How Secure is DW Cloud?
Affected Roles: All Users
Related Digital Watchdog Product: DW Cloud™
Last Edit: May 1, 2023
Frequently Asked Questions
Digital Watchdog customers occasionally ask about the cybersecurity and integrity of the DW Cloud connection service. It is understandable for users to wonder how secure their data (e.g., authentication, archive, databases) is from others, including the company that makes the product. This article answers some of the most frequently asked questions regarding the DW Cloud connection service.
Does Digital Watchdog Have Access to Private User Data?
No, Digital Watchdog and its staff cannot intercept or look up user video streams, video archives, or server databases.
DW does not have access to private user data for DW Spectrum IPVMS or DW Cloud due to the following security practices:
- Digital Watchdog does not store or have access to unencrypted passwords.
- The DW Cloud database stores user passwords as a complex multi-level salted hash.
- DW Spectrum does not create or store any API keys for accessing a particular installation location.
To learn more about how encryption is used to protect your data, see our “How Secure is DW Spectrum?” support article.
Can DW Spectrum Developers Gain Access to Private User Data?
No, DW Spectrum and DW Cloud were designed with Kerckhoffs's principle in mind: a secure system should be designed with the assumption that your opponent understands it in detail.
Developers and outside entities cannot gain access to a user’s system without acquiring their password.
As such, there are no universal passwords, backdoors, or stored passwords that developers can use to gain access to users’ systems, even when accounting for “bad faith actors”.
Can Network Traffic Be Intercepted on the Relay Server or with Other DW Cloud Components?
User traffic between instances of the DW Spectrum Client and DW Spectrum Mobile applications and the DW Spectrum Server is exchanged directly between them. These software programs use a cloud mediator service to establish a TLS-over-UDP connection (UDP hole punch). User traffic and credentials are NOT sent to the cloud mediator.
If the UDP hole punch cannot be established, DW Spectrum uses relay servers to proxy TLS-encrypted traffic between remote DW Spectrum Client/Mobile instances and the DW Spectrum Server. Encryption keys are kept private and known only to the authorized client connection and the hosting server. DW Spectrum relay servers do not receive the encryption keys and this traffic cannot be decrypted and analyzed through a relay server.
The user traffic between the DW Cloud Portal and DW Spectrum Server is also TLS encrypted and proxied through a DW Spectrum relay server. Once the client instance