Device Security Overview
This document provides an overview of the data security of Terso’s solutions. While this document aims to proactively answer security related questions, any additional comments or questions are welcomed. Please contact Terso Technical Support by dialing +1.888.376.0257 in the U.S. or +49.6227.6906.800 in Europe. Support can also be contacted by visiting https://www.tersosolutions.com/support.
Management Commitment to Security
Terso is committed to preserving the security of the data that our customers entrust to us. Our solutions are engineered with security as a top priority. We ensure that our employees have the appropriate skills, training, and supervision so that they understand and follow our policies, processes, and procedures.
General Description of Solution
Terso produces a range of cabinets, refrigerators, freezers, and other solutions (collectively referred to as devices) that track valuable inventory using RFID tags attached to each item. The devices communicate with Jetstream®, Terso’s cloud-based data platform, over the internet using secure communication protocols. Customer data systems, such as Hospital Information Systems (HIS), Enterprise Resource Planning (ERP) systems, and a wide array of other systems, can then be configured to query Jetstream for information provided by the connected devices. The following sections provide additional details.
The Terso devices run a custom embedded Linux distribution that has been hardened by removing or disabling all listening services except for the dynamic host configuration protocol (DHCP) client. Access to the device's operating system is only achieved by removing the protective cover from the device and then connecting to an on-board serial based console port. The firmware running on the devices allows for limited, local configuration by connecting to the external USB port. Secure socket shell (SSH) is disabled by default. Additionally, the firmware monitors for SSH and will disable the service if it is somehow found to be running.
Since the devices are installed on a customer’s premises, the customer is responsible for the physical security of the device as well as its contents. Customers may implement network security controls as necessary to meet organizational security requirements without adversely affecting the device communication in most circumstances. An alternative approach is to put the devices on isolated network segments or use a network access control solution.
Terso devices are designed to always initiate the connection to the Jetstream web services; no listening transmission control protocol (TCP) ports are required. This allows the TCP three-way handshake to occur so that port forwarding is not necessary on network hardware. The device transmits various event data to Jetstream. Data may include the RFID tag values, RFID access pass values, and status information such as temperature. The data is sent as XML or JSON messages that are typically 10 kilobytes or less, with a maximum size of 100 kilobytes. Occasionally, maintenance files are downloaded by the device and range from 350 kilobytes to 15 megabytes.
The devices use the following TCP/IP protocols:
- HTTPS (TCP port 443) – The devices send messages to Jetstream via an API call made over HTTPS. This may include the use of WebSockets (https://en.wikipedia.org/wiki/WebSocket) to reduce bandwidth and latency.
- DNS (UDP/TCP Port 53) – Devices will perform domain name lookups to resolve the IP addresses associated to Jetstream.
The Jetstream servers are hosted by Amazon Web Services (https://aws.amazon.com/). AWS provides the security for the servers. Administrative access to the servers is limited to a small team of operators within Terso who are tasked with the maintenance and reliability of these systems. These duties include uptime monitoring, patching, and scanning for vulnerabilities.
Does the hardware work with a proxy server?
Terso devices do not support communication to the internet via active proxy server. Devices do support passive proxy (NAT/PAT).
What DNS servers can be utilized?
Any properly configured Domain Name Server (DNS) on the Internet will be able to resolve or forward queries for Jetstream domain names.
Which public IP addresses does Jetstream use for device communication?
Jetstream uses the following static WAN IP addresses for device communication:
What are WebSockets? How do they work?
A WebSocket is a full-duplex communication protocol used by modern web services that need a persistent, full-duplex communication channel. It is a TCP protocol standardized by the Internet Engineering Task Force (IETF) operating according to the specifications defined in RFC 6455 (https://tools.ietf.org/html/rfc6455).
How do Terso devices use WebSockets?
Terso devices are designed to use the standard implementation of WebSockets. In this scenario, the device makes a request to the server to create a WebSocket connection. The server will send a periodic “keep alive” over the WebSocket connection to keep the connection up. The connection will remain up until either the device or server terminates it. All traffic over the connection is encrypted.
How is the device OS hardened?
Devices use a Linux-based embedded operating system that has minimal libraries and processes running. It does not have any listening TCP/IP ports to minimize potential network attacks.
Is data encrypted at rest and in motion?
Data is encrypted when in transit to protect its integrity. Encryption is accomplished via Transport Layer Security (TLS). The data is encrypted at rest in the Jetstream databases but not on the device itself.
Where is the device data hosted?
Terso utilizes Amazon Web Services (AWS) to host RFID device data. AWS is ISO 27001 certified confirming their commitment to the security, confidentiality, and availability of their servers. More information is available by visiting https://aws.amazon.com/compliance/iso-27001-faqs/. AWS also makes System & Organization Control (SOC) reports available. The SOC reports can be obtained by visiting https://aws.amazon.com/compliance/soc-faqs/.
What triggers a device to call home?
There are various triggers, but all communications with Jetstream originate from the device itself. For example, manual triggers, such as opening and closing the door on a device, would trigger an event. Similarly, events for monitoring temperature or performing an inventory reconciliation are triggered by a configurable schedule.
How is LAN communication established by the device?
The device is designed to initiate all API calls (i.e. “call home”). All inbound traffic is in response to the device’s outbound session. An inbound network communication does not initiate connection.
Does the Terso device use a VPN?
Although the solution is compatible with VPNs, no VPN is necessary because data is transmitted over HTTPS.
How are devices updated in the field?
The device is scheduled to periodically check if there is a pending firmware upgrade. If this occurs, the device will download, validate, and install the new firmware. Firmware updates can also be performed locally by connecting to the USB port on the device itself.
Does the Terso device store or send any personal data?
The data transmitted only contains the RFID values for the tags stored inside the device and the user pass ID values. No personal data is stored or available to the device.
What if the network security policy requires MAC address filtering?
If MAC Address filtering is in place, the network must recognize and permit the device’s NIC to communicate. Contact Terso Technical Support and request the MAC address of the device being installed.
Does Terso have a Business Continuity Plan?
Terso maintains important disaster recovery and business continuity plans that may be activated in the event of significant business disruption. These plans include nightly backups, failover servers in multiple data centers, and other proactive measures. Terso’s plans contain details of a confidential and proprietary nature and thus cannot be distributed to the public.
Please contact us if you have any additional security questions or concerns.