The Losant IoT application enablement platform keeps our customers’ solutions protected by using the highest level of security. Losant uses industry-standard encryption mechanisms to fully encrypt all data during transit and while at rest. This article provides a detailed overview of how Losant provides a secure environment for its users and applications.
Losant is proudly SOC 2 Compliant and undergoes recertification and auditing annually.
SOC Compliance is a set of criteria developed by the American Institute of CPAs (AICPA) that defines how customer data is managed. There are five principles:
- Processing Integrity
SOC 2 Compliance, specifically, is a certification given by a third-party auditor that assesses a system’s operational effectiveness with those five principles.
All communication between devices and Losant is fully encrypted using Transport Layer Security (TLS). TLS is the industry-standard encryption protocol, most commonly used by browsers to protect HTTPS traffic. TLS is widely adopted and available on most embedded devices, languages, and operating systems.
API access is controlled by the industry-standard JSON Web Token (JWT) authentication mechanism. Users create remote API access tokens through the account dashboard. The types of resources available to the token can be individually controlled depending on the needs of the specific API client. For example, an application that only needs to view data can generate a token that grants access to data only. That token is not able to view, edit, or manage any information about workflows or devices. API access tokens can be revoked at any time.
Losant does not store the tokens once they are generated; it is up to the user to securely save this information. You cannot recover a token if it is lost. The scope of each token is securely encrypted directly into the token, which is decrypted by Losant server-side. This allows Losant to use the token to grant access to resources without having to store any information about the token directly. The benefit of this approach is that access tokens can never be obtained from any data stored on Losant’s servers.
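The two preceding paragraphs describe a self-contained token: the scope travels inside the token, the server checks it without keeping a copy, and revocation still works. The following is an added illustration of that design in Python using only the standard library; it is not Losant's code and makes simplifying assumptions: the token is signed (HS256) rather than encrypted, so claims are tamper-evident but readable; the scope names `data.read` and `workflows.read`, the signing key and the `REVOKED_JTIS` list are all constructed for the example. It also shows the one caveat of a stateless token: revocation needs a server-side record of the revoked token id (`jti`), which is not itself a usable credential.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side signing key; in production it lives only on the server.
SERVER_KEY = b"constructed-demo-signing-key-do-not-reuse"

# Revocation list for a stateless design: only token ids are kept, never tokens,
# so nothing stored here can be replayed as a credential.
REVOKED_JTIS = set()


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(scopes, ttl_seconds=3600, now=None, key=SERVER_KEY) -> str:
    """Mint an HS256 JWT whose scope list is carried inside the token itself."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"scope": sorted(scopes), "jti": secrets.token_hex(8),
               "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, payload))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, now=None, key=SERVER_KEY) -> dict:
    """Return the claims if algorithm, signature, expiry and revocation checks pass."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("jti") in REVOKED_JTIS:
        raise ValueError("revoked")
    return claims


def authorize(token: str, required_scope: str, now=None) -> bool:
    """Decide an API call purely from the claims carried in the token."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False
    return required_scope in claims.get("scope", [])


def revoke(token: str) -> None:
    """Revoke by token id; the server still stores nothing usable as a credential.
    Assumes the caller has already been authenticated as the token's owner."""
    claims = json.loads(b64url_decode(token.split(".")[1]))
    REVOKED_JTIS.add(claims["jti"])


def with_replaced_scope(token: str, scopes) -> str:
    """Test helper: rewrite the scope claim but keep the old signature, to check
    that the verifier rejects any edited claim."""
    head, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims["scope"] = sorted(scopes)
    new_body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return head + "." + new_body + "." + sig
```

A data-only token passes `authorize(token, "data.read")` and fails `authorize(token, "workflows.read")`; editing the scope claim invalidates the signature, an expired token is refused, and after `revoke(token)` the id check refuses it even though the signature is still valid.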
Devices that communicate using MQTT use application keys and secrets. These are implemented in the same way as API access tokens, but automatically scope access to the specific application. The key and secret are used as MQTT’s username and password fields, respectively.
Losant uses Google Compute as its underlying infrastructure provider. All data is stored using Google Compute Engine’s persistent disk functionality, which encrypts all data in transit and at rest. Google complies with the strictest information and physical security requirements. Please refer to their security documentation for more information.
Losant has implemented a Two-Factor Authentication (2FA) scheme based on the Internet Engineering Task Force standard RFC 6238. The same time-based one-time password (TOTP) algorithm used by Google and Amazon also protects a Losant user’s account against unauthorized access even if their password has been compromised.