Verasys Enterprise
Johnson Controls, Milwaukee WI, USA
www.verasyscontrols.com
LIT-12013026, March 2018
Contents

Introduction
Microsoft Azure security and privacy
    Security
    Privacy
    Compliance
Data Platform authentication
IMS authorization and API access
Verasys Enterprise logging and monitoring
    Application logging
    Server monitoring
Introduction

This document is intended for building automation system (BAS) and IT professionals. Engage appropriate network security professionals to ensure that the computer that hosts the Site Director is a secure host for Internet access. Network security is an important issue. Typically, your IT organization must approve configurations that expose networks to the Internet. Be sure to read and understand the IT Compliance documentation for your site.

Verasys Enterprise automatically inherits your Verasys infrastructure from Smart Building Hubs (SBHs). You can use Verasys Enterprise to monitor and control multiple Smart Building Hubs across your portfolio.

Figure 1: Verasys architecture diagram
Figure 2: Verasys Enterprise architecture diagram

Verasys Enterprise interacts with the Identity Management Service (IMS) over HTTPS. After successful authentication, Verasys Enterprise receives a token from the IMS and interacts with the Data Platform REST APIs over HTTPS. The SBH communicates with Verasys Enterprise in OData JSON, and the user communicates with Verasys Enterprise over HTTPS.

The Microsoft Azure cloud storage platform consists of the following components:

IoT Hub
Verasys Enterprise collects data with Azure IoT Hub and stores data in the Azure Document DB. IoT Hub includes the following functionality:
- Provides reliable device-to-cloud and cloud-to-device messaging at scale.
- Enables secure communications with per-device security credentials and access control.
- Provides extensive monitoring for device connectivity and device identity management events.
- Includes device libraries for the most popular languages and platforms.

Web Jobs
Web Jobs runs programs or scripts in the App Service web app continuously, on demand, or on a schedule.

Event Hub
Event Hub is an event processing service that provides event and telemetry ingress to the cloud at massive scale, with low latency and high reliability.

Document DB
Document DB is a NoSQL document database service that supports JSON directly inside the database engine.

Data Platform APIs
The Verasys SBH interacts with Verasys Enterprise through the Platform APIs. The Data Platform is a collection of services that collect and serve building objects and time series data. The Data Platform serves multiple applications.

Figure 3: Data Platform API architecture
Microsoft Azure security and privacy

Microsoft makes security and privacy a priority at every step, from code development up to incident response. Security and privacy are built into the Azure platform. The Security Development Lifecycle (SDL) addresses security at every development phase, from initial planning to launch. Microsoft updates Azure continually to make it even more secure. Operational Security Assurance (OSA) is an additional framework that ensures secure operations throughout the lifecycle of the cloud-based service. Azure is the only public cloud platform to offer continuous security-health monitoring. For more information about Microsoft Azure security and privacy, read this document and see the Microsoft Azure Onboarding Guide.

Security

Microsoft employs rigorous security and technology practices to ensure that Azure is resilient to attack, safeguards user access to the Azure environment, and keeps customer data secure.

- Encrypting communications and operation processes: For data in transit, Azure uses industry-standard transport protocols between user devices and Microsoft datacenters, and within datacenters themselves. For data at rest, Azure offers a wide range of encryption capabilities up to AES-256.
- Securing networks: Azure has the infrastructure necessary to securely connect virtual machines to one another and to connect on-premises datacenters with Azure VMs. Azure blocks unauthorized traffic to and within Microsoft datacenters with a variety of technologies. Azure Virtual Network extends your on-premises network to the cloud with site-to-site VPN.
- Managing threats: To protect against online threats, Azure uses Microsoft Anti-Malware for cloud services and virtual machines. Microsoft also employs intrusion detection, distributed denial-of-service (DDoS) attack prevention, regular penetration testing, and data analytics and machine learning tools to mitigate threats to the Azure platform.
Privacy

Microsoft adheres to the world's first code of practice for cloud privacy, ISO/IEC 27018. With Azure, customers own customer data: that is, all data, including text, sound, video or image files and software, that customers supply to Microsoft with Azure. Customers can access their data at any time and for any reason without assistance from Microsoft. Microsoft does not use customer data or derive information from it for advertising or data mining.

Compliance

Azure conforms to a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2, as well as country-specific standards like Australia IRAP, UK G-Cloud and Singapore MTCS. Rigorous third-party audits, such as by the British Standards Institute, verify Azure's adherence to the strict security controls that these standards mandate. As part of Microsoft's commitment to transparency, you can request audit results from these third parties to verify successful implementation of security controls.
Data Platform authentication

All authentication to the Data Platform occurs with the Identity Management Service (IMS) API. The IMS API uses IdentityServer3. Use the following list to understand typical interactions:

- Browsers communicate with web applications.
- Web applications communicate with web APIs autonomously or on behalf of a user.
- Browser-based applications communicate with web APIs.
- Native applications communicate with web APIs.
- Server-based applications communicate with web APIs.
- Web APIs communicate with web APIs autonomously or on behalf of a user.

The IMS handles all fundamental security functions.

IMS authorization and API access

Verasys Enterprise uses OAuth2 to authorize user access. OAuth2 is a protocol that applications can use to request access tokens from a security token service and then use those tokens to communicate with APIs. This practice reduces complexity in both the client application and the API, because authentication and authorization are centralized. The OAuth2 specification defines several authorization grants that can be used to coordinate authentication of a user and grant access to resources that the user owns.
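To make the token flow described in the two sections above concrete, the following is an added example (not Verasys Enterprise or IMS code) that simulates both sides of an OAuth2-style exchange: a security token service that authenticates a client and issues a signed, short-lived access token, and a resource API that checks the token's signature, audience, expiry and scope before serving a request. The client id, secret, scope, audience and signing key are constructed placeholders, and a shared HMAC key stands in for the asymmetric signing key a real token service such as IdentityServer3 would use.

```python
import base64, hashlib, hmac, json, time

# Constructed example of an OAuth2-style bearer-token exchange, not Verasys or IMS code.
# The key, client id, secret, scope and audience below are hypothetical placeholders.
# A shared HMAC key stands in for the asymmetric signing key a real token service uses.
STS_SIGNING_KEY = b"example-sts-signing-key"
API_AUDIENCE = "data-platform-api"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sts_issue_token(client_id, client_secret, registered_clients, scope, now=None, ttl=3600):
    """Token service side: authenticate the client, then issue a signed, short-lived token."""
    if registered_clients.get(client_id) != client_secret:
        return None  # authentication failed: no token is issued
    now = int(time.time()) if now is None else now
    claims = {"sub": client_id, "aud": API_AUDIENCE, "scope": scope,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(STS_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def api_validate_token(token, required_scope, now=None):
    """Resource API side: check signature, audience, expiry and scope before serving data.
    Returns (True, subject) on success or (False, reason) on rejection."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = hmac.new(STS_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"  # verified before any claim is trusted
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != API_AUDIENCE:
        return False, "wrong audience"  # token was issued for a different API
    if now >= claims.get("exp", 0):
        return False, "expired"
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"
    return True, claims["sub"]

if __name__ == "__main__":
    clients = {"sbh-client": "sbh-secret"}  # constructed client registry
    token = sts_issue_token("sbh-client", "sbh-secret", clients, "read:points")
    print(api_validate_token(token, "read:points"))        # (True, 'sbh-client')
    print(api_validate_token("x" + token, "read:points"))  # (False, 'bad signature')
```

The API never sees the client secret: it trusts only what the token service signed, which is the centralization the section above describes.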
Verasys Enterprise logging and monitoring

Verasys Enterprise creates log files to record issues that may occur. Johnson Controls staff monitor these log files and the Verasys Enterprise servers.

Application logging

Application log information is available within the application user interface for administrators to monitor critical activity. Verasys Enterprise conducts additional application logging of the user interface for troubleshooting purposes. The Johnson Controls Data Center Operations team monitors the logs for critical events.

Server monitoring

The Johnson Controls Development Operations team uses IT Brain to monitor server availability and performance. Verasys Enterprise sends an automated alert to the team if there is any issue on the server.