending on the needs of the specific API client. For example, an application that only needs to view data can generate a token that grants access to data only. Such a token is not able to view, edit, or manage any information about workflows or devices. API access tokens can be revoked at any time.
WEGnology does not store the tokens once they are generated; it is up to the user to securely save this information. You cannot recover a token if it is lost. The scope of each token is securely encrypted directly into the token, which is decrypted by WEGnology server-side. This allows WEGnology to use the token to grant access to resources without having to store any information about the token directly. The benefit of this approach is that access tokens can never be obtained from any data stored on WEGnology's servers.
Application Secrets and Keys
Devices that communicate using MQTT use application secrets and keys. These are implemented in the same way as API Security Tokens, but automatically scope access to the specific application. The key and secret are used as MQTT’s username and password fields respectively.
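The two sections above describe the same idea twice: a self-contained token that carries its own scope, so the server can authorize a request by checking the token rather than looking it up, and an MQTT key/secret pair that is the same kind of token narrowed to one application. The following added example (not WEGnology's implementation) demonstrates that pattern with a compact HS256 JWT built from the Python standard library. It deliberately signs the scope claim rather than encrypting it, which is enough to show the stateless check; the page says WEGnology encrypts the scope, which this example does not reproduce. Revocation is modelled as a deny-list of token ids, the signing key, scope names and function names are constructed for illustration, and none of it is drawn from the platform.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample key for the demo below; a real service keeps its signing
# key server-side only. Note that it never needs to store the issued tokens.
DEMO_SIGNING_KEY = b"constructed-demo-signing-key-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as the JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(signing_key: bytes, subject: str, scopes, ttl_seconds: int = 3600, now=None) -> str:
    """Mint an HS256 JWT whose claims carry the granted scopes.

    Everything needed to authorize a later request is inside the token itself,
    protected by the HMAC signature, so the server keeps no copy of it.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "scope": sorted(scopes),      # e.g. ["data:read"] for a data-only client
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": secrets.token_hex(8),  # unique id so this token can be revoked by id
    }
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    signature = hmac.new(signing_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_token(signing_key: bytes, token: str, now=None, revoked_ids=frozenset()):
    """Return the claims if the token is authentic, unexpired and not revoked, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None                           # refuse "none" and any other algorithm
        expected = hmac.new(signing_key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None                           # forged or tampered token
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    if isinstance(payload.get("jti"), str) and payload["jti"] in revoked_ids:
        return None
    return payload


def authorize(signing_key: bytes, token: str, required_scope: str, now=None, revoked_ids=frozenset()) -> bool:
    """Scope check for an HTTP API call: the token must carry the required scope."""
    claims = verify_token(signing_key, token, now, revoked_ids)
    return claims is not None and required_scope in claims.get("scope", [])


def issue_application_credentials(signing_key: bytes, application_id: str, now=None):
    """Device credentials: the key becomes the MQTT username, the secret the MQTT
    password. The secret is a token whose only scope is this application (assumed layout)."""
    key = f"app-{secrets.token_hex(6)}"
    secret = issue_token(signing_key, key, {f"application:{application_id}"},
                         ttl_seconds=10 * 365 * 86400, now=now)
    return key, secret


def mqtt_connect_allowed(signing_key: bytes, username: str, password: str, application_id: str, now=None) -> bool:
    """Broker-side check for an MQTT CONNECT: the password must be a valid secret
    bound to this username and scoped to the application being connected to."""
    claims = verify_token(signing_key, password, now)
    return (claims is not None and claims.get("sub") == username
            and f"application:{application_id}" in claims.get("scope", []))


if __name__ == "__main__":
    t = issue_token(DEMO_SIGNING_KEY, "user-42", {"data:read"})
    print("data:read allowed:      ", authorize(DEMO_SIGNING_KEY, t, "data:read"))
    print("workflows:write allowed:", authorize(DEMO_SIGNING_KEY, t, "workflows:write"))
    key, secret = issue_application_credentials(DEMO_SIGNING_KEY, "app-123")
    print("MQTT connect allowed:   ", mqtt_connect_allowed(DEMO_SIGNING_KEY, key, secret, "app-123"))
```

The verifier checks the algorithm field before anything else and compares signatures with a constant-time function; swapping the payload of one valid token into another, presenting a token signed under a different key, or reusing a token past its expiry all fail the same check, and the only server-side state involved is the signing key and the list of revoked ids.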
WEGnology uses Amazon Web Services (AWS) as its underlying infrastructure provider. The AWS Compliance Program helps customers understand the robust controls in place at AWS to maintain security and compliance in the cloud. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS Compliance Enablers build on traditional programs, helping customers establish and operate in an AWS security control environment.
The IT standards we comply with are grouped into Certifications and Attestations; Laws, Regulations and Privacy; and Alignments and Frameworks. Compliance certifications and attestations are assessed by an independent third-party auditor and result in a certification, audit report, or attestation of compliance. AWS customers remain responsible for complying with applicable laws, regulations and privacy programs. Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function.
WEGnology has implemented a Two-Factor Authentication (2FA) scheme based on the Internet Engineering Task Force standard RFC 6238. The same time-based one-time password (TOTP) algorithm used by Google and Amazon also protects a WEGnology user's account against unauthorized access even if their password has been compromised.
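RFC 6238 is short enough to implement in a few lines, and doing so makes clear why a stolen password alone is not enough: the code changes every 30 seconds and is derived from a secret that never leaves the device and the server. The following is an added example, not WEGnology code, implementing HOTP (RFC 4226) and TOTP (RFC 6238) on top of it, together with a server-side verifier that tolerates one step of clock skew and refuses to accept the same code twice. The seed constant is the one RFC 6238 Appendix B uses for its SHA-1 test vectors, included only so the output can be checked offline; the verifier class, its skew window and replay rule are conventional choices assumed here, not taken from the page.

```python
import hashlib
import hmac
import struct
import time

# Seed from RFC 6238 Appendix B (ASCII "12345678901234567890"), used by its
# SHA-1 test vectors. A real enrollment generates a random per-user secret.
RFC6238_SHA1_SEED = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, digest=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current time window."""
    return hotp(key, (unix_time - t0) // step, digits, digest)


class TotpVerifier:
    """Server-side check with a small clock-skew window and replay protection.

    Accepting +/- `window` steps tolerates drift between device and server clocks;
    remembering the last accepted counter stops a captured code from being
    replayed within its 30-second validity (assumed policy, not from the page).
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1,
                 digest=hashlib.sha1):
        self.key, self.step, self.digits, self.window, self.digest = key, step, digits, window, digest
        self.last_counter = -1          # highest counter value accepted so far

    def verify(self, code: str, unix_time=None) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        unix_time = int(time.time()) if unix_time is None else unix_time
        counter = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue                # already used, or older than the last accepted code
            expected = hotp(self.key, candidate, self.digits, self.digest)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit code:", totp(RFC6238_SHA1_SEED, now))
    print("RFC 6238 vector (T=59, 8 digits):", totp(RFC6238_SHA1_SEED, 59, digits=8))
```

Comparing codes with a constant-time function matters even for six-digit values, and the "already used" branch is the part most home-grown verifiers omit: without it, a code captured over the shoulder is valid for the remainder of its window and the skew window on either side.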