NNNCo Network and Data Platform Security Policy

NNNCo is a licensed Australian Telecommunications carriage service provider. As such, all elements of the NNNCo network and systems are scrutinised annually for security and resilience by the ACMA and Department of Home Affairs under the standard reporting compliance requirements. All elements of the NNNCo network are designed to deliver highly reliable, available and secure services and data. N2N-DL has been designed to remove or reduce the barriers for IoT application development. Security is an integral part of our commitment to all users. This article summarises the overall security approach and reflects the NNNCo Security Policy.

Protecting device and customer data

The focus of the NNNCo network security program, including the N2N-DL Data Platform, is to prevent unauthorised access to device and customer data. For NNNCo, security is a shared responsibility across all stakeholders, and our team takes extensive steps to identify and mitigate risks, implement best practices, and constantly develop ways to improve.

Secure by design

Every element of the NNNCo network is designed with security underpinning all decisions. Device data is encrypted using 2 x 128-bit AES encryption to protect data and network path. Gateway to Network Core is protected with IPSec security. The Network Core to N2N-DL is protected using, as a minimum, SSL for connectivity and for delivery of data to application layers and customer end points.

Even though N2N-DL does not store credit card information, our leadership team has made the conscious decision to follow the Payment Card Industry Data Security Standards (PCI DSS) security recommendations wherever possible/applicable.

Building and maintaining a secure network

We protect customer and device data with strong password one-way encryption and have password policies in place to avoid default/simple passwords and enforce timely rotation for critical system access. Network security is maintained further with IPSec Certificates, which are stored in a secure software element on every gateway. Further to this, all external ports are locked down. NNNCo also monitors for DDoS and other attacks.

Protecting customer and device data

Data in Transit

NNNCo encrypts transmission of customer and device data across open and public networks using SSL for all inter process communication.

All data between N2N-DL clients and NNNCo services is transmitted using strong encryption protocols. We support the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, whenever supported by the clients.

Data at rest

We offer encryption at rest options for data storage if/when requested by the client, depending on commercial arrangements, and we support client-provided keys, which are never stored or logged on our side.

Data segregation and durability

The NNNCo Network Core is a protected environment with access only provided to NNNCo network engineering personnel and support staff. All passwords are stored in accordance with security standards.

Each N2N-DL customer's data is hosted in our shared infrastructure and logically separated from other customers’ data. There is no overlap or intersection between non-authorised users of data.

We use a combination of best practices as recommended by our cloud providers (AWS / Google Cloud) to ensure customer data durability (99.999999999%), so that data is protected from hardware failures and is returned quickly when requested.

Network security and Hosting

The NNNCo Network Core is hosted in AWS data centres based in Australia and all data is held within the region as defined by NNNCo. N2N-DL is hosted within AWS data centres which are maintained by industry-leading service providers, offering state-of-the-art physical protection for the servers and infrastructure that comprise our operating environment.

Systems supporting testing and development activities are hosted in a separate network from systems supporting N2N-DL’s production infrastructure. All servers within our production fleet are hardened (e.g. disabling unnecessary ports, removing default passwords, etc.) and have a base configuration image applied to ensure consistency across the environment.

Network access to NNNCo’s production environment from open, public networks (the Internet) is restricted, with only a small number of production servers accessible from the Internet. Only those network protocols essential for delivery of N2N-DL’s service to its users are open at our perimeter and there are mitigations against distributed denial of service (DDoS) attacks deployed at the network perimeter.

Under Data Sovereignty concerns, NNNCo has a policy that all data is owned by the owner of the device generating the data. As policy and under process, no data can be shared with any third party without express permission of the data owner. NNNCo maintains access to metadata to ensure it meets its regulatory compliance and to ensure the highest standard of operation of devices over the NNNCo network.

No payload data is stored or maintained without the express approval of the device (data) owner. N2N-DL employs a group-based data sharing architecture which is fully managed and mandated by the owner of data. NNNCo has also defined that the region of operation is within Australia and all data will reside and remain in Australia. At no time will any customer-owned data be shared with any third party within or outside of Australia without express written permission of data owners.

