Reacts Security Overview

1. CONNECTION ENCRYPTION
2. VIDEO, VOICE AND TEXT EXCHANGE ENCRYPTION
3. TWO-FACTOR AUTHENTICATION AND ROBUST PASSWORD
4. DATA AT REST SECURITY
5. LOCAL STORAGE ENCRYPTION
6. DATA BACKUPS
7. AUDIT LOGS
8. INDEPENDENT AUDITS
9. DATA FLOW MAP
10. SINGLE SIGN-ON (SSO)
11. HOSTING

 

1. Connection Encryption

Encryption Requirements

All external access points to the Reacts APIs and services require secure connections using Transport Layer Security (TLS). All internal access points between Reacts services require secure connections using industry standards encryption methods.

 

2. Video, voice and text exchange encryption

Audio/video communications are established via WebRTC and utilize the DTLS-SRTP security context to encrypt and decrypt streams from end to end.

The signaling channels are completely separated from the media transport and are TLS secured. The certificate fingerprints are sent through this secure connection, reducing the possibility of MITM attacks. Every connection and session use unique keys.

For environments where Peer to Peer ("P2P") connections are not possible due to infrastructure and firewall restrictions, Philips provides access to its hosted TURN services. TURN acts as a relay service to connect parties together in places where only outbound connections are allowed. The DTLS-SRTP allows secure end to end protected sessions over either UDP or TCP. Given that UDP provides higher performance and lower bandwidth requirements, it is the preferred alternative.

Text messaging is always transmitted via the signaling service and is thus secured with TLS.


Philips' implementation of WebRTC prioritizes audio/video stream connections as follows:

  1. P2P UDP;
  2. P2P TCP;
  3. TURN UDP;
  4. TURN TCP.

Therefore, if an institution’s firewall allows P2P via UPD and/or P2P via TCP, the stream connection will be established in P2P. If an institution’s firewall blocks P2P connections, the stream will be established via TURN UDP or TCP with TLS encryption.

3. Two-factor authentication and robust password

Reacts allows the use of two-factor authentication. The current implementation uses the principles of "Something you know" and "Something you have".

  • Something you know: Username and password. The password is expected to remain confidential
  • and hard to guess.
  • Something you have: Philips uses a TOTP standard algorithm implementation of "Something you
  • have".

There are many free applications that can be used to calculate a token based on a secret the user stores in his/her device. The token is required if the user configures his/her Reacts account for two-factor authentication.

The two-factor authentication reduces enormously the chances of success of many types of exploits. Just to mention the most common ones, social engineering, brute force and dictionary attacks become extremely hard to succeed when a two-factor authentication is enabled. In the case a malicious individual gets access to a password, the "thing you know", it will be very difficult for such person to produce the right token, "something you have". In the contrary case, if the malicious user gets access to the device using "something you have", it will still be needed to figure out the "something you know" factor.

Upon registration, the user must provide the following security information:

  • An email address;
  • A robust password (8 characters minimum, including one upper-case, one lower-case and one
  • number);
  • When a user will have chosen the two-factor authentication, it will also be needed to register
  • Reacts in an application that can generate the TOTP tokens his/her device.

In order to access Reacts for the first time, the user will receive an activation key via email or

text message, allowing him/her to validate the ownership of the e-mail account.

 

4. Data at rest security 

  • The database and database backups are encrypted at rest using "Transparent Data Encryption" (TDE) with AES 256.
  • The servers used for storage are located in a sub-network that is not exposed to the internet. Only the computers and the Reacts services that require it as well as a restricted group of users have access to this network.
  • The stored user files are encrypted using Azure blob services using AES 256.
  • Access to encrypted information by Philips or Philips suppliers is strictly prohibited by security and access policies as well as by implemented security mechanisms
  • Access to the storage servers is strictly regulated by Philips’s internal policies and service agreements.

5. High availability (HA)

The Reacts platform infrastructure is designed with high availability (HA) and Service Redundancy.

 

6. Data backups

1-Level Data Backup System

1. Active online backup: 0 data loss - Philips' primary database is actively replicated to a secondary server via a high-availability database cluster.

2. Passive online backup: +/- 1 hour of potential data loss - Philips performs passive backups on the primary database server. These backups don't automatically overwrite, allowing Philips to minimize data loss in case of corruption. The database backup files are stored on a secure and georedundant Azure storage account.

3. Persistent daily backups are performed on all virtual machine disks, and provide an extra layer of protection. They are stored to an Azure Recovery Services Vault following Philips' retention policies.

 

2-Backup Encryption

Encrypted data remains encrypted when backed up and is subject to Philips' security and remote

access policies.

 

7. Audit logs

Reacts logs operations performed by users. These logs contain the following information:

• Date and time for each type of operation;
• Type of operation;
• Connection success;
• Connection failure;
• Session request;
• Session accepted;
• Session aborted;
• Document shared;
• Password reset;
• Password changed;
• Requester (user identifier);
• Message (description of operation type);
• Room ID (identifier of a session between users);
• Additional fields (other fields helping to read the log entry).

Log data is available upon request of the owner of the account.

 

8. Independent audits

Philips is dedicated to upholding its security and confidentiality policies as well as the higher standards of quality for its solution.

In addition, Philips is committed to undergoing an annual IT pentesting of its Reacts solution in order to ensure that the quality and security of the Reacts platform as well as the IT network are maintained.

 

9. Data flow map

Reacts_flow.png

More details are available upon request.

 

10. Single sign-on (SSO)

Partner integration with SSO can be possible upon request.

 

11. Hosting 

Philips' servers are hosted in a localized instance of Microsoft Azure Cloud Services (Canada East and Central Regions).

François-Xavier Brunet -
Was this article helpful?
0 out of 0 found this helpful

Comments