Security at SALTO KS

Building trust and confidence, data security, as well as security of the locking hardware is critical to everything we do at SALTO KS.


Secure unlocking

We use industry best practices to keep you and your users safe. The sections below explain how our hardware and software communicate:

Mobile Key, PIN, Tag ⟷ Locks

Mobile Key

SALTO KS uses PKI (Public Key Infrastructure) to transfer keys. A public key infrastructure covers everything needed to manage Mobile Keys and their encryption: policies, hardware, software and procedures. Mobile phones hold a private key and share the matching public key. Only the holder of the private key can decrypt a message that was encrypted with the public key; this is called ‘Asymmetric Encryption’. The messages are signed by the secured SALTO KS server.

PIN

This keyless entry provides a high level of security as well as convenience. The fixed PIN code is generated through the KS app and is unique for every single user. We generate the PIN using SHA-2 (Secure Hash Algorithm 2), a family of six hash functions with digests of different lengths. The function we use is SHA-256: it produces an almost-unique 256-bit (32-byte) hash, is one of the strongest hash functions available, and has never been compromised.
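The page does not describe how the hash is turned into a fixed per-user PIN, so the following is an added illustration, not SALTO KS code. It assumes a server-held secret, HMAC-SHA256 over the user id with rejection sampling to avoid modulo bias, and a lock that stores only a salted SHA-256 verifier rather than the PIN itself; all secrets and user ids are constructed sample values. The hash strength does not enlarge a 6-digit PIN space, so the verifying side still needs attempt rate-limiting.

```python
"""Derive a fixed per-user numeric PIN from SHA-256 and verify it without storing the PIN in clear."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PIN_LENGTH = 6
# Hypothetical server secret (constructed sample value, not a real credential).
_SERVER_SECRET = b"constructed-sample-server-secret"


def derive_pin(user_id: str, secret: bytes = _SERVER_SECRET, length: int = PIN_LENGTH) -> str:
    """Deterministic per-user PIN.

    Consumes 4-byte chunks of an HMAC-SHA256 stream and accepts a chunk only if
    it is below the largest multiple of 10**length that fits in 32 bits
    (rejection sampling), so every PIN value is equally likely.
    """
    space = 10 ** length
    limit = (2 ** 32 // space) * space
    counter = 0
    while True:
        block = hmac.new(secret, f"{user_id}|{counter}".encode(), hashlib.sha256).digest()
        for i in range(0, len(block), 4):
            n = int.from_bytes(block[i:i + 4], "big")
            if n < limit:
                return str(n % space).zfill(length)
        counter += 1  # extremely rare: every chunk was rejected, hash again


def make_verifier(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Lock-side record: (salt, SHA-256(salt || pin)). The clear PIN is never stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + pin.encode()).digest()


def check_pin(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the verifier and compare in constant time."""
    recomputed = hashlib.sha256(salt + candidate.encode()).digest()
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    pin = derive_pin("user-0001")  # constructed sample user id
    salt, digest = make_verifier(pin)
    print(pin, check_pin(pin, salt, digest), check_pin("000000", salt, digest))
```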

Tag

A Tag is a physical device (contactless key fob) that works based on RFID (Radio-frequency identification). Its built-in secure chip is powered and read through electromagnetic fields; an opening is triggered by presenting the Tag (hardware token) directly to the Lock. The Tag contains electronically stored information secured with MIFARE® DESFire EV2, which makes copying or hacking transponders implausible.

Locks ⟷ IQ

The IQ is the central hub, a.k.a. the ‘brain’ of your Site. It receives all changes and settings from the SALTO KS application and ensures that all Locks are updated within seconds. The maximum distance from the IQ to the electronic Lock is 10 meters. All remote commands that affect direct communication between the IQ and the hardware are secured with an OTP (One Time Password). These commands adhere to the same end-to-end encryption as the Mobile Key feature.

ZigBee Locks

ZigBee is mainly used for two-way communication between a sensor and a control system. It is a short-range protocol offering connectivity up to 100 meters, similar to Bluetooth and Wi-Fi. ZigBee's communication security layer is built on AES encryption.

BLE (Bluetooth Low Energy) enabled Locks

Bluetooth Low Energy is designed for lower power consumption and cost than regular Bluetooth. BLE offers several features for securing communication between devices. When the IQ initiates and establishes a connection with the Lock, a pairing process begins in which the two devices exchange the information needed to build an encrypted connection. Each BLE device is identified by a device address, similar to the MAC addresses used in other communication protocols. Since BLE enabled Locks use cryptographic keys to unlock, they are highly secure.

IQ ⟷ Cloud

The IQ connects the wireless Locks to the cloud with either:

  • Global cellular connection 3G/4G (via USB) - backwards compatible with 3G/2G

  • Wi-Fi

  • Ethernet cable

The default communication between the IQ and the KS Core API is secured and enforced with TLS 1.2 (Transport Layer Security: a cryptographic protocol designed to provide communications security over a wide variety of applications). The communication between the IQ and the KS Core API is authenticated with X.509 certificates (the standard that defines the format of public key certificates). All data travelling within this TLS tunnel is encrypted; in fact, no data travels outside this tunnel. Without a valid certificate, it is not possible to impersonate either the IQ or the KS Core API.

In other words, it becomes improbable to perform MITM (man-in-the-middle) attacks.

Cloud ⟷ Web, Mobile, Remote opening

The SALTO KS mobile app and web interface allow you to manage access to your locations. All the hardware is managed via an app or web interface. This can either be a custom integration of access control, where you use your own user interface, or a ready-built solution like SALTO KS. Single sign-on / OpenID for user login is an industry best practice: the password does not travel over the wire to the integrating application. The user is sent to a login page served by our server and logs in there, which is more secure.

Infrastructure & Operational quality

At SALTO KS, infrastructure is updated and maintained continuously. This results in a very high percentage of uptime. We secure our resilient and reliable infrastructure with high-end security practices consisting of multiple security layers.

Our standard for creating the best experience for our customers is high. This results in continuous improvement of infrastructure, support, documentation, security and underlying technologies.

We can make these bold statements, because of our:

  • Trustworthiness: With an uptime SLA of 99.97%, we continue to be not only a market leader but also the most trustworthy cloud-based access control provider.

  • Promise of limited downtime, even if we launch new services.

  • Developers portal: Our customers get to build with the backbone and support they deserve.

SALTO KS commits to its customers by prioritizing the reliability of its services: constantly updating its platform, maintaining consistent uptime and keeping the necessary security practices in check. This is why we expanded our cloud with state-of-the-art security delivered in Azure data centers globally.

https://azure.microsoft.com/en-us/overview/trusted-cloud/

Transparency & Privacy

We have policies and management functions in check to protect your data against unauthorized access. This is our responsibility, not yours.

A data breach might be the most painful way to lose customers. This is why SALTO KS has a solid privacy policy in place, so you can be assured that all your data is safe and secure.

For our customers that are operating globally we take scaling their business into account:

  • We offer the same amount of security in different regions and countries, even though there might be other IT governance rules

  • We possess a great amount of knowledge regarding the ever-changing regulations around the world and will act accordingly

SALTO KS’s cloud-based access control is trusted by industry leaders on a global scale because it offers a set of safeguards, including:

  • By achieving ISO 27001 certification, SALTO KS has reduced the risk of an information security breach.

  • Mitigating risk and ensuring our services meet regulatory and security compliance obligations.

  • An ecosystem that encourages secured sharing and transparency.

  • API-driven privacy guidelines: Our API docs include personal information processing required to build communication applications with a smarter, more privacy-aware approach.

Building trust, transparency and confidence, data security, as well as security of the hardware is critical to everything we do.

Compliance certifications

SALTO KS is able to help you reach your regulatory and policy goals by taking actions to achieve security, privacy and compliance. These actions are continuously monitored by independent organisations. We understand the importance of ensuring the privacy of all personally identifiable information, which is why we are ISO 27001 and GDPR certified.

ISO 27001 is a specification for an information security management system (ISMS), which is a framework for an organisation's information risk management processes. This certificate confirms that the business has a permanent focus on information security, meaning all sensitive information is stored safely.

The GDPR compliance is an ongoing effort and we are committed to continuing investing significant resources in maintaining compliance for the long-term.

Salto KS Security Features

Here’s a look at some of our most significant and highly requested security features.

  • Password policy controls

  • SSL (Secure Sockets Layer)

  • Data encryption in transit and at rest

  • User provisioning (SCIM)

  • Granular app management

  • Support for Data Loss Prevention

  • SAML-based SSO

  • SCIM provisioning

  • More coming soon

Availability & Continuity

SALTO KS is hosted by Microsoft Azure: A trusted cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centres. Azure provides high availability and network performance. Azure’s infrastructure is designed from facility to applications for hosting millions of customers simultaneously, and it provides a trustworthy foundation upon which businesses like SALTO KS can meet their security requirements. We assure high availability in terms of resources and continuity that are met in any case due to our well thought through strategy for maintaining our continuity targets.

Redundancy

How does SALTO KS ensure our app will always work, no matter what happens to the cloud’s infrastructure? Most cloud providers automatically protect your data by running independent and geographically distinct data centers, so that your infrastructure keeps running even if one of their data centers fails. SALTO KS maintains a redundant system across multiple availability zones, with daily backups and disaster recovery, in order to increase reliability and prevent our infrastructure from stopping. In other words: if the connection goes down, our operations don't stop.

Pen-testing & reliability

SALTO KS uses external specialist security consulting firms to perform penetration tests on our products and infrastructure. To test for security weaknesses in (new) infrastructure, architecture and/or products, we carry out regular audits and pen-testing with an expert and neutral third party: FOX IT, the leading security company in the Netherlands.

“We do not believe in security by obscurity but in security by architecture”

We value your judgment. Any questions, vulnerabilities or additions regarding security at SALTO KS are very much appreciated at [email protected]