Alcatraz AI Autonomous Access Control Information Security Guide



Table of Contents

Purpose of this document
Alcatraz Overview
Alcatraz Company Privacy Policy
System Architecture
Cloud-Hosted Network Requirements
On-Premise Appliance Network Requirements
Cloud Alliance CAIQ Questionnaire
3rd Party Pen Test Security Assessment
Alcatraz Certifications


Purpose of this document:

The purpose of this document is to provide the information required for a successful Information Security Review. The system architecture of the Alcatraz AI solutions, Cloud-Hosted and On-Premise, is described along with the network requirements. A comprehensive section of questions and answers is compiled to provide the necessary information to facilitate the Information Security Review process.

Alcatraz Overview:

We enable our customers to make their buildings safer and more secure while bringing a frictionless experience to the user. The Alcatraz solution is scalable, fast, easy to integrate and works with existing access control systems. Our technology leverages artificial intelligence to make powerful real-time decisions at the edge. Whether cloud-hosted or on-premise, the Rock provides capabilities to enroll effortlessly and is easily configurable in a number of modes to meet the security needs of your organization. Our mission is to accelerate adoption of facial identity while staying focused on simplicity, security and privacy.

Alcatraz Company Privacy Policy:

Alcatraz values the privacy of our users and of individuals in the environments in which our products operate. The Alcatraz platform is not designed for covert surveillance. The system provides configurable image and data retention settings to allow customers to comply with corporate governance and local legislation. The collection of enrollment data for the Alcatraz platform requires the user to interact with the Alcatraz hardware installed in the field. The system uses this data to create a profile that is fused with a user's badge data for identity authentication. The Alcatraz profile does not include information such as name, birthdate, email address, etc. Profiles can be deleted at any time. All logs, configurations and profiles are encrypted using industry best practices, including AES-128 encryption.

The Alcatraz Administration Portal collects personally identifiable information from its registered users. This may include email address, name, physical address, and telephone number, only for users that have created accounts in the Alcatraz platform. Information about the computer hardware and software used to access the Alcatraz platform is automatically collected by Alcatraz. This information includes: IP address, browser type, domain names, access times, and referring website addresses. This information is used by Alcatraz for the operation of the service, to maintain quality of the service, and to provide general statistics regarding use of the Alcatraz Administration Portal.

■ The Rock does not store or collect personally identifiable information such as names, birthdates, etc.
■ For all deployments, data is secured from end to end.
■ Enrollment with the Rock creates biometric profiles that are anonymous.
■ The Rock is not designed for surveillance and does not collect data for non-enrolled users.
■ Data is encrypted using AES-128 encryption.
■ Deletion of profiles can be performed at any time.

System Architecture

[Diagram: Rock Setup. The Alcatraz Rock is installed on the door opening side, 5 ft (1.5 m) from the floor, with the badge reader mounted at standard height. Components shown: Alcatraz Rock, Badge Reader, Access Control Panel and Network Switch. Connections shown: PoE+ Ethernet and Wiegand / OSDP.]

Deployment Options Available (System Architecture Options):

■ Cloud Hosted
■ On-Prem Appliance
■ On-Prem Customer Infrastructure

Cloud Hosted

[Diagram: Cloud Hosted architecture. Alcatraz Rock devices are installed at the customer site on the corporate network (PoE+) and connect to the Alcatraz platform hosted in AWS. The Admin Portal runs in a web browser on a Dealer Managed PC (Dealer) and on a Customer Managed PC (Customer).]

Platform Architecture: Kubernetes (micro-services in containers)
Device OS: Custom Linux Derivative
Encryption: AES-128
Security Protocol: TLS 1.2
Rock Power: PoE+ (802.3at Type 2) 30W


Cloud-Hosted Network Requirements

The Alcatraz Cloud-Hosted system includes one or more Rocks and a customer provided computer for accessing the Alcatraz Admin Portal.

■ If you have Captive Portal Login, it must be disabled.

■ These ports are required to be open outbound:
    • TCP 80 - Redirect to TCP 443
    • TCP 443 - UI and Events
    • TCP 3310 - Profile Sync
    • TCP 3334 - Device On-Boarding
    • TCP 8443 - Firmware Updates
    • TCP 9000 - Firmware Updates
    • UDP 53 - DNS
    • UDP 123 - NTP
    • UDP 1194 - Troubleshooting

■ These URLs are required to be whitelisted:
    • https://platform.alcatraz.ai:443
    • https://logs.alcatraz.ai:443
    • https://storage.alcatraz.ai:443
    • https://sync.alcatraz.ai:3310
    • https://mender.alcatraz.ai:8443
    • https://mender.alcatraz.ai:9000
    • https://onboarding.alcatraz.ai

■ From VMS To Rock (ONVIF Only):
    • TCP 80 - ONVIF Agent
    • TCP 554 - RTSP Streaming
    • UDP 554 - RTSP Streaming
    • UDP 3702 - ONVIF Discovery
    • Other Multicast Ports as defined by the VMS

On-Premise Appliance

[Diagram: On-Premise Appliance architecture. Alcatraz Rock devices are installed at the customer site on the corporate network (PoE+) and connect to the customer managed Alcatraz Appliance. The Customer Admin Portal runs in a web browser on a Customer Managed PC.]

Appliance OS: Windows Server 2019 Essentials
VM OS: CentOS 7
Platform Architecture: Kubernetes (micro-services in containers)
Device OS: Custom Linux Derivative
Encryption: AES-128
Security Protocol: TLS 1.2
Rock Power: PoE+ (802.3at Type 2) 30W


On-Premise Appliance Network Requirements

The Alcatraz system includes one on-prem appliance, one or more Rocks, and a customer provided computer for accessing the appliance Alcatraz Admin Portal.

On-Prem Appliance

The appliance is a standard 1U short-depth, rack-mount server with three ethernet ports.

■ ENO2 - Connects to the Device LAN for communicating with the Rock(s) and a computer for accessing the Alcatraz Admin Portal.

■ IPMI (OPTIONAL) - Can be connected to any network and used for maintenance access to the server. Typically not needed for a pilot.

■ ENO1 - Not used.

Rock(s)

The Rock(s) connect to the Device LAN via a PoE+ switch port or PoE+ injector.

Appliance Admin Portal

The Alcatraz Admin Portal resides on the appliance and provides system management and reporting functions via a web interface. In order to access the Admin Portal, the customer must have a computer that is able to resolve https://login.alcatraz.int and https://platform.alcatraz.int to the IP address assigned to port ENO2 on the appliance.

Basic Network Diagram: IPv4 Static Network

[Diagram: the Alcatraz On-Prem Appliance has three ports: IPMI (Optional Maintenance Access), ENO2 (to the Device LAN, which carries the PoE+ connected Rock(s)) and ENO1. For each LOCATION the diagram records IP ADDRESS, SUBNET MASK and DNS SERVER**, each assigned by DHCP* or STATIC.]

* DHCP provided by customer (if needed).

** Admin PC needs DNS to appliance:
    • login.alcatraz.int
    • platform.alcatraz.int


Networking / Port Requirements

If ALL components are not on the same subnet, the following ports must be open to the on-prem appliance:

■ These ports are required to be open outbound:
    • TCP 80 - Redirect to TCP 443
    • TCP 443 - UI and Events
    • TCP 3310 - Profile Sync
    • TCP 3334 - Device On-Boarding
    • TCP 8443 - Firmware Updates
    • TCP 8800 - Update UI
    • TCP 9000 - Firmware Updates
    • UDP 53 - DNS
    • UDP 123 - NTP
    • UDP 1194 - Troubleshooting

■ These URLs are required to be whitelisted:
    • https://platform.alcatraz.ai:443
    • https://logs.alcatraz.ai:443
    • https://storage.alcatraz.ai:443
    • https://sync.alcatraz.ai:3310
    • https://mender.alcatraz.ai:8443
    • https://mender.alcatraz.ai:9000
    • https://onboarding.alcatraz.ai

■ From VMS To Rock (ONVIF Only):
    • TCP 80 - ONVIF Agent
    • TCP 554 - RTSP Streaming
    • UDP 554 - RTSP Streaming
    • UDP 3702 - ONVIF Discovery
    • Other Multicast Ports as defined by the VMS
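As an added defender-side example (not Alcatraz's own tooling), the script below encodes the outbound ports, host allowlist and VMS-to-Rock ONVIF ports from the Cloud-Hosted and On-Premise lists above and flags flows that fall outside them, so a reviewer can confirm that Rock traffic on the Device LAN matches the documented requirements. The flow records and device labels (rock-1, vms-1) are constructed sample data, and the on-prem-only TCP 8800 entry is applied via the onprem flag.

```python
# Added example (not Alcatraz's own tooling): audit observed Rock and VMS flows
# against the guide's ports/hosts. Flow records are constructed sample data.
from collections import namedtuple

OUTBOUND_REQUIRED = {            # (proto, dport) -> purpose, from the guide
    ("tcp", 80): "Redirect to TCP 443", ("tcp", 443): "UI and Events",
    ("tcp", 3310): "Profile Sync", ("tcp", 3334): "Device On-Boarding",
    ("tcp", 8443): "Firmware Updates", ("tcp", 9000): "Firmware Updates",
    ("udp", 53): "DNS", ("udp", 123): "NTP", ("udp", 1194): "Troubleshooting",
}
ONPREM_EXTRA = {("tcp", 8800): "Update UI"}     # only in the on-prem list
ALLOWED_HOSTS = {                                # URLs to be whitelisted
    "platform.alcatraz.ai", "logs.alcatraz.ai", "storage.alcatraz.ai",
    "sync.alcatraz.ai", "mender.alcatraz.ai", "onboarding.alcatraz.ai",
}
INBOUND_FROM_VMS = {("tcp", 80), ("tcp", 554), ("udp", 554), ("udp", 3702)}

Flow = namedtuple("Flow", "src dst proto dport")

def parse_flows(text):
    """Parse constructed 'src dst proto dport' records, one per line."""
    rows = (line.split() for line in text.strip().splitlines())
    return [Flow(s, d, p.lower(), int(dp)) for s, d, p, dp in rows]

def audit(flows, rock_ids, vms_id, onprem=False):
    """Return (flow, reason) pairs for traffic outside the documented policy."""
    outbound = {**OUTBOUND_REQUIRED, **(ONPREM_EXTRA if onprem else {})}
    findings = []
    for f in flows:
        if f.src in rock_ids:                                  # Rock egress
            if (f.proto, f.dport) not in outbound:
                findings.append((f, "undocumented outbound port"))
            elif f.proto == "tcp" and f.dst not in ALLOWED_HOSTS:  # UDP is DNS/NTP
                findings.append((f, "outbound to host not on allowlist"))
        elif f.dst in rock_ids and (                           # Rock ingress
                f.src != vms_id or (f.proto, f.dport) not in INBOUND_FROM_VMS):
            findings.append((f, "inbound to Rock not from VMS on ONVIF port"))
    return findings

SAMPLE_FLOWS = """\
rock-1 platform.alcatraz.ai tcp 443
rock-1 10.0.0.53 udp 53
rock-2 updates.example.net tcp 8443
rock-2 203.0.113.9 tcp 22
vms-1 rock-1 tcp 554
10.0.0.77 rock-2 tcp 80
"""

if __name__ == "__main__":
    print(*audit(parse_flows(SAMPLE_FLOWS), {"rock-1", "rock-2"}, "vms-1"), sep="\n")
```

On the sample data the audit reports three flows: a firmware-update port used toward a host outside the allowlist, an undocumented TCP 22 egress, and an inbound connection to a Rock from a non-VMS address.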

Custom Appliance Configuration

Appliance Provided DNS Server

The appliance will provide DNS services. The Rock(s) and the computer used to access the Alcatraz Admin Portal will need to be configured so that their DNS IP address is set to the appliance IP address assigned to ENO2.

Appliance Provided NTP Server

The appliance will provide NTP services on ENO2. In this scenario the Rock(s) will need to be configured so that their NTP IP address is set to ENO2.

The appliance can also access an NTP server provided by the customer.


Cloud Alliance CAIQ Questionnaire:

Provided upon request. The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance with the Cloud Controls Matrix (CCM). It is created and maintained by the Cloud Security Alliance (CSA), whose members include companies such as Accenture, Adobe, Atlassian, Dell, Dropbox, Google, HP, IBM, McAfee, Microsoft, Oracle, Raytheon, etc.

3rd Party Pen Test Security Assessment:

Carve Systems was engaged to assess the Alcatraz components for threats. Further information on the successfully completed audit can be requested.

Alcatraz Certifications:

Alcatraz incorporates the highest standards in designing our platform, which is why we seek certification from a variety of professional organizations. We have been certified to national and international testing standards.