We are an IoT platform serving manufacturing customers. Initially focused on SMB customers, we are becoming more attractive to bigger enterprise-like customers. These bigger companies have more strict IT/security teams and policies. Their concerns are mostly the same: security.
Even though we have used all the documentation we have found on the topic in Particle. Is there any deeper documentation availaible to give peace of mind to these customers? It seems that the current documentation on the topic (the one we’ve found) is not enough for them:
How do the particle.publish work? or how can they track a data package going out of their network. Explaining a customer that we can just put a line of code “particle.publish…” in our firmware app and the event data gets to the particle cloud without us worrying about lower level code (e.g setting up servers or IP addresses) seem problematic for them.
Some of them ask us about DNS addresses of the particle cloud
They ask us about perimetral security measures.
We’re not experts on security. So, a bit of extra more detailed documentation would help miles.
And then for any follow-ups you have, please feel free to reach out to my team at security@particle.io. We have some documents/audit reports etc, that can only be shared under NDA, and this is the right place to start that process.
There is also source code which can be dug into for publish and receive events.
Some security standards you will not be able to meet with particle cloud, for example, PCI, because you can not force 2 factor authentication on the accounts and the online build ide would be an absolute auditors nightmare.
Could you have instead another cloud in between your customers and the Particle cloud that implements that? Your customers could be managed by, let's say, Google Firebase Authentication and there you can force MFA:
The problem isn’t the customers, it’s the development side. Separation of duties, I can not push code I’ve written to production without someone else’s review - in the particle world, anyone with an account login could push code without a review. Development environments need to be secure, i.e. rotating passwords, 2 factor, etc. Particle would fail a PCI audit for sure (been there, done them).
Now, I would trust that the data in their system is secure, or well enough secure, but that’s not what most audits and security reviews are about. In fact, I just wrote in a kill switch to a system with one of our partners, so we can turn them off at a moment’s notice - just because they don’t do patching on a schedule we approve of.
When we start talking about hard core security - trust me, it’s really complex, really quick.
Workbench is how it's coded. Development under PCI certification anymore requires a pipeline, typically in github/gitlab/bitbucket/etc. and separation of duties, who approves the production release, must understand the code going out, but not have written any of the most recent release - which often isn't possible in small shop type setups.
I'm not saying this is what your client is looking for, only that it's a typical part of security - and anyone doing a security investigation should be looking for these simple things.
