Onboard Security Brief

Built on Linux Ubuntu. Clients benefit from a Linux distribution with enterprise-grade, industry leading security practices, and Ubuntu’s powerful file system permissions, user management, control groups, and firewall.
VMware Version 14 or later (recommended). Onboard deploys its software on a virtual machine as standard. Clients enjoy an isolated environment, easier scaling, and a higher level of security and uniformity, aligned with their organization’s standards and processes.
Read Only. Onboard software only performs READ operations from a building’s network. The software does not provide WRITE operations to a building’s network.
Importance of Physical Security. Edge software, deployed on any machine, still requires physical security. This is standard for any access point to a building’s network. Any physical device can be tampered with, therefore, we strongly recommend any device connected to a building’s network be under lock and key.

SSH. Onboard accesses the deployed edge software on your site through SSH. Security settings are set as recommended by SSHAudit. Onboard’s virtual machine software is restricted to prevent tampering. Clients access a web interface hosted by Onboard’s cloud servers to monitor the status of their edge software connection.
Network Traﬃc, Ports. Onboard's edge software pushes building data to Onboard’s cloud server via HTTPS (TCP Port 443), which uses TLS for encryption. Onboard’s edge software is configured using UDP port 1501.
VPN & Cryptography. Onboard employs WireGuard® as its secure VPN tunnel for data transmission. WireGuard® uses state-of-the-art cryptography for end-to-end encryption. This includes the noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, and HKDF. More performant than OpenVPN, WireGuard® is designed as a VPN for running on embedded interfaces as well as supercomputers, and has a minimal attack surface as compared to Swan/IPsec or OpenVPN/OpenSSL.

Data is stored encrypted at-rest. Clients can request that Onboard store data up to 2 years or Clients can also request data deletion.
Data loss prevention due to intermittent or communication outage from edge software to cloud. Onboard edge software stores time-series data during a communication outage to prevent data loss. Depending on the volume of data, Onboard can store 2 to 3 weeks worth of data (Onboard provides hardware recommendations to ensure this capability)

Multi-factor Authentication. Onboard software and its APIs provide RESTful JSON APIs over HTTPS, with authorization & authentication handled by JWT or account-linked and resource-scoped API keys. Multiple-factor authentication is provided by TOTP or WebAuthn. APIs are documented with OpenAPI v2.
Single-Sign On (SSO). Onboard can provide SSO as an add-on for its clients. Onboard has provided this feature for enterprises with a dedicated data team and large real estate footprint.

Software and deployment heartbeats, user logins, user requests, data uploads and other events are all tracked in auditable logs within the software. These logs are permanently stored for review if necessary.