Security is important in all aspects of life - driving in a car, flying in a plane, uploading content to social media. The same is the case for your sensor data being sent to Ubidots. Ubidots is a streamlined platform designed for ease-of-use and quick deployment with security best practices built in along the way. For added layers of security, we recommend using your own firmware while utilizing Ubidots libraries for reference. Below you will find some of Ubidots' API best practices and some preventive measures you can take to keep your data yours.
API Best Practices
HTTP with SSL Encryption
HTTPS involves the use of an SSL certificate - "SSL" stands for secure sockets layer - which creates a secure encrypted connection between our servers and your devices. HTTPS helps us guarantee confidentiality, authenticity, and integrity.
MQTT with TLS Encryption
Ubidots supports the MQTT protocol, a lightweight publish/subscribe messaging transport optimized for IoT that supports TLS encryption. TLS (Transport Layer Security) provides a secure communication channel between a client and a server. Just like SSL, TLS is a cryptographic protocol that uses a handshake mechanism to create a secure connection between the client and the server. After the handshake is completed, an encrypted communication channel between client and server is established, and an attacker observing the network traffic cannot read its content. Note that this guarantee holds only if the client verifies the broker's certificate; a client configured to skip verification will happily complete a handshake with an impostor.
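The following is an added example, not code from Ubidots or from this article. It builds the TLS client context that an MQTT client would use for the encrypted connection described above, with the verification settings a production device needs, and places the "skip verification" shortcut beside it so the difference is visible. The port number and the `tls_set_context` usage note are assumptions about a typical paho-mqtt client, not something the article states.

```python
"""TLS client context for MQTT over TLS (added example, stdlib only).

Only the Python ssl module is used, so the block runs offline. Assumptions not
taken from the article: port 8883 as the MQTT-over-TLS port and the paho-mqtt
client.tls_set_context(ctx) call mentioned in the comments.
"""
import ssl

MQTT_TLS_PORT = 8883  # conventional MQTT-over-TLS port (assumption)


def mqtt_tls_context(cafile=None):
    """Strict client context: chain verification, hostname check, TLS 1.2 or newer.

    cafile is an optional PEM bundle for the broker's CA; with None the system
    trust store is used. Hand the result to e.g. client.tls_set_context(ctx)
    before client.connect(host, MQTT_TLS_PORT).
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy SSL/TLS 1.0/1.1
    # create_default_context already sets check_hostname=True and CERT_REQUIRED;
    # setting them explicitly documents the intent and guards against later edits.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_context_for_comparison():
    """The prototype shortcut to avoid: any host presenting any certificate is accepted.

    The handshake still succeeds and the traffic is still encrypted, but it may be
    encrypted to whoever sits between the device and the broker.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """Quick self-check a device can run at boot before opening the MQTT socket."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    print("strict context hardened:", context_is_hardened(mqtt_tls_context()))
    print("shortcut context hardened:", context_is_hardened(insecure_context_for_comparison()))
```

The `context_is_hardened` check is the useful part for a fleet: run it once at start-up and refuse to connect if a build accidentally shipped with verification disabled, rather than discovering it after the broker endpoint is spoofed.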
Unlike traditional server-based authentication, where a username and password need to be sent in every request (constantly exposing them to potential attackers), token-based authentication assigns a signed token after the first request, which can then be used for subsequent requests. This is how token-based authentication takes place:
- Client requests a security token using an API Key
- Our Application validates the API Key
- Our Application provides a signed token back to the client
- Client stores that token and sends it along with every request
- Server verifies token and accepts requests
- If Client doesn't use the token for more than 6 hours, then it will need to request a new token using the API key.
Token-based authentication has become the standard for web APIs and Ubidots has also adopted it as a best practice. The token is not a cookie: it is sent explicitly on every request, and because no cookie is sent, CSRF attacks are prevented. We also support token revocation, which allows you to invalidate a specific token from your account.
Token in the HTTP headers
Ubidots supports an alternative means for authentication, which is by specifying the Token in the URL as a parameter in the form of "token=". We enabled this to help you build faster prototypes as some devices might require extra coding to set HTTP headers, making it simpler to just use the Token in the URL.
However, when you go to production, keep in mind that we recommend sending the token in the HTTP headers, using the "X-Auth-Token" HTTP header field rather than the "token=" query parameter as it provides an added level of security.
Although we utilize HTTPS to ensure that all requests are encrypted for network transport, there is a possibility that the plain-text URL, with the value of the token, might appear in the logs of HTTP servers, proxies and browser histories that handle the request. Additionally, there are spyware exploits whereby certain browser extensions track and aggregate browsing behavior and sell that data to third parties. Again, use of the token as a query parameter could lend itself to unintentional exposure of your token.
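The following is an added example that is not part of the article and not Ubidots' own client library. It exercises the token flow from the list above and the header-versus-query-parameter point from this section: a session object that requests a token with the API key, reuses it, and re-requests only after it has sat idle for the stated 6 hours; a request builder that places the token in the `X-Auth-Token` header (production) or in the `token=` query parameter (prototyping); and a log redaction helper for the exposure described above. The token endpoint, the device path and the sample log line are constructed placeholders; the transport is a fake callable so the block runs offline, and only the `X-Auth-Token` header name, the `token=` parameter and the 6-hour idle limit come from the article.

```python
"""Token handling for an HTTP API client (added example, stdlib only).

Constructed values: the base URL, the device path, the fake token issuer and the
sample access-log line. Only "X-Auth-Token", "token=" and the 6-hour idle limit
are taken from the article.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

IDLE_LIMIT_SECONDS = 6 * 60 * 60  # article: a token idle for more than 6 hours must be re-requested


@dataclass
class TokenSession:
    """Caches one token and asks for a new one only when the old one has gone idle."""

    api_key: str
    request_token: Callable[[str], str]  # transport that exchanges an API key for a token
    idle_limit: int = IDLE_LIMIT_SECONDS
    _token: Optional[str] = None
    _last_used: float = 0.0
    requests_made: int = 0  # how many times the API key actually went over the wire

    def token(self, now: float) -> str:
        """Return a usable token at time `now` (seconds), refreshing if it went idle."""
        if self._token is None or now - self._last_used > self.idle_limit:
            self._token = self.request_token(self.api_key)
            self.requests_made += 1
        self._last_used = now
        return self._token


def build_request(base_url: str, path: str, token: str,
                  token_in_header: bool = True) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for a device request.

    token_in_header=True is the production recommendation: the token travels in
    the X-Auth-Token header, which servers and proxies do not log by default.
    token_in_header=False is the prototyping shortcut: the token becomes part of
    the URL and therefore part of every access log that records it.
    """
    url = base_url.rstrip("/") + path
    headers = {"Content-Type": "application/json"}
    if token_in_header:
        headers["X-Auth-Token"] = token
    else:
        url += "?" + urlencode({"token": token})
    return url, headers


def url_carries_token(url: str) -> bool:
    """True if the URL would leak a token into any log that records request lines."""
    return "token" in parse_qs(urlparse(url).query)


TOKEN_QUERY = re.compile(r'(?i)([?&]token=)([^&\s"]+)')


def redact_token(text: str) -> str:
    """Mask token= values in a URL or an access-log line before it is stored or shared."""
    return TOKEN_QUERY.sub(lambda m: m.group(1) + "[REDACTED]", text)


# Constructed sample access-log line showing the exposure the article describes.
SAMPLE_LOG_LINE = ('10.0.0.7 - - [01/Jan/2024:12:00:00 +0000] '
                   '"GET /api/v1.6/devices/demo/values?token=abc123SECRET HTTP/1.1" 200 17')


if __name__ == "__main__":
    issued = iter(range(1, 1000))
    session = TokenSession("EXAMPLE-API-KEY", lambda key: f"tok-{next(issued)}")
    base = "https://industrial.api.ubidots.com"        # placeholder base URL
    path = "/api/v1.6/devices/demo"                     # placeholder device path
    url, headers = build_request(base, path, session.token(now=0.0))
    print("header request :", url, headers["X-Auth-Token"])
    url_q, _ = build_request(base, path, session.token(now=60.0), token_in_header=False)
    print("query request  :", url_q, "-> logged as", redact_token(url_q))
    print("log line       :", redact_token(SAMPLE_LOG_LINE))
    print("API key sent   :", session.requests_made, "time(s)")
```

The session keeps the API key off the wire after the first exchange, which is the whole point of the token flow; `url_carries_token` is a cheap assertion to put in a firmware or integration test so that a prototype built with `token=` does not reach production unchanged, and `redact_token` is what you run over logs you must retain or hand to support.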
Working with Leading Cloud Providers
Ubidots Industrial IoT licenses are hosted by default on IBM's Toronto Datacenter. Industrial users can request deployment in a different datacenter or leading cloud provider.
Working with renowned cloud providers helps us minimize the risk of outages given their focus on reliability and uptime. IBM's cloud complies with more than 15 guidelines, including:
- ISO 27001: a widely-adopted global security standard that outlines the requirements for information security management systems and provides a systematic approach to managing company and customer information based on periodic risk assessments.
- SAS 70: Statement on Auditing Standards (SAS) No. 70, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It represents that a service organization has been through an in-depth examination of their control objectives and control activities, which often include controls over information technology and related processes.
Multi-AAA User Management
Authentication, authorization, and accounting (AAA) is a term used to describe a framework that successfully controls access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.
The Ubidots Industrial license allows you to gain control over who can access your device data at different levels: apps, organizations and end-users.
- Apps Permissions: Set which organizations can access a specific app.
- Organization Permissions: Set which devices, dashboards and users belong to a specific Organization and can access it.
- User Permissions: Add users to organizations, set passwords or revoke access when needed.
Ubidots has committed itself to being a safe place for your IoT development, exploration, and deployments. Using the best practices provided in this article and limiting access with Ubidots Multi-AAA user management, you can ward off malicious intruders from your valuable insights.