Protecting people, places, things, and data is at the core of everything Cradlepoint builds — from wireless edge endpoints to the NetCloud platform that drives them. Just as our customers use actionable security information from the NetCloud platform to make informed security decisions about their network, Cradlepoint has foundational processes and strategies in place to ensure everything we do is secure.
Our developers are trained in and implement secure coding best practices, ensuring security is baked into our software development lifecycle. They utilize static and dynamic analysis during the development process, implementing a development framework to evaluate code in real time against a constantly updated library of attack vectors, flagging risky code for further review and revision.
From incident response to acceptable use, Cradlepoint’s documented IT policies, baselines, and procedures meet and often exceed industry standards. Under NDA, our security team collaborates with customers’ security teams on security questionnaires and penetration tests.
Cradlepoint’s unique model leverages purpose-built networking endpoints that are managed via a cloud service. While moving an organization’s distributed network configuration data to the cloud can provide a significant ROI in terms of reduction of IT man-hours, configuration errors, and downtime, this shift includes a valid concern of how secure the “cloud” can be.
NetCloud Manager is a control-plane solution: customer data that traverses our devices is never sent to the cloud, leaving that data under the full control and ownership of our customers. However, because NetCloud Manager orchestrates the control of distributed networks, the security controls used to secure NetCloud Manager are of paramount importance to both Cradlepoint and our customers.
Cradlepoint’s cloud services are stored and operated within Amazon Web Services US Regions, providing physical security, redundancy, and recovery capabilities of a world-class cloud service provider, such as SOC2 audited data centers, continuous monitoring, multiple availability zones, and offsite backups.
Leveraging cloud services is a shared responsibility model. While Cradlepoint inherits infrastructure security from AWS, we are responsible for the security of the NetCloud platform itself. Access to the backend systems that run NetCloud Manager is restricted to authorized DevOps engineers utilizing multi-factor authentication and originating within the Cradlepoint network.
NetCloud Manager is engineered for high availability, being clustered and distributed across different geographical zones with the ability to auto-scale, while confidentiality of customer network configuration data is maintained via encryption at rest using AES 256-bit encryption and encrypted in transit using Transport Layer Security version 1.2.
Additionally, NetCloud Manager achieves an annual PCI DSS Attestation of Compliance that can be shared with customers under NDA. Although NetCloud Manager does not store, process, or have access to cardholder or financial information, our customers are often subject to PCI audits, and implementing security controls in line with PCI DSS helps reduce risk and expedites the auditing process.
While the infrastructure security inherited through Amazon Web Services ensures NetCloud is physically secure and highly available, a customer’s account is a far more common avenue of attack when it comes to cloud services. Leveraging cloud services is a shared responsibility model. While Cradlepoint is responsible for the security of NetCloud as a whole, customers are responsible for the security of their NCM account. NCM provides optional, although highly recommended, user-configurable security options:
With a pedigree in cellular connectivity and Software-Defined WAN, Cradlepoint understands the challenges and limitations of centralized control of distributed networks. Therefore, we developed a secure stream protocol that is far more efficient and scalable than SNMP, allowing our devices to securely communicate with NetCloud Manager across several layers of Network Address Translation.
This management stream is client initiated, meaning our devices don’t require a publicly routable address or an external facing open port to establish connection to NetCloud. The connection is secure because it is certificate-based — providing authentication, authorization, and accountability of our devices — and is encrypted using Transport Layer Security version 1.2.
Once the secure client-initiated session is established, both NetCloud Manager and the device send periodic session keep-alive packets, allowing bi-directional real-time communication. If the session is dropped, the Cradlepoint endpoint will continue to attempt to re-establish the connection across any available WAN interface, minimizing downtime.
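The pattern the two paragraphs above describe, a client-initiated, certificate-authenticated TLS session on which the endpoint sends periodic keep-alives, sketched as an added Go example. This is not Cradlepoint's stream protocol or code and knows nothing about NetCloud's wire format; the "ping"/"pong" keep-alive messages, the single self-signed certificate, the loopback addresses, and the function names newSelfSignedCert, startController and dialEndpoint are all constructed for illustration. What it does show is the security-relevant shape: the controller only listens and never dials out, the device needs no inbound port, both sides verify a certificate, the minimum protocol version is TLS 1.2, and a session without a valid client certificate is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds one self-signed certificate (constructed for this example)
// that both sides trust and present; real deployments use CA-issued certificates.
func newSelfSignedCert() ([]tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // the controller is dialled by IP below
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}}, pool, nil
}

// startController plays the cloud-side controller: it never dials out, requires a
// valid client certificate and TLS 1.2 or newer, and answers each "ping" with "pong".
func startController(certs []tls.Certificate, pool *x509.CertPool) (net.Listener, error) {
	cfg := &tls.Config{
		Certificates: certs,
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				buf := make([]byte, 4) // keep-alives are fixed 4-byte messages in this example
				for {
					if _, err := io.ReadFull(c, buf); err != nil {
						return // the first read runs the handshake; a rejected client cert ends here
					}
					c.Write([]byte("pong"))
				}
			}(c)
		}
	}()
	return ln, nil
}

// dialEndpoint plays the device: it opens the session outbound (no listening port on
// the device), verifies the controller, presents certs (nil to present none) and sends
// `rounds` keep-alives, returning how many were answered before any failure.
func dialEndpoint(addr string, certs []tls.Certificate, pool *x509.CertPool, rounds int) (int, error) {
	cfg := &tls.Config{RootCAs: pool, Certificates: certs, MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", addr, cfg) // with TLS 1.2 a rejected client cert fails here
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	reply := make([]byte, 4)
	for got := 0; got < rounds; got++ {
		conn.SetDeadline(time.Now().Add(2 * time.Second))
		if _, err := conn.Write([]byte("ping")); err != nil {
			return got, err
		}
		// with TLS 1.3 a rejected client cert surfaces as an alert on this first read
		if _, err := io.ReadFull(conn, reply); err != nil || string(reply) != "pong" {
			return got, fmt.Errorf("keep-alive %d not answered: %v", got+1, err)
		}
	}
	return rounds, nil
}
```

Start the controller with startController, then call dialEndpoint with the device's certificates: three keep-alives get three answers, while the same call with nil certificates fails, either during the handshake (TLS 1.2) or on the first read (TLS 1.3), which is why a real agent must treat both as a dropped session. The re-dial loop across WAN interfaces that the text describes sits outside this sketch; it would simply call dialEndpoint again with a backoff until a session holds.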
Using the principle of secure by default, the moment a Cradlepoint device goes online, customers are already taking advantage of a secure configuration that blocks inbound traffic and uses unique default credentials on every device. NetCloud OS (NCOS) is the operating system that resides on Cradlepoint endpoints, allowing centralized orchestration through NetCloud Manager. The security of our devices is just as important as the security of our cloud services, but it’s NetCloud OS that provides the security features that enable our customers to develop a secure network configuration. However, before a customer even logs into NCOS, there are several security measures already baked into our hardware:
Cradlepoint recognizes the importance of security and privacy, and we take security issues very seriously. We report and address security issues in a timely and proactive manner in order to offer the greatest level of protection. Whether you’re a user of Cradlepoint solutions, a Cradlepoint employee, a software developer, or a security specialist, you’re an important part of this process, and Cradlepoint is committed to a transparent process in how we react to potential vulnerabilities.
Here is the Cradlepoint vulnerability process flow: