Abound Security Policy
At Carrier, system and operational security is integral. To ensure the security posture of products and offerings manufactured at Carrier, research and development teams leverage the domain expertise of our own world class secure architecture domain experts to design for security and continuously analyze, identify, and improve our offerings. Carrier’s processes and standards ensure the appropriate methods and controls are proactively applied through all phases of the development and product support lifecycle. Rigorous testing and analysis capabilities are continuously implemented to ensure our products meet and exceed international standards of cybersecurity assurance, and Carrier’s own demanding requirement for customer mission success. The Carrier Way also ensures that customers and end users are responsibly supported for cybersecurity assurance throughout the life of our offerings.
Our team is composed of highly experienced and credentialed veterans: diverse and dynamic cybersecurity domain experts who have held prominent roles and responsibilities in designing, building, and operating highly secure complex systems at companies ranging from startups to large public companies.
Carrier endeavors to adhere to the following security principles in every product, offering or service development, deployment, support and/or maintenance activity:
Application and implementation of the appropriate proactive and reactive security controls is a necessity throughout all phases of the Secure Product Development and Support Lifecycle, in accordance with industry standards and best practices for cybersecurity, and in a manner that ensures Carrier and customer mission success.
Processes and support services shall align with and, where possible, exceed appropriate industry best practices, codes, and standards, going beyond fundamental security maturity norms in a manner that ensures Carrier and customer mission success.
Security requires teamwork, situational awareness, domain expertise, context, collaboration, transparency and continual analysis, improvement, and vigilance.
Comprehensive identification and proactive management of all cybersecurity risk in a repeatable and consistent manner is foundational to support the Carrier standard for security maturity.
World class capabilities, practices and activities shall be maintained in the cybersecurity domain areas of secure deployment, threat intelligence, monitoring, and cybersecurity incident response, to consistently provide responsible and effective cybersecurity channel support and transparency.
Technical Security Standards
Certificate based authentication
Abound devices are required to support standards-compliant and commercial-grade authentication leveraging device-issued certificates. Certificates that are resistant to brute-force attack shall be implemented. Certificate management capabilities shall support certificate rotation and replacement.
Client login shall support commercial-grade single sign-on (SSO) that meets industry compliance standards. SSO shall provide the scalability and flexibility to adapt to the support requirements of unique customer use cases. Identification of malicious login attempts is required to provide critical and actionable threat intelligence. Commercial-grade password complexity rules shall be compliant with top industry security compliance standards and guidelines, such as NIST SP 800-63 Digital Identity Guidelines.
Identity Access Management (IAM) shall be enabled to manage access to services and resources. Roles and groups shall be defined such that permissions deny access to Abound resources by default and are granted based upon relationships. Identity and Access Control will enable the definition and management of user identity, access policies and entitlements. Identity access management shall enforce security governance through the constructs of user authentication and authorization, and assists in the enforcement of least privilege.
Abound devices shall comply with top industry encryption compliance standards and guidelines, such as NIST Special Publication (SP) 800-52 Revision 2. Device communication to the cloud shall leverage TLS v1.2 or better. All communication in transit shall be encrypted by leveraging TLS version 1.2 or better. For MQTT, TLS encryption shall be leveraged to secure the connection between the device and the broker. TLS client authentication shall be leveraged to identify devices. Data at rest shall reside within secured buckets, and the information shall be access-restricted and kept confidential. Abound shall leverage database and storage technologies that support server-side and client-side encryption, with access control features that are leveraged to block unauthorized users from accessing data.
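As an added illustration (not Carrier's or Abound's own code), the device-to-broker TLS requirements above expressed as Python `ssl` contexts: a device-side context, a broker-side context that makes the device certificate mandatory, a deliberately weak broker configuration beside them, and a check that reports where a context falls short. Certificate file paths are placeholders the caller supplies; the functions run without them.

```python
import ssl


def build_device_tls_context(ca_file=None, cert_file=None, key_file=None):
    """TLS context a device hands to its MQTT client library for the broker connection.
    File paths are optional here so the function runs without real certificates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # "TLS v1.2, or better"
    ctx.verify_mode = ssl.CERT_REQUIRED            # device must verify the broker
    ctx.check_hostname = True                      # and that it is the expected broker
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA that issued the broker certificate
    if cert_file:
        # the device-issued certificate is what identifies the device to the broker
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def build_broker_tls_context(ca_file=None, cert_file=None, key_file=None):
    """Broker-side context: mutual TLS, a client certificate is mandatory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED            # reject devices presenting no certificate
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA that issues device certificates
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def weak_broker_tls_context():
    """Constructed counter-example: accepts anonymous clients and legacy TLS versions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy_violations(ctx):
    """Return the ways a context falls short of the stated requirements (empty if compliant)."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        problems.append("broker hostname not checked")
    return problems
```

Run `policy_violations` over the context your MQTT library is actually given; the weak context above reports both the version and the missing client-certificate requirement.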
For more information about the technical specification and security requirements of Abound, please contact firstname.lastname@example.org.
Updated by Carrier, April 2021.
Copyright © Carrier Corporation 2021. All rights reserved.