Edge Security

EnOS Edge, as part of EnOS, fully complies with the EnOS security standards and protection rules, implementing security controls for hardware, cloud communication, certificate-based encryption, and access control.

Edge Devices

Edge devices can be installed on a range of qualified hardware. Built-in firmware and software upgrade features allow critical security vulnerabilities to be patched manually or automatically, and every change, firmware upgrade, or software upgrade applied to the Edge is logged in EnOS Cloud.

Unused USB ports on Edge devices are disabled by default to prevent malicious access. The Edge's network policy allows only the ports that the required applications and services use.

Edge supports TPM-backed hardware encryption, which provides secure storage for client certificates. The RSA private keys generated by the TPM chip are stored inside the TPM chip itself, while the private key tags and the public keys are stored in the relevant files.

The private keys can never be extracted from the TPM chip; the encrypted files can therefore only be decrypted by combining the local TPM chip with the relevant files, which ensures a high level of security.

Communication with the EnOS Cloud

All Edge devices need to be created in EnOS Cloud before they can communicate with it. The unique identity of each Edge device, together with the user-customized Edge ID, forms the basis of the tokens and signatures needed to communicate with EnOS Cloud.

The Edge ID can be an out-of-the-box fixed identifier, such as a device serial number, a network MAC address, or any other identifier that cannot be changed easily. The Edge ID is managed by the edge device connector of EnOS Cloud through the EnOS Management Console or the API interface, and EnOS Cloud provides secure storage for Edge IDs and keys.

The Edge communicates with EnOS Cloud over a TLS data channel on which mutual (two-way) X.509 certificate-based authentication is enforced for each session. To ensure that each Edge device has its own unique client certificate, the certificate request is executed by the Edge device upon first power-on.

The Edge device generates a key pair and a public key certificate request according to a public key infrastructure (PKI); the request carries a unique device identifier (serial number or MAC address) and is bound to the corresponding private key.

The certificate request is then forwarded to the EnOS authentication service or a certificate authority (CA) for signing. The signed public key certificate is sent back to the Edge device and stored locally along with the private key.

To ensure a secure connection from the device to EnOS Cloud, the TLS protocol and public key encryption are used during data transfer to prevent eavesdropping, tampering, and message forgery.

When a device calls an EnOS API, the call is made over HTTPS. The TLS channel between the device and EnOS Cloud uses mutual (two-way) X.509 certificate-based authentication, and all data is encrypted.
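The enrolment flow described above, as an added worked example in Go; this is not EnOS code and the page does not describe EnOS's actual CA, API or registration store. It assumes a constructed device serial (`EDGE-SN-000123`), an in-memory stand-in CA named `Example Edge CA`, and an allow-list `registeredSerials` standing in for the requirement that a device be created in the cloud before it may communicate. The device side generates its key pair and a CSR naming its hardware identifier; the CA side checks the CSR's proof of possession and the registration, issues a client-authentication certificate, and `verifyDeviceCert` performs the per-session check the cloud side applies to the presented certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed allow-list of devices already created in the cloud; the real EnOS
// registration store and CA are not on the page, so these stand in for them.
var registeredSerials = map[string]bool{"EDGE-SN-000123": true}

// must panics on error; acceptable for the setup steps of a demonstration.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template returns a one-day certificate template with the given key usages.
func template(cn string, ku x509.KeyUsage, eku x509.ExtKeyUsage, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
	}
}

// newCA creates a self-signed CA standing in for the EnOS authentication service.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template("Example Edge CA", x509.KeyUsageCertSign, x509.ExtKeyUsageAny, true)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// deviceCSR is the first-power-on step: the device generates a key pair and a
// signing request naming its hardware identifier. The private key stays on the device.
func deviceCSR(serial string) ([]byte, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: serial}}
	return must(x509.CreateCertificateRequest(rand.Reader, req, key)), key
}

// signCSR is the CA side: the request's self-signature must verify (proof of key
// possession) and the identifier must belong to a device registered beforehand.
func signCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if !registeredSerials[csr.Subject.CommonName] {
		return nil, fmt.Errorf("unregistered device identity %q", csr.Subject.CommonName)
	}
	tmpl := template(csr.Subject.CommonName, x509.KeyUsageDigitalSignature, x509.ExtKeyUsageClientAuth, false)
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// verifyDeviceCert is what the cloud side checks on each session: the presented
// certificate must chain to the CA and be valid for client authentication.
// It returns the authenticated device identifier.
func verifyDeviceCert(leafDER []byte, ca *x509.Certificate) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

func main() {
	ca, caKey := newCA()
	csr, devKey := deviceCSR("EDGE-SN-000123") // first power-on on the device
	leaf := must(signCSR(csr, ca, caKey))      // signed by the cloud-side CA
	fmt.Println("device stores", len(leaf), "bytes of certificate beside its", devKey.Curve.Params().Name, "key")
	fmt.Println(verifyDeviceCert(leaf, ca))
	unknown, _ := deviceCSR("EDGE-SN-999999")
	_, err := signCSR(unknown, ca, caKey)
	fmt.Println("unregistered device:", err)
}
```

The refusal of an unregistered identifier in `signCSR` is the check that ties certificate issuance to the requirement that the device exists in the cloud first; a CSR only proves that the requester holds some private key, not that it is a legitimate device. The `verifyDeviceCert` step is the same chain and extended-key-usage check a TLS server performs on every session when it is configured to require and verify client certificates (in Go, `ClientAuth: tls.RequireAndVerifyClientCert` with `ClientCAs` set to the CA pool), so a certificate from any other CA, or one not issued for client authentication, is rejected before any application data flows.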

Access Control

Edge users' access permissions can be managed from EnOS Cloud. Log auditing is also provided on the Edge: the operations and changes made by all users are recorded in the audit logs and uploaded to the cloud.