Security objectives and constraints

A cyberimmune information system is a system that guarantees the fulfillment of specific security objectives in all possible scenarios of system usage as stipulated by the developers.

One prerequisite when developing a cyberimmune information system is to identify its security objectives and the security constraints under which the system will operate.

Security objectives are the particular requirements imposed on a cyberimmune information system that must be fulfilled to ensure that the system operates securely in any possible usage scenario with consideration of the necessary security constraints.

Security constraints are the additional restrictions placed upon the system operating conditions that either simplify or complicate the fulfillment of security objectives.

Security objectives

Kaspersky IoT Secure Gateway 1000 has the following security objectives:

• Kaspersky IoT Secure Gateway 1000 provides a secure (confidentiality and integrity) communication channel from a device to digital platforms (Yandex IOT Core, Microsoft® Azure IoT hub) to transfer data received from IoT devices located in the internal network.
• Kaspersky IoT Secure Gateway 1000 provides for secure updates of the system version. Only updates signed by Kaspersky can be installed, including when updates are obtained through untrusted communication channels.
• Kaspersky IoT Secure Gateway 1000 ensures that system settings and configuration files are securely received (from a trusted source) and securely stored.
• Kaspersky IoT Secure Gateway 1000 accumulates and securely stores security events of a device (Secure audit: restart, update, information security events) and securely transmits them to Kaspersky Security Center.
• Kaspersky IoT Secure Gateway 1000 provides the capability for system administration from the internal network after user authorization via certificate when a secure channel is established.

Security constraints

The security constraints of Kaspersky IoT Secure Gateway 1000 are as follows:

• Kaspersky IoT Secure Gateway 1000 can be deployed in two ways:
  • With support for management through Kaspersky Security Center residing in the internal or external network. Kaspersky Security Center is a trusted source for receiving settings and configuration files of Kaspersky IoT Secure Gateway 1000.
  • Without support for management through Kaspersky Security Center. During deployment, you must compile a list of certificates that can be used by the administrator to connect to the Kaspersky IoT Secure Gateway 1000 web interface. The Kaspersky IoT Secure Gateway 1000 web interface is a trusted source for receiving settings and configuration files of Kaspersky IoT Secure Gateway 1000.
• Initial configuration of Kaspersky IoT Secure Gateway 1000 settings must be conducted under conditions that eliminate any possibility of a compromised Kaspersky Security Center.
• Kaspersky Security Center is considered to be trusted if Kaspersky IoT Secure Gateway 1000 is configured to interact with Kaspersky Security Center using a Kaspersky Security Center server certificate. Threats associated with a compromised Kaspersky Security Center are not considered.
• The device on which Kaspersky IoT Secure Gateway 1000 is installed has separate ports for connecting to the internal network and external network.
• The device on which Kaspersky IoT Secure Gateway 1000 is installed is operating in an environment that completely eliminates the possibility of any physical access by a cybercriminal, including their inability to directly connect to the device.
• A medium level of threat (basic elevated) from the external network is assumed.
• A low level of threat (basic) from the internal network is assumed.

  For more information on assessing the information security threat level, please refer to the website of Federal Service for Technical and Export Control of Russia.

• Threats associated with a vulnerability of the hardware platform are not considered.
• Threats associated with breached confidentiality, violated integrity or loss of data during its transmission from devices in the internal network to Kaspersky IoT Secure Gateway 1000 are not considered.
• The following threats associated with breached availability of the infrastructure are not considered:
  • Communication channels between the sides of network interaction
  • Kaspersky Security Center server
  • Digital platforms

Page top