Kamea security brief

Current security features

The following security features are already included in the current version of Kamea.

Authentication & access management

  • Users and devices are always authenticated when interacting with Kamea. User authentication uses the OAuth 2.0 protocol, so user authentication and identity management are delegated to an external identity provider (such as Azure B2C, for instance).
  • The authorization relies on tenants that are a built-in feature of Kamea.
  • The tenant system allows for isolation of data, resources and devices between users of different organizations while being hosted in the same Kamea instance. The customer can configure precisely which level of visibility and interaction users from a tenant have over other tenants.
  • Using multiple tenants in the same instance rather than multiple instances simplifies the maintenance (including cybersecurity patching).
  • Access rights management is based on a Role-Based Access Control (RBAC) that can be set up at different granularity levels.
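The tenant and RBAC model described above can be illustrated with a small authorization check. The code below is an added example and is not Kamea's implementation: the role names, the permission set, the data classes and the cross-tenant grant format are all assumptions made for the illustration. It shows the two properties the list claims, isolation between tenants by default and a configurable level of visibility granted by the owning tenant, and records every decision in an audit trail.

```python
"""Tenant-scoped RBAC check, written as an illustration of the model described
above.  This is added example code, not Kamea's implementation: the role names,
permission set, data classes and cross-tenant grant format are all assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    READ = "read"        # view a resource or device
    COMMAND = "command"  # send a command to a device
    MANAGE = "manage"    # change configuration or access settings


# Role -> permissions granted within the user's own tenant (constructed).
ROLE_PERMISSIONS = {
    "viewer": {Permission.READ},
    "operator": {Permission.READ, Permission.COMMAND},
    "admin": {Permission.READ, Permission.COMMAND, Permission.MANAGE},
}


@dataclass
class Tenant:
    name: str
    # Cross-tenant visibility: other tenant name -> permissions its users may
    # exercise on this tenant's resources.  No entry means no visibility.
    grants: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    tenant: str
    role: str


@dataclass
class Resource:
    ident: str
    tenant: str  # owning tenant


# In-memory audit trail of every authorization decision (constructed stand-in
# for a real log sink).
AUDIT_LOG = []


def effective_permissions(user, resource, tenants):
    """Permissions `user` holds on `resource`, given the tenant registry.

    Same tenant: the role decides.  Different tenant: the owning tenant must
    have granted the user's tenant visibility, and the result is the
    intersection of that grant with the user's role, so a cross-tenant grant
    can never exceed what the user may do at home.  Unknown roles or tenants
    yield the empty set (default deny)."""
    role_perms = ROLE_PERMISSIONS.get(user.role, set())
    if user.tenant == resource.tenant:
        return set(role_perms)
    owner = tenants.get(resource.tenant)
    if owner is None:
        return set()
    return role_perms & owner.grants.get(user.tenant, set())


def authorize(user, perm, resource, tenants):
    """Return True if the action is allowed; every decision is audited."""
    allowed = perm in effective_permissions(user, resource, tenants)
    AUDIT_LOG.append({
        "user": user.name,
        "user_tenant": user.tenant,
        "action": perm.value,
        "resource": resource.ident,
        "resource_tenant": resource.tenant,
        "allowed": allowed,
    })
    return allowed


def demo():
    """Two constructed tenants: acme lets partner read, but not control, its devices."""
    tenants = {
        "acme": Tenant("acme", grants={"partner": {Permission.READ}}),
        "partner": Tenant("partner"),
    }
    alice = User("alice", "acme", "admin")
    carol = User("carol", "acme", "viewer")
    bob = User("bob", "partner", "operator")
    acme_dev = Resource("acme-dev-1", "acme")
    partner_dev = Resource("partner-dev-1", "partner")
    return {
        "admin_manages_own": authorize(alice, Permission.MANAGE, acme_dev, tenants),
        "viewer_commands_own": authorize(carol, Permission.COMMAND, acme_dev, tenants),
        "partner_reads_acme": authorize(bob, Permission.READ, acme_dev, tenants),
        "partner_commands_acme": authorize(bob, Permission.COMMAND, acme_dev, tenants),
        "acme_reads_partner": authorize(alice, Permission.READ, partner_dev, tenants),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The design point is that the cross-tenant grant is intersected with the user's own role rather than replacing it, and that anything not explicitly modelled (unknown role, unknown tenant, missing grant) resolves to denial.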

Secure software development process

  • Witekio is certified according to the ISO 27001 standard. This certification covers Witekio's software development process, which includes best practices such as peer review and segregated development and production environments.
  • Software developments that can have a significant security impact are systematically reviewed by experts of the Witekio cybersecurity team, which is an independent team within Witekio. The development team can also consult the Witekio cybersecurity team when needed.
  • All third-party source code integrated into Kamea is thoroughly selected and reviewed, ensuring proper security of the Kamea solution with regard to open source vulnerabilities and supply-chain attacks.

Transparency of security analysis

  • Kamea's design and attack surface are monitored by the developers and the Witekio cybersecurity team.
  • All control and data flows between internal and external components are identified and documented, together with their security properties (authentication, encryption, protocols, ...).
  • A compliance assessment to relevant items of the OWASP ASVS has been performed.
  • The output of this analysis is shared with our customers, so it can be used to bootstrap the security analysis of the system built on top of Kamea.

Code quality

  • Kamea code is continuously audited using internal static analysis tools and continuously tested with more than 80% code coverage.

Upcoming security features

The following security features are planned for upcoming releases of Kamea.

Software bill of materials

  • A complete Software Bill of Materials (SBOM) will be provided with Kamea, containing the names, versions, licences and known vulnerabilities of the software and dependencies used in Kamea.

Vulnerability monitoring and patching

  • Vulnerabilities will be continuously monitored and fixed by Witekio within a defined timeframe (depending on their criticality).

Cybersecurity documentation

  • Kamea will be provided with complete cybersecurity documentation, including guidance on how to securely configure Kamea, and how to perform sensitive actions on the system in a secure way.
  • A dedicated section of the cybersecurity documentation will provide some examples of potential misconfigurations that could be considered as vulnerabilities, with guidance on how to correct them.

Penetration testing of the solution

  • A reference Kamea implementation will be periodically pen-tested to ensure that it always maintains an adequate security level.

Security audit trail

  • Kamea will log all security-sensitive operations performed on resources or devices in a dedicated space.
  • Integration with an existing SIEM (security information and event management) system will be set up to centralize and audit these operations.

Scope of the security features

The following security features are out of Kamea's scope.

  • Kamea doesn't provide an Identity Provider (IdP) system, but relies on the capabilities of an external IdP for user management and authentication.

  • Kamea doesn't provide a built-in PKI management system. If a PKI is required (e.g., to manage product identities), it shall be delegated to another system (such as Azure IoT Hub DPS).