Access control measures

Workstation security

All workstations issued to NNNCo personnel are configured by NNNCo to comply with our standards for security. These standards require all workstations to be properly configured, updated, and to be tracked and monitored by NNNCo endpoint management solutions. NNNCo’s default configuration sets up workstations to encrypt data at rest, have strong passwords, and lock when idle. 

Workstations run up-to-date monitoring software to report potential malware, unauthorised software, and mobile storage devices. Mobile devices that are used to engage in company business are required to be enrolled in the appropriate mobile device management system, to ensure they meet NNNCo’s security standards.

Principle of least privilege

To minimise the risk of data exposure, all elements of the NNNCo network, including N2N-DL, adhere to the principles of least privilege and role-based permissions when provisioning access. Workers are only authorised to access data that they reasonably must handle in order to fulfil their current job responsibilities.

Authentication

To further reduce the risk of unauthorised access to data, N2N-DL supports multi-factor authentication for all access to the platform with highly classified data, including our production environment, which houses our customer data.

Development security policy

NNNCo maintains a policy that addresses development security for employees and contractors.

Internal Training

All our developers are trained at least annually in the OWASP Top Ten vulnerability threats and are bound by clear KPIs in terms of overall security of the code committed.

Code Reviews

All our internal code reviewers are specifically trained to identify and prevent insecure code from being committed into production. Every single line of code of N2N-DL is reviewed by at least two other developers with appropriate seniority.

Deployment Traceability

All our deployments are authorised by a senior stakeholder and each line of code is 100% traceable and auditable.

Network Core Upgrade

The NNNCo network core is held separately from all security access via public and internal stakeholders. Access to the network core is restricted to the NNNCo network team and support personnel, and all access and changes are tracked by user. NNNCo operates two mirrored networks for maintaining security and data resilience. All upgrades on the network core are completed on the Pre-Production network to eliminate any potential bugs or security flaws. Thorough testing is completed prior to the upgrade of the production network server.

Disaster Recovery and Business Continuity Plan

NNNCo utilises services deployed by its hosting provider (AWS / Google Cloud) to distribute production operations across multiple separate physical locations. These locations are within one geographic region, but protect all elements of the NNNCo network and the N2N-DL service from loss of connectivity, power infrastructure, and other common location-specific failures.

In addition, NNNCo has a comprehensive Business Continuity Plan for the ongoing operation of the business, including support infrastructure, in the event of a business interruption event.

Security incidents response

NNNCo strives to catch all vulnerabilities in the design and testing phases. In the event of an error or network exposure, all identified vulnerabilities are validated for accuracy, triaged, and tracked to resolution. The NNNCo security and data resilience program ensures there is a discovery phase after any event occurring on the network, so that all vulnerabilities are exposed and eliminated.

NNNCo has established policies and procedures for responding to potential security incidents. The policies define the types of events that must be managed via the incident response process and classify them based on severity. In the event of an incident, affected customers will be informed via email as soon as it is technically possible. Incident response procedures are tested and updated at least annually.

External Validation

Penetration Testing

NNNCo engages independent entities to conduct application-level and infrastructure-level penetration tests at least annually. Results of these tests are shared with senior management and are triaged, prioritised, and remediated in a timely manner. Executive summaries of these activities can be requested from your account executive. Specific results from a typical penetration test are not provided to NNNCo customers; however, the results are acted upon within a priority time frame, which is then audited as a follow-on from an initial Penetration and Vulnerability Test.

 

About the author

Tony Tilbrook is COO / CTO at National Narrowband Network Co (NNNCo), an Australian telecommunications carrier providing a scalable fully managed service to deliver lighting solutions that can service local communities in a consistent and secure manner. Tony works closely with a wide range of Council and city partners to build secure carrier-grade digital infrastructure for cities.