Security

Security of Skylight can be considered across the following areas:

  • Device Security

  • Data Security

  • Authentication

  • Authorization

Device Security

All Skylight device clients follow industry standard best security practices. This includes management of usernames, passwords, and API tokens to ensure data at rest and data in transit is always encrypted. Device clients can be installed and managed using mobile device management (MDM) solutions such as AirWatch for an extra layer of security.

Data Security

Data in transit to and from the Skylight services stack is encrypted via TLS 1.2. This includes communication between the platform and the device client, Skylight Web, and API communication with external systems.

Data sent during Skylight Live calls utilizes a service provided by Twilio where all data is encrypted during transport, briefly decrypted in memory in Twilio's cloud, and then immediately re-encrypted before being sent to other call participants. Decrypted media is not written to any persistent storage or sent across the network. All decryption and re-encryption happens in a single media server process in Twilio's cloud. A separate process is created for each call.

Each participant in a call negotiates its own DTLS/SRTP connection to Twilio's media servers, and all media published to or subscribed from the call is transported through this secure connection. WebRTC requires this, as it does not allow the negotiation of a single set of DTLS keys between more than two peers.

Authentication

All Skylight device clients communicate with the Skylight platform via the Skylight API through a standard REST interface and a real-time MQTT connection used for push notifications. Both communication mediums rely on an access token for authorization to specific skylight resources. Skylight access tokens are based on the JSON web token standard (RFC 7519). Access tokens have a short "time to live" (TTL) before the platform requires a new one to be generated. The TTL for Skylight authentication tokens can be set on a per-domain basis to meet security requirements per user. As with any token-based authentication system, shorter TTL values are more secure.

Authorization

Skylight provides a standard set of roles when adding users to the platform. Skylight Access Tokens contain a set of authorization "scopes" that are then validated for each API resource the client is requesting to perform operations on. Skylight roles determine the set of scopes that get assigned as part of access token generation so that every API interaction is authorized explicitly.