Technical description
-
The Moniott solution lets businesses track where their mobile assets, such as machines and manufactured goods, are at any given moment, both indoors and on the move. We designed an engaging solution and planned the technical architecture as a true real-time monitoring platform. By building on AWS and keeping everything in the cloud, we kept the IT overhead for customers to a minimum.
​
-
A key decision was to opt for a serverless approach, which gives the platform the widest possible scalability. Authentication is handled by Amazon Cognito. The large volume of incoming device data is absorbed by AWS IoT at the intake level, with Amazon Kinesis providing consistent streaming downstream.
-
Moniott's business logic and ETL run as .NET Core AWS Lambda functions. The data ends up in a blend of DynamoDB and RDS, keeping storage costs low while still offering real-time OLAP queries. For full OLAP we envisioned ELT processes built on AWS Glue and Amazon Athena. Alongside a REST API for integrating the platform with third-party solutions or mobile apps, we built a rich Angular web application.
-
On top of that, we built a bespoke Jira Service Desk solution providing 24/7 support for Moniott and its end clients, including ticketing and a phone service.
​
Component Security Overview
(The aim of this document is to describe the major components of the Moniott system and their underlying security configuration.)
​
Tags
-
Tags broadcast their data using the standard BLE advertising format defined by the Bluetooth specification; part of the advertising payload is proprietary. That proprietary part is a cryptogram encrypted with AES-128 which carries all the sensitive information (the sensor readings). The cryptogram is also guarded against spoofing and replay attacks by random padding bytes and a counter, so that a captured frame is useless to an attacker. Decryption is never done on site; frames are always relayed to the platform, which decrypts them. Two things a reviewer should confirm here: a counter only stops replay if the platform rejects every frame whose counter is not higher than the last one it accepted for that tag, and encryption alone does not stop forgery, so the cryptogram needs an authentication tag (an authenticated mode such as AES-CCM or AES-GCM, or a separate MAC) that the platform verifies before it trusts the readings. The AES mode is not specified here.
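As an added example (not Moniott's firmware or platform code), the Go program below shows one way the tag frame described above can be built and consumed so that the spoofing and replay protections actually hold. Everything concrete in it is an assumption: the AD structure layout, AES-128-GCM with a 12-byte authentication tag, a 12-byte nonce made of tag ID, counter and random padding, the Bluetooth SIG test company identifier 0xFFFF, and a hard-coded key; the page gives neither the real format, the AES mode nor the key-provisioning scheme. The platform side authenticates a frame before it looks at the counter, so a forged frame can never advance a tag's counter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	adTypeManufacturer = 0xFF   // AD type "Manufacturer Specific Data"
	companyID          = 0xFFFF // Bluetooth SIG test company ID; Moniott's real ID is not on the page
	nonceLen           = 12     // tagID(2) || counter(4) || random padding(6), sent in clear
	authTagLen         = 12     // truncated GCM authentication tag
)

// Constructed AES-128 key for tag 0x0001; key provisioning is not described on the page.
var tagKey = []byte("0123456789abcdef")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithTagSize(block, authTagLen)
}

// buildTagFrame is the tag side. Assumed layout: [len][0xFF][companyID LE][nonce][ciphertext||tag].
// Header and nonce are associated data, so a tampered tag ID or counter fails authentication.
func buildTagFrame(key []byte, tagID uint16, counter uint32, sensor []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	binary.LittleEndian.PutUint16(nonce[0:2], tagID)
	binary.LittleEndian.PutUint32(nonce[2:6], counter)
	if _, err := rand.Read(nonce[6:]); err != nil { // random padding: nonce stays unique even if the counter resets
		return nil, err
	}
	ad := append([]byte{adTypeManufacturer, byte(companyID & 0xFF), byte(companyID >> 8)}, nonce...)
	body := append(ad, aead.Seal(nil, nonce, sensor, ad)...)
	return append([]byte{byte(len(body))}, body...), nil
}

// Platform holds per-tag keys and the highest counter accepted per tag.
type Platform struct {
	keys        map[uint16][]byte
	lastCounter map[uint16]uint32
}

func NewPlatform(keys map[uint16][]byte) *Platform {
	return &Platform{keys: keys, lastCounter: map[uint16]uint32{}}
}

// Decrypt takes one AD structure as relayed by a locator (length byte included),
// authenticates and decrypts it, then enforces the counter. A frame that fails
// authentication never advances the counter, so forged counters cannot lock a tag out.
func (p *Platform) Decrypt(frame []byte) (uint16, []byte, error) {
	if len(frame) < 1+3+nonceLen+authTagLen || int(frame[0]) != len(frame)-1 {
		return 0, nil, errors.New("malformed AD structure")
	}
	s := frame[1:]
	if s[0] != adTypeManufacturer || binary.LittleEndian.Uint16(s[1:3]) != companyID {
		return 0, nil, errors.New("not a Moniott structure")
	}
	ad, ct := s[:3+nonceLen], s[3+nonceLen:]
	tagID := binary.LittleEndian.Uint16(ad[3:5])
	counter := binary.LittleEndian.Uint32(ad[5:9])
	key, ok := p.keys[tagID]
	if !ok {
		return 0, nil, fmt.Errorf("unknown tag %#x", tagID)
	}
	aead, err := newAEAD(key)
	if err != nil {
		return 0, nil, err
	}
	sensor, err := aead.Open(nil, ad[3:], ct, ad)
	if err != nil {
		return 0, nil, errors.New("authentication failed: forged or corrupted frame")
	}
	if last, seen := p.lastCounter[tagID]; seen && counter <= last {
		return 0, nil, fmt.Errorf("replay: counter %d not above last accepted %d", counter, last)
	}
	p.lastCounter[tagID] = counter
	return tagID, sensor, nil
}

func main() {
	p := NewPlatform(map[uint16][]byte{0x0001: tagKey})
	frame, _ := buildTagFrame(tagKey, 0x0001, 7, []byte{0x0A, 0x1F, 0x64}) // constructed reading
	fmt.Println(p.Decrypt(frame)) // accepted
	fmt.Println(p.Decrypt(frame)) // same frame again: replay rejected
	frame[len(frame)-1] ^= 0x01   // one flipped bit: authentication fails
	fmt.Println(p.Decrypt(frame))
}
```

With a 3-byte reading the structure is exactly 31 bytes, the maximum advertising payload in legacy BLE advertising; a full 16-byte authentication tag would need extended advertising or a shorter reading.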
​
BLE Locators
-
BLE Locators scan for BLE advertising packets and relay them unchanged to the platform. Locator firmware is protected by code signing and secure boot, so only firmware issued by Moniott can be flashed. Locators communicate with the platform over MQTT protected by TLS 1.2. Each Locator holds a unique X.509 certificate and private key, which authenticate it to the platform and establish the TLS session keys that encrypt all traffic; in the unlikely event that a certificate and key are extracted from a device, that one certificate can be deactivated and the device isolated without affecting the rest of the fleet.
​
-
The platform's data entry point is AWS IoT, whose MQTT broker accepts only TLS-encrypted connections. Each Locator is provisioned with a unique client identifier and a dedicated X.509 certificate with which it authenticates every connection on the device side. The certificates are issued by AWS IoT itself, so the CA is guarded and maintained by Amazon. All data is stored encrypted at rest in Amazon RDS and DynamoDB, with limited and audited access to those environments.
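As an added example (not Moniott's or AWS's code), the Go program below models the per-device certificate scheme from the two paragraphs above. It issues a constructed CA and device certificates (standing in for the AWS IoT CA), shows the TLS client configuration a Locator would present with TLS 1.2 as the floor, and implements the platform-side admission check that binds the MQTT client identifier to the certificate and refuses a certificate that has been deactivated, so one extracted key isolates one device only. In AWS IoT these checks are performed by the broker's TLS client authentication, by the IoT policy attached to the certificate (which can restrict iot:Connect to the certificate's own thing name) and by the certificate's status (ACTIVE, INACTIVE or REVOKED); the Admit function, the CommonName-as-client-ID convention, the endpoint name and the use of one CA for both device and server trust are assumptions of this example. A real Locator trusts the Amazon Trust Services roots for the endpoint, not the device CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert creates an ECDSA P-256 certificate: a self-signed CA when parent is nil (stand-in
// for the AWS IoT CA), otherwise a device certificate whose CommonName is its client identifier.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough offline; a real CA uses random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Platform is the admission check per MQTT connection: chain to the CA, bind client ID to certificate, refuse deactivated ones.
type Platform struct {
	roots       *x509.CertPool
	deactivated map[string]bool // serial numbers of certificates taken out of service
}

func NewPlatform(ca *x509.Certificate) *Platform {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Platform{roots: pool, deactivated: map[string]bool{}}
}

// Deactivate isolates one device; every other certificate stays valid.
func (p *Platform) Deactivate(cert *x509.Certificate) { p.deactivated[cert.SerialNumber.String()] = true }

func (p *Platform) Admit(clientID string, leafDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("certificate not issued by the platform CA: %w", err)
	}
	if leaf.Subject.CommonName != clientID {
		return fmt.Errorf("client ID %q does not match certificate issued to %q", clientID, leaf.Subject.CommonName)
	}
	if p.deactivated[leaf.SerialNumber.String()] {
		return fmt.Errorf("certificate %s for %s has been deactivated", leaf.SerialNumber, clientID)
	}
	return nil
}

// deviceTLSConfig is what a Locator presents: TLS 1.2 as the floor, one trusted root,
// and its own certificate and key for client authentication.
func deviceTLSConfig(root, cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		RootCAs:      pool,
		ServerName:   "data.iot.example", // assumed; real AWS IoT endpoints are account-specific
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
	}
}

func main() {
	ca, caKey, _ := issueCert("Moniott device CA (constructed)", nil, nil)
	dev, devKey, _ := issueCert("locator-0001", ca, caKey)
	p := NewPlatform(ca)
	_ = deviceTLSConfig(ca, dev, devKey) // handed to the MQTT client library in a real Locator
	fmt.Println("valid device:", p.Admit("locator-0001", dev.Raw))
	p.Deactivate(dev) // suspected key extraction: isolate just this device
	fmt.Println("after deactivation:", p.Admit("locator-0001", dev.Raw))
}
```

The order of checks in Admit matters: chain validation first, so that nothing in an untrusted certificate (its CommonName, its serial) is consulted before the signature has been verified.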
​
APIs
-
The web UI, mobile apps and third-party integrators all communicate through the REST API, which is served exclusively over TLS (HTTPS). Each client authenticates to the platform and is issued its own JWT, valid for one hour; every subsequent request carries that token, and the API returns only the data the authenticated user is authorized to see.
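As an added example (not the Moniott API code), the Go program below implements the token handling just described with the standard library only: it issues an HS256 JWT that expires one hour after issue, verifies algorithm, signature and expiry before trusting any claim, and then applies the authorization rule that a caller only sees assets belonging to their own organisation. The org claim, the Asset type, the signing secret and the sample assets are constructed for the example; the page does not say which signing algorithm or claims Moniott uses (Amazon Cognito, mentioned earlier, issues RS256 tokens that are verified against its published JWKS), so the HS256 choice is illustrative.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried in the token. "org" is an assumed claim naming the customer
// organisation whose assets the caller may read; the page only states the lifetime.
type Claims struct {
	Sub string `json:"sub"`
	Org string `json:"org"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

const tokenLifetime = time.Hour // as stated on the page

var b64 = base64.RawURLEncoding // JWT uses unpadded base64url

func sign(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Issue returns a compact HS256 JWT that expires one hour after now.
func Issue(secret []byte, sub, org string, now time.Time) (string, error) {
	payload, err := json.Marshal(Claims{Sub: sub, Org: org, Iat: now.Unix(), Exp: now.Add(tokenLifetime).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return signingInput + "." + b64.EncodeToString(sign(secret, signingInput)), nil
}

// Verify checks structure, algorithm, signature and expiry, in that order,
// and only then hands back the claims; nothing in the payload is trusted earlier.
func Verify(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err :=  b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "HS256" { // refuses "none" and any algorithm the issuer never uses
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Asset is a tracked item owned by one customer organisation (constructed type).
type Asset struct{ ID, Org string }

// ListAssets applies the authorization rule: a caller sees only their own org's assets.
func ListAssets(c *Claims, all []Asset) []Asset {
	var out []Asset
	for _, a := range all {
		if a.Org == c.Org {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	secret := []byte("constructed-signing-secret")
	tok, _ := Issue(secret, "alice", "acme", time.Now())
	fmt.Println(Verify(secret, tok, time.Now()))                  // claims, <nil>
	fmt.Println(Verify(secret, tok, time.Now().Add(2*time.Hour))) // <nil>, token expired
}
```

The signature is compared with hmac.Equal (constant time) on the decoded bytes, and the algorithm is pinned before the signature is checked so an "alg":"none" header cannot bypass verification.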
​
​