Security mechanisms and technologies

Modern systems require a layered approach to security, where each layer performs specific functions and interacts with others to create a comprehensive security system. Let’s look at the key layers, their mechanisms and technologies, and best practices for their implementation.

System security levels

Physical layer

Important

Physical security is the foundation of the entire defense system. It is aimed at preventing unauthorized access to hardware resources and infrastructure.

  • Server rooms and data centers:
    Equipment shall be located in secure data centers with multi-level access control systems: biometric authentication, RFID cards, video surveillance. The premises shall be equipped with fire extinguishing, climate control and protection against voltage fluctuations.
  • Perimeter protection:
    Physical barriers (e.g. mantraps, i.e. double-door airlocks), motion sensors and 24/7 guards are used. For critical facilities, the principle of “defense in depth” applies: several independent layers of protection, with regular audits for weaknesses.
  • Infrastructure redundancy:
    Backup power supplies (UPS, generators), duplication of communication channels and distributed data centers (geographic isolation) are used to minimize risks.

Network Layer

This layer provides security of data transmission, prevention of attacks on network resources and traffic control.

  • Firewalls:
    Modern NGFWs (Next-Generation Firewalls) inspect traffic at the application layer and block suspicious sessions. Example: rules that deny outbound connections to Tor relays, or that block every port the system does not use.
  • Protection against DDoS attacks:
    Cloud-based scrubbing services (e.g. Cloudflare) filter traffic by recognizing anomalous patterns. On-premises measures include rate limiting and blackhole (null) routing of attacked prefixes.
  • Network segmentation:
    Networks are divided into VLANs, DMZs, and isolated subnets. Dedicated cellular APNs (Access Point Names) are used for IoT devices so that their traffic never mixes with corporate or public-Internet traffic.
  • Intrusion Detection and Prevention Systems (IDS/IPS):
    Tools like Snort or Suricata analyze packets in real time, detecting (IDS) or blocking (IPS) attacks based on signatures and behavioral anomalies. Integration with a SIEM (e.g. Splunk) allows for automated response.
  • Traffic encryption:
    Mandatory use of TLS 1.3 (or TLS 1.2 restricted to AEAD cipher suites) with modern ciphers (AES-GCM, ChaCha20-Poly1305). For VPNs, WireGuard or IPsec (IKEv2) are recommended instead of the broken PPTP or unencrypted L2TP.
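The "rate limiting" mentioned under DDoS protection is usually a token bucket per client. The following is an added example (not code from this page or from any named product) of that algorithm; the limits, client addresses and the injectable clock are assumptions made so the behaviour is deterministic:

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class _Bucket:
    tokens: float   # requests currently available to this client
    last: float     # clock reading at the last refill


@dataclass
class RateLimiter:
    """Token bucket per client: sustained `rate` requests/s, bursts of up to `burst`."""
    rate: float
    burst: int
    # The clock is injectable so the example is testable; production uses monotonic time.
    clock: Callable[[], float] = time.monotonic
    _buckets: Dict[str, _Bucket] = field(default_factory=dict, init=False, repr=False)

    def allow(self, client_ip: str) -> bool:
        """True if the request may proceed; False means answer 429 or drop the packet."""
        now = self.clock()
        b = self._buckets.get(client_ip)
        if b is None:
            b = _Bucket(tokens=float(self.burst), last=now)
            self._buckets[client_ip] = b
        # Refill in proportion to elapsed time, capped at the bucket size.
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def count_allowed(limiter: RateLimiter, client_ip: str, requests: int) -> int:
    """How many of `requests` back-to-back requests from one client get through."""
    return sum(1 for _ in range(requests) if limiter.allow(client_ip))


if __name__ == "__main__":
    # Constructed flood: one source (documentation address) sends 50 requests at once.
    rl = RateLimiter(rate=10, burst=5)
    print("allowed:", count_allowed(rl, "203.0.113.5", 50))  # only the burst gets through
```

Keying the bucket by source IP is what an edge device can do on its own; a volumetric attack from many sources still needs the upstream scrubbing service, because the packets have already consumed the link by the time this code runs.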

Operating System Layer

OS security is achieved through strict configuration, timely updates and process isolation.

  • Containerization (Docker, Kubernetes):
    Each service runs in an isolated container with limited rights. For example, a web server runs as a dedicated unprivileged user with no write access to system files.
  • Mandatory Access Control (MAC) modules:
    • SELinux: enforces label-based policies that confine each process to the files, ports and other objects its label is allowed to touch.
    • AppArmor: profiles applications by restricting their access to the file system and capabilities.
  • Auditing and monitoring:
    Tools like auditd or osquery monitor changes to critical files (e.g. /etc/passwd). An ELK stack (Elasticsearch, Logstash, Kibana) or Grafana with Loki is used to analyze the logs.
  • Updates and patches:
    Automation via unattended-upgrades (Debian/Ubuntu) or WSUS (Windows). For critical systems, test updates in a staging environment first.
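The file-change monitoring described above boils down to keeping a baseline of digests and diffing against it. This added example (my code, not auditd's or osquery's) does that with SHA-256; the temporary directory stands in for /etc and the tampering is constructed. It assumes the baseline is stored somewhere the monitored host cannot rewrite, otherwise an attacker who can edit /etc/passwd can edit the baseline too.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Optional, Tuple


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large files never land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, Optional[str]]:
    """Record the known-good digest of each path; None marks 'must not exist'."""
    return {p: (sha256_file(p) if os.path.exists(p) else None) for p in paths}


def check_integrity(baseline: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Compare the live files with the baseline; return (path, event) findings."""
    findings: List[Tuple[str, str]] = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            if expected is not None:
                findings.append((path, "deleted"))
            continue
        if expected is None:
            findings.append((path, "created"))
        elif sha256_file(path) != expected:
            findings.append((path, "modified"))
    return findings


def tamper_demo() -> List[Tuple[str, str]]:
    """Constructed scenario: a temp dir stands in for /etc and is tampered with."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        shadow = os.path.join(d, "shadow")
        rc_local = os.path.join(d, "rc.local")          # absent when the baseline is taken
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(shadow, "w") as f:
            f.write("root:!:19000:0:99999:7:::\n")
        baseline = build_baseline([passwd, shadow, rc_local])
        assert check_integrity(baseline) == []          # clean right after baselining

        # Simulated intrusion: extra uid-0 account, shadow removed, startup script planted.
        with open(passwd, "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.remove(shadow)
        with open(rc_local, "w") as f:
            f.write("#!/bin/sh\n/tmp/.persist &\n")
        return [(os.path.basename(p), event) for p, event in check_integrity(baseline)]


if __name__ == "__main__":
    for name, event in tamper_demo():
        print(f"ALERT {event}: {name}")
```

Real tools also record ownership, mode and extended attributes, since a chmod to setuid is an attack that leaves the content hash unchanged.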

Application Layer

Application security requires a combination of built-in mechanisms and adherence to development standards.

  • Authentication and Authorization:
    • Multi-factor authentication (MFA) via OTP, FIDO2/U2F security keys, or biometrics.
    • OAuth 2.0/OpenID Connect implementation for delegated access.
    • RBAC (role-based access) with least privilege.
  • Web Attack Protection:
    • CSRF: unpredictable per-session tokens, e.g. an HMAC-SHA256 over the session identifier with a server-side secret, verified on every state-changing request.
    • XSS: output encoding of untrusted data, sanitization of rich HTML with libraries like DOMPurify, and a CSP with a restrictive default-src 'self' directive.
    • SQL injection: use of an ORM (Hibernate, SQLAlchemy) or prepared statements; raw queries assembled by string concatenation stay vulnerable even behind an ORM.
  • Secure development (DevSecOps):
    Integrate static (SonarQube) and dynamic (OWASP ZAP) scanners into the CI/CD pipeline. Regular pentests and code reviews.
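To make the SQL injection bullet concrete, here is an added example (not code from this page or from any framework it names) showing the same login check written with string formatting and with a prepared statement, against a constructed in-memory SQLite table. The account, password and the use of plain SHA-256 are assumptions for the demo only.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Plain SHA-256 keeps the example stdlib-only; real systems use a slow,
    # salted password hash (argon2id, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """DO NOT COPY: the username is spliced into the SQL text itself."""
    sql = (f"SELECT 1 FROM users WHERE name = '{name}' "
           f"AND pw_hash = '{_hash(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Prepared statement: the driver sends the values separately from the query."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?",
        (name, _hash(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = setup_db()
    payload = "alice' --"   # the SQL comment removes the password check entirely
    print("vulnerable:", login_vulnerable(conn, payload, "anything"))  # True
    print("safe:      ", login_safe(conn, payload, "anything"))        # False
```

The payload works because `--` turns the rest of the statement into a comment, so `pw_hash` is never compared; with the placeholder version the same string is just a username that does not exist. The same distinction applies inside an ORM: `session.execute(text(f"... {name}"))` is the vulnerable form, bound parameters are the safe one.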

Data storage layer

Ensuring confidentiality, integrity and availability of data.

  • Encryption:
    • At rest: LUKS (Linux) or BitLocker (Windows) with AES-256 (XTS mode).
    • In transit: TLS between servers and clients.
    • Keys: kept in a hardware HSM (Hardware Security Module) or a key management service (AWS KMS, HashiCorp Vault), never on the same volume as the data they protect.
  • Backups:
    3-2-1 strategy: 3 copies, on 2 different media, 1 off-site. Automation via BorgBackup or Veeam, with periodic restore tests.
  • Access Control:
    • RBAC/ABAC: rights granted by role, refined dynamically by user attributes (job title, location).
    • Audit: Logging of all operations (CREATE, UPDATE, DELETE) with integration into SIEM.
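The access-control and audit bullets fit together as one decision function: the role grants a permission (RBAC), attributes of the session can still deny it (ABAC), and every decision is written to an audit trail for the SIEM. The following is an added example of that shape (not the page's own code); the roles, the country restriction, the MFA requirement for write operations and the sample users are all assumed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Role -> permitted operations (the RBAC part). Constructed for this example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "reader": {"READ"},
    "operator": {"READ", "UPDATE"},
    "admin": {"READ", "CREATE", "UPDATE", "DELETE"},
}
WRITE_OPS = {"CREATE", "UPDATE", "DELETE"}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    country: str     # attribute supplied by the session / identity provider
    mfa: bool        # did this session complete multi-factor authentication?


class AccessControl:
    def __init__(self, allowed_countries: Set[str]):
        self.allowed_countries = set(allowed_countries)
        self.audit: List[Dict[str, str]] = []   # in production: forwarded to the SIEM

    def authorize(self, subject: Subject, operation: str, resource: str) -> bool:
        """Return the decision and append an audit record regardless of outcome."""
        permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject.roles))
        if operation not in permitted:
            reason = "role lacks permission"              # RBAC
        elif subject.country not in self.allowed_countries:
            reason = "location not allowed"               # ABAC: location attribute
        elif operation in WRITE_OPS and not subject.mfa:
            reason = "mfa required for write"             # ABAC: session strength
        else:
            reason = "ok"
        allowed = reason == "ok"
        self.audit.append({
            "user": subject.user, "op": operation, "resource": resource,
            "decision": "ALLOW" if allowed else "DENY", "reason": reason,
        })
        return allowed


if __name__ == "__main__":
    ac = AccessControl({"DE", "NL"})
    ac.authorize(Subject("alice", frozenset({"admin"}), "DE", True), "DELETE", "telemetry/42")
    ac.authorize(Subject("bob", frozenset({"reader"}), "NL", True), "DELETE", "telemetry/42")
    for entry in ac.audit:
        print(entry)
```

Denials are logged with the same detail as allows: a burst of "role lacks permission" entries for one user is exactly the signal the SIEM integration is meant to surface.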

Note

Multi-layered security requires not only the implementation of technology, but also constant monitoring, employee training and adaptation to new threats. Regular audits, use of standards (ISO 27001, the NIST frameworks) and automation of processes are key to long-term sustainability.

Implemented security mechanisms

Network layer security

  • Filtering of incoming and outgoing traffic is configured to block unauthorized connections. For additional security it is recommended to allow access to the system only from trusted IP addresses or via VPN.
  • Use a dedicated APN in the SIM card settings of the telemetry (IoT) devices. This isolates the devices from general Internet traffic and improves data protection.
  • Access to the web interface is over HTTPS (TLS certificates), which encrypts traffic between the client and the server.
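Restricting the web interface to trusted addresses is easy to get wrong when a reverse proxy sits in front of the application: the `X-Forwarded-For` header is attacker-controlled unless a proxy you trust added it. The following is an added example (not the system's own code) of an allowlist check that only honours that header when the TCP peer is a configured proxy; the networks, proxy address and header layout are assumptions.

```python
import ipaddress
from typing import Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class IpAllowlist:
    def __init__(self, trusted_clients: Iterable[str], trusted_proxies: Iterable[str] = ()):
        # Networks in CIDR form; single addresses are accepted as /32 or /128.
        self.clients = [ipaddress.ip_network(c, strict=False) for c in trusted_clients]
        self.proxies = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    @staticmethod
    def _in(addr: IPAddress, nets) -> bool:
        return any(addr in n for n in nets)

    def effective_client(self, peer_ip: str, x_forwarded_for: Optional[str]) -> IPAddress:
        """The address to authorize: the TCP peer, or what a trusted proxy reports."""
        peer = ipaddress.ip_address(peer_ip)
        if x_forwarded_for and self._in(peer, self.proxies):
            # The rightmost entry was appended by our own proxy; anything to the
            # left of it arrived from the client and may be forged.
            last = x_forwarded_for.split(",")[-1].strip()
            try:
                return ipaddress.ip_address(last)
            except ValueError:
                return peer          # malformed header: fall back to the peer
        return peer                  # untrusted peer: ignore the header entirely

    def allows(self, peer_ip: str, x_forwarded_for: Optional[str] = None) -> bool:
        return self._in(self.effective_client(peer_ip, x_forwarded_for), self.clients)


if __name__ == "__main__":
    # Constructed setup: office range, VPN pool, and one reverse proxy at 10.0.0.5.
    acl = IpAllowlist(["203.0.113.0/24", "10.8.0.0/16"], trusted_proxies=["10.0.0.5"])
    print(acl.allows("10.8.0.12"))                        # VPN client, direct
    print(acl.allows("10.0.0.5", "203.0.113.7"))          # office client via proxy
    print(acl.allows("198.51.100.1", "203.0.113.7"))      # spoofed header, untrusted peer
```

The same rule should be enforced at the firewall as well; this check is the second layer for when the proxy configuration drifts.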

Operating System Layer Protection

  • Process isolation increases resilience to failures and compromise. In the IoT server, each part of the system runs in its own Docker container, so a breached or failing component cannot directly affect the others, which limits the possible damage from attacks and failures.

  • Use of the AppArmor, SELinux or Parsec security modules (optional). These modules add a further layer of protection at the operating system level by strengthening access control and preventing unwanted actions in the system.

      • Policy Customization: create strict security policies to restrict access to critical resources.
      • Security Audit: regularly analyze logs to identify suspicious activity.

Application layer protection

  • The web part of the system is protected against Cross-Site Request Forgery (CSRF). Built-in mechanisms generate a unique token for each form, and requests without a valid token are rejected. The SameSite attribute on session cookies and Referer (and Origin) header checks are also used.

  • The system has built-in protection against Cross-Site Scripting (XSS) attacks, including filtering of user input to prevent the injection of malicious JavaScript code.
      • Content Security Policy (CSP): policies are configured to restrict the sources from which scripts and other resources may be loaded.
      • Output escaping: HTML, CSS and JavaScript special characters in user input are escaped automatically when rendered.

  • Interaction with the database goes through an ORM, which issues parameterized queries so that user input cannot be executed as SQL (protection against SQL injection), and which logs queries to help detect suspicious activity.
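The CSRF bullet above, and the HMAC-SHA256 token bullet in the overview, describe three cooperating defences: a per-form token that an attacker's page cannot produce, a SameSite session cookie, and a check of the Origin/Referer header. The following is an added example (my code, not the web framework's own implementation) of all three; the secret, session identifier, site origin and the token format `nonce.hmac` are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Mapping
from urllib.parse import urlsplit


class CsrfProtector:
    def __init__(self, secret: bytes, site_origin: str):
        self.secret = secret                       # server-side only
        self.site_origin = site_origin.rstrip("/")

    def _mac(self, session_id: str, nonce: bytes) -> str:
        # Unambiguous binding of the token to the session: session || NUL || nonce.
        msg = session_id.encode() + b"\x00" + nonce
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, session_id: str) -> str:
        """A fresh token per form: random nonce plus HMAC-SHA256 over (session, nonce)."""
        nonce = secrets.token_bytes(16)
        return f"{nonce.hex()}.{self._mac(session_id, nonce)}"

    def token_valid(self, session_id: str, token: str) -> bool:
        try:
            nonce_hex, mac = token.split(".", 1)
            nonce = bytes.fromhex(nonce_hex)       # rejects non-hex garbage
        except (AttributeError, ValueError):
            return False
        # Constant-time comparison; bytes so a non-ASCII token cannot raise.
        return hmac.compare_digest(mac.encode(), self._mac(session_id, nonce).encode())

    def origin_ok(self, headers: Mapping[str, str]) -> bool:
        """Browsers send Origin (or at least Referer) on cross-site POSTs; fail closed if absent."""
        source = headers.get("Origin") or headers.get("Referer")
        if not source:
            return False
        parts = urlsplit(source)
        return f"{parts.scheme}://{parts.netloc}" == self.site_origin

    def check_request(self, session_id: str, headers: Mapping[str, str],
                      form: Mapping[str, str]) -> bool:
        """Both defences must pass before a state-changing request is processed."""
        return self.origin_ok(headers) and self.token_valid(session_id, form.get("csrf_token", ""))


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie value: SameSite=Lax keeps the session cookie off cross-site POSTs."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    p = CsrfProtector(secret=b"constructed-demo-secret", site_origin="https://app.example")
    sid = "sess-123"                               # constructed session identifier
    tok = p.issue_token(sid)
    print("same-site form:", p.check_request(sid, {"Origin": "https://app.example"}, {"csrf_token": tok}))
    print("forged request:", p.check_request(sid, {"Origin": "https://evil.example"}, {"csrf_token": tok}))
    print(session_cookie("sid", sid))
```

A token stolen from one session is useless in another because the session identifier is part of the MAC input, and an `Origin: null` header (what a sandboxed iframe or a redirect produces) fails the origin check rather than slipping through.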

Data storage level protection

  • Data encryption: data on disk is protected with AES-256; data in transit is protected by TLS.

  • Backup: regular backups of data are made and stored in secure storage.

  • Access Control: Role Based Access Control (RBAC) is used, and all data operations in the storage are audited.
