Security

Depending on the functionality of each gate, the TC3 IoT Data Agent supports several security mechanisms to secure data communication, for example message encryption and client/server authentication.

The following overview lists the security mechanisms available in each supported gate.

Gate: ADS
Security mechanisms: none
Description: ADS communication should be treated as not secure.

Gate: OPC UA
Security mechanisms: Client/Server authentication, Username/password authentication, Authorization, Data encryption
Description: Depending on the functionalities of the OPC UA server that the TC3 IoT Data Agent should connect to, the following security mechanisms may be used:

  • Client/Server authentication can be used via X.509 certificates (public/private key) and establishing a trust relationship between the communication participants.
  • Username/password authentication can be used by an OPC UA client to connect to an OPC UA server.
  • Authorization can be used on the server to define access levels on OPC UA nodes, i.e. to configure which user identity may access which nodes on the OPC UA server.
  • Data encryption can be used to encrypt OPC UA messages on the wire.

Gate: MQTT
Security mechanisms: Client/Server authentication, Username/password authentication, Authorization, Data encryption
Description: Depending on the functionalities of the MQTT message broker that the TC3 IoT Data Agent should connect to, the following security mechanisms may be used:

  • Client/Server authentication can be used via X.509 certificates (public/private key) and establishing a trust relationship between the communication participants (client and message broker).
  • Username/password authentication can be used by a client to connect to the message broker.
  • Authorization can be used on the message broker to define access levels on topics, i.e. to configure which user identity may access which topic on the message broker.
  • Data encryption can be used to encrypt messages on the wire.

The TC3 IoT Data Agent uses TLS version 1.2 for securing the communication channel.
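As an added illustration of the broker-side topic authorization described for MQTT above (example written for this page, not Beckhoff's or any broker's code): a minimal ACL evaluator with MQTT wildcard matching and default deny. The rules, user names and topic names are constructed for the example.

```python
# Constructed example of an MQTT topic ACL check (not a real broker's code).
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    user: str      # authenticated identity (username/password or client certificate)
    pattern: str   # MQTT topic filter; may contain '+' (one level) and '#' (rest)
    access: str    # "read" (subscribe), "write" (publish) or "readwrite"


def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT topic-filter matching per level, as a broker evaluates it."""
    if topic.startswith("$") and pattern[:1] in ("+", "#"):
        return False  # wildcard filters never match $SYS-style topics
    pl, tl = pattern.split("/"), topic.split("/")
    for i, p in enumerate(pl):
        if p == "#":
            return i == len(pl) - 1  # '#' is only valid as the last level
        if i >= len(tl):
            return False
        if p != "+" and p != tl[i]:
            return False
    return len(pl) == len(tl)


def is_allowed(rules, user: str, topic: str, action: str) -> bool:
    """Default deny: a publish/subscribe is allowed only if some rule grants it."""
    wanted = "write" if action == "publish" else "read"
    return any(
        r.user == user and wanted in r.access and topic_matches(r.pattern, topic)
        for r in rules
    )


# Constructed rule set: the data agent publishes its own line's data and may
# only read commands addressed to it; a dashboard identity may only read.
RULES = [
    AclRule("dataagent", "plant/line1/#", "write"),
    AclRule("dataagent", "plant/line1/commands/+", "read"),
    AclRule("dashboard", "plant/#", "read"),
]

if __name__ == "__main__":
    for user, topic, action in [
        ("dataagent", "plant/line1/cell3/temperature", "publish"),
        ("dataagent", "plant/line2/cell1/temperature", "publish"),
        ("dashboard", "plant/line1/cell3/temperature", "publish"),
    ]:
        print(user, action, topic, "->", "allow" if is_allowed(RULES, user, topic, action) else "deny")
```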

Gate: Microsoft Azure IoT Hub
Security mechanisms: Device authentication, Data encryption
Description: Every Azure IoT Hub client needs to be registered as a device on the IoT Hub instance. During device registration, a DeviceId and a SharedAccessKey are generated, which need to be used during connection establishment for authenticating the device to the IoT Hub instance. In addition, messages are encrypted on the wire.

Gate: AWS IoT
Security mechanisms: Device authentication, Authorization, Data encryption
Description: Every AWS IoT client needs to be registered as a "thing". A thing/device is configured with X.509 certificates that authenticate the device to AWS IoT and can also be linked with security policies to authorize the device to perform certain actions. In addition, messages are encrypted on the wire. TLS version 1.2 is used to secure the communication channel.