Mist Security

We live in a world where data center breaches are in the headlines almost monthly, and there is a fear of security in public cloud due to fears around data security. Clearly, there are myths that cloud computing is inherently less secure than traditional approaches. The paranoia is largely due to the fact that the approach itself feels insecure, with your data stored on servers and systems you don’t own or control.

The truth, however, is that public cloud is often more secure than most traditional data centers. That is because cloud providers have better security mechanisms in place and are more paranoid and attentive to security risks throughout their entire stack. The cloud providers are much better at systemic security services, such as looking out for attacks using pattern matching and AI technologies. In addition, they are always leveraging the most up- to-date security technologies and solutions for minimizing exploits.

It is no surprise that the hackers move on to easier pickings: enterprise data centers. The on-premises systems that IT manages is typically a mix of technologies from different eras. The aging infrastructure is often less secure — and less securable — than the modern technology used by cloud providers simply because the old, on-premises technology was designed for an earlier era of less-sophisticated threats. The mixture of different technologies in the typical on-premises data center also opens up more gaps for hackers to exploit

Mist Cloud Security

Mist treats data security as a core strategy in the company culture. All servers are hardened and user access is highly restricted. Industry standard encryption is utilized for data in transit and data at rest. Any user information stored in the cloud is obfuscated with an organization specific key. Security is integrated with the development cycles and pen tests are performed to detect vulnerabilities at the network and application levels. The graphics shown below illustrates what protocols AP uses to communicate securely with cloud servers. All data is block encrypted in the cloud.

Salient points about Mist cloud security:

  • Servers are hosted in a SOC2 type 2 compliant datacenter, across multiple availability zones/regions.
  • All servers run Linux OS and are hardened per best practices.
  • Audit logs are captured at a centralized location.
  • Principles of granting minimal privileges, minimal access, and minimal services are used.
  • User access is highly restricted.
  • Industry standard encryption is utilized for data in transit and data at rest.
  • Client information stored in the cloud is obfuscated with an organization specific key.
  • Security is integrated with the development cycles and vulnerability scans are performed prior toreleasing the code to production environment.
  • Mist performs web security testing right from the development to production stages. Mist scansfor SQL injections, XSS and 700+ other vulnerabilities, including OWASP Top 10.
  • Servers are hosted at AWS in multiple VPCs and security groups, protected by firewalls. Only the required ports are opened on front end servers or terminators that need to communicate directly with APs or APIs from outside.

Data Security

Mist encrypts and secures data in the following way.

  • AP to Mist Cloud: Communication between the Mist cloud and the AP uses HTTPS/TLS with AES-128 encryption, and mutual authentication is provided by a combination of digital certificate and per-AP shared key created during manufacturing.
  • UI or API: API communication (including UI access) uses HTTPS/TLS and is encrypted with AES-256.
  • Internal to Cloud: Data within the cloud is stored using AES-256 encryption.
    • Hosted in a SOC2 type 2 compliant datacenter across multiple availability zones/regions
  • Management console: Accessed over https connection, using 2048-bit RSA key.
  • Data types:
    • Sensitive information is obfuscated with a different key per organization.
      • In addition, block level encryption is done for all data using AES-256.
    • Config data – Database is encrypted
    • User data (user traffic) – not transferred to cloud
    • Packet captures (used for network debugging) – only headers are captured
      Meta-data – location, statistics

      • Controlled via org level access

Access Control

Mist controls access to various resources in the following way.

  • Access Restrictions
    • Access to AP’s – No user accessible interface.
    • AP access to cloud — Based on role.
  • Types of access
    • Role based for org/site changes
    • AP to cloud:
      • The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM). And then we do a separate DH step with EC rather than RSA for the per-connection key
    • Employee access:
      • HTTPS to API servers.
      • SSH to all servers for administration. SSH is protected on an individual basis using digital certificates. Key additions and accesses are audited.
    • Access to AP’s:
      • SSH access requires a private/public key pair, managed on an individual basis.
      • Default: no keys. There is no user accessible console port. We have a serial port for local troubleshooting.
    • Tenancy
      • Organization data is transmitted and stored with the individual tenant ID to prevent access by other organization.

Mist Security PDF