Protecting your data, from code to cloud and endpoints

Protecting people, places, things, and data is at the core of everything Cradlepoint builds — from wireless edge endpoints to the NetCloud platform that drives them. Just as our customers use actionable security information through the NetCloud platform to make informed security decisions regarding their network, Cradlepoint has foundational processes and strategies in place to ensure everything we do is secure.

Our developers are trained in secure coding practices and apply them throughout the software development lifecycle, so security is built in rather than bolted on. During development they run analysis tools that evaluate code against a continually updated library of attack patterns and flag risky code for further review and revision.

From incident response to acceptable use, Cradlepoint’s documented IT policies, baselines, and procedures meet or exceed industry standards, while our security team often collaborates with customers’ security teams to ensure our solutions meet their security requirements.

NetCloud Manager Security

Cradlepoint’s model pairs purpose-built networking endpoints with a cloud service that manages them. Moving an organization’s distributed network configuration to the cloud can deliver a significant return in reduced IT staff hours, configuration errors, and downtime, but it also raises a legitimate question: how secure is the “cloud” that now holds that configuration?

NetCloud Manager is a control-plane service: customer traffic that passes through our devices is never sent to the cloud, so customer data stays under the customer’s full control and ownership. What NetCloud Manager does hold is the configuration and orchestration of distributed networks, which is why the controls that secure it are of paramount importance to both Cradlepoint and our customers.

Securing the Back End

Cradlepoint’s cloud services are hosted within Amazon Web Services, which provides world-class physical security, redundancy, and recovery capabilities, incorporating features such as externally audited data centers, continuous monitoring, multiple availability zones, and offsite backups.

Cloud hosting is a shared-responsibility model. Cradlepoint inherits infrastructure security controls from AWS but remains responsible for the security of the solution itself. NetCloud Manager is engineered for high availability, clustered and distributed across geographic zones with the ability to auto-scale, and the confidentiality of customer network configuration data is maintained by encrypting it at rest and in transit.

NetCloud Manager Account Security

The infrastructure security inherited from Amazon Web Services keeps NetCloud physically secure and highly available, but for cloud services a customer’s account is a far more common avenue of attack. Under the shared-responsibility model Cradlepoint is responsible for the security of NetCloud as a whole, and customers are responsible for the security of their own NetCloud Manager (NCM) access. NCM provides the following optional, but strongly recommended, customer-configurable security controls:

  • Force Multi-Factor Authentication (MFA): Enabling Force MFA requires every user in the NCM account to enrol an MFA application, such as Okta, Google Authenticator or any other Time-based One-Time Password (TOTP) app, and to present a code from it at login. An attacker who has obtained a valid user’s password alone therefore still cannot log in. A TOTP code can still be captured by a real-time phishing relay, so MFA complements, rather than replaces, phishing awareness and the other controls in this list.
  • Federated ID/Single Sign-On: Federated ID is for customers that want to authenticate their NetCloud Manager users against their organization’s directory service, such as Active Directory. Directory users get a transparent login experience for NCM, user administration overhead is reduced, and administrators can apply their organization’s own authentication and account policies to NCM access.
  • Enhanced Security Login: Customers that don’t implement Federated ID can still enable basic account-hardening features by turning on Enhanced Login Security, which additionally enforces user lockouts, automatic disabling of inactive users, password expiration and password history.
  • Granular User Permissions: Administrators can apply the principle of least privilege by restricting users by role and subaccount, so that each user can reach only the devices and groups they have been explicitly granted.
  • Alerts: NCM provides several alert types that can be applied to groups and subaccounts, giving actionable security notifications about a customer’s distributed network: unauthorized configuration changes, failed login attempts on devices, WAN interface disconnections, and many more.

For more information regarding configurable security settings, review our Security Best Practices Knowledgebase Article.

Secure Transport of Device Configuration

With a pedigree in cellular connectivity and Software-Defined WAN (SD-WAN), Cradlepoint understands the challenges of centrally controlling distributed networks. We therefore developed a secure stream protocol that is far more efficient and scalable than SNMP and lets our devices communicate with NetCloud Manager securely across multiple layers of Network Address Translation (NAT).

This management stream is client initiated: the device opens the connection, so it needs neither a publicly routable address nor an externally facing open port to reach NetCloud. Each device authenticates with a certificate, which gives the session an authenticated device identity (authentication, authorization and accountability), and the stream is encrypted with current Transport Layer Security (TLS).

Once the client-initiated session is established, both NetCloud Manager and the device send periodic keepalive packets, which keep the NAT mappings along the path open and allow bi-directional, real-time communication. If the session is dropped, the Cradlepoint endpoint keeps attempting to re-establish the connection over any available WAN interface, minimizing downtime.
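The exchange the preceding paragraphs describe, as an added example rather than Cradlepoint's own code: a device-side client that opens the connection outbound, verifies the management service by name, presents its own certificate and sends a keepalive, and a management-side listener that admits only devices whose certificates chain to a trusted CA. Everything concrete here is assumed for illustration: the hostname netcloud.example, the device name device-0001, a single throw-away root CA that issues both certificates, and the plain "keepalive"/"ack" messages. The page does not say how NetCloud enrols device certificates or what its stream protocol looks like on the wire, so neither is modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert returns a short-lived P-256 certificate for cn (also its DNS SAN):
// a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	} else {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// startServer plays the management back end (assumed shape, not NetCloud's): it presents
// srvCert, refuses any device whose certificate does not chain to deviceCA, and answers
// one keepalive with an ack naming the device it authenticated.
func startServer(srvCert tls.Certificate, deviceCA *x509.CertPool) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{srvCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual TLS: the device must prove who it is
		ClientCAs:    deviceCA,
		MinVersion:   tls.VersionTLS12,
	}))
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			c := conn.(*tls.Conn)
			if c.Handshake() == nil { // fails, leaving no session, without an acceptable device certificate
				id := c.ConnectionState().PeerCertificates[0].Subject.CommonName // verified identity
				buf := make([]byte, 32)
				n, _ := c.Read(buf)
				fmt.Fprintf(c, "ack %s from %s", buf[:n], id)
			}
			c.Close()
		}
	}()
	return ln
}

// dialDevice is the device side: it connects outbound (so no inbound port is needed),
// verifies the service by name against mgmtCA, presents certs (which may be empty),
// and returns the reply to a single keepalive.
func dialDevice(addr string, certs []tls.Certificate, mgmtCA *x509.CertPool) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		Certificates: certs,
		RootCAs:      mgmtCA,
		ServerName:   "netcloud.example", // assumed management hostname
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.Write([]byte("keepalive")) // a write failure surfaces on the read below
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}

// Demo enrols one device, runs a keepalive exchange, then repeats the dial with no
// device certificate. One root signs both service and devices only to keep the
// example short; keep those CAs separate in a real deployment.
func Demo() (reply string, rejected error) {
	ca, caKey := issueCert("example-root", nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv, srvKey := issueCert("netcloud.example", ca, caKey)
	dev, devKey := issueCert("device-0001", ca, caKey)
	ln := startServer(tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}, pool)
	defer ln.Close()
	enrolled := []tls.Certificate{{Certificate: [][]byte{dev.Raw}, PrivateKey: devKey}}
	reply = must(dialDevice(ln.Addr().String(), enrolled, pool))
	_, rejected = dialDevice(ln.Addr().String(), nil, pool)
	return reply, rejected
}

func main() {
	reply, rejected := Demo()
	fmt.Printf("enrolled device received: %q\n", reply)
	fmt.Println("client with no device certificate:", rejected)
}
```

Run it with `go run` (it only listens on 127.0.0.1). The second dial is the point of the certificate requirement: a client that knows the server's address and trusts its CA, but holds no device certificate, gets a handshake error instead of a session, and the server never has to expose anything inbound to the device. Reconnect-on-drop (retrying over each WAN interface with backoff) is left out; it wraps dialDevice in a loop and does not change the TLS setup.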

Hardware Security Measures

NetCloud OS (NCOS) is the operating system on Cradlepoint endpoints, and it is what allows them to be orchestrated centrally through NetCloud Manager. The security of our devices matters as much as the security of our cloud services, and NCOS provides the features customers use to build a secure network configuration. Before a customer configures anything, however, several security measures are already built into the hardware and its default firmware:

  • Penetration Testing: Cradlepoint hardware and NCOS are tested regularly so that vulnerabilities are identified and remediated quickly.
  • Secure Storage of NCOS User Passwords: NCOS user passwords are stored salted and hashed with a strong one-way hash, so the original password cannot be recovered from the stored value.
  • Secure by Design default configuration:
    • Unique default passwords for every device
    • Stateful zone-based firewall with default deny for all unsolicited inbound traffic
    • Remote administration, GPS, and UPnP disabled by default
    • Ban-IP enabled by default, which temporarily blocks an IP address after five failed NCOS login attempts from it
  • Signed NCOS Upgrades: Every NCOS image is signed by Cradlepoint, and the device verifies that signature before installation, which prevents unauthorized, modified, or malicious NCOS images or other software from being installed.
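What "salted and hashed" buys in practice, as an added example that is not NCOS code: a bare SHA-256 of the password beside a salted, iterated PBKDF2-HMAC-SHA256 record with constant-time verification. The record format, the 16-byte salt, the iteration count and the sample password are all choices made for this example; the page says nothing about which algorithm or parameters NCOS uses.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// NaiveHash is the weak scheme: a bare SHA-256 of the password. Two users with
// the same password get the same stored value, and one precomputed table of
// common passwords cracks every account that uses one of them.
func NaiveHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) over HMAC-SHA256. It is written out
// here so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil) // U_1 = PRF(password, salt || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U_i = PRF(password, U_{i-1}); T = U_1 xor ... xor U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Iterations is the PBKDF2-HMAC-SHA256 work factor chosen for this example
// (600,000 is the figure OWASP currently recommends for this construction).
const Iterations = 600_000

// HashPassword draws a fresh 16-byte salt and returns a self-describing record,
// "pbkdf2-sha256$<iterations>$<salt>$<hash>" (a format assumed for the example),
// so the parameters can be raised later without invalidating stored records.
func HashPassword(password string) string {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	dk := pbkdf2SHA256([]byte(password), salt, Iterations, 32)
	enc := base64.RawStdEncoding.EncodeToString
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", Iterations, enc(salt), enc(dk))
}

// VerifyPassword recomputes the hash with the salt and work factor stored in the
// record and compares in constant time. The plaintext is never recoverable from
// the record; the only way to test a guess is to redo the work.
func VerifyPassword(record, password string) bool {
	p := strings.Split(record, "$")
	if len(p) != 4 || p[0] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(p[1])
	salt, errSalt := base64.RawStdEncoding.DecodeString(p[2])
	want, errHash := base64.RawStdEncoding.DecodeString(p[3])
	if err != nil || errSalt != nil || errHash != nil || iter < 1 || len(want) == 0 {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	// Constructed sample: two accounts that happen to share a password.
	fmt.Println("naive, alice: ", NaiveHash("Winter2024!"))
	fmt.Println("naive, bob:   ", NaiveHash("Winter2024!")) // identical: the shared password shows
	a, b := HashPassword("Winter2024!"), HashPassword("Winter2024!")
	fmt.Println("salted, alice:", a)
	fmt.Println("salted, bob:  ", b) // different salts, different records
	fmt.Println("verify correct:", VerifyPassword(a, "Winter2024!"), "wrong:", VerifyPassword(a, "winter2024!"))
}
```

The two NaiveHash lines print the same digest, which is exactly the leak a salt removes; the two HashPassword records differ even though the password is the same, and each still verifies. The iteration count is what makes an offline guess expensive, which is why it is stored in the record rather than hard-wired into the verifier.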


Addressing Security Vulnerabilities

Cradlepoint recognizes the importance of security and privacy and takes reported security issues seriously. We are committed to responding to, and resolving, any reported security vulnerability in a timely manner, whether it comes from an employee, customer, partner, or other outside party.

Cradlepoint follows a responsible disclosure process and asks anyone who reports a vulnerability to follow it too, to minimize the risk to all customers and users of our technology. In practice this means we privately notify impacted customers and partners first and publish details only afterwards, so that customers are not exposed to exploitation of a vulnerability before they can address it.

Cradlepoint vulnerability alerts can be reviewed on our Vulnerability Alerts page.

Submit a Security Issue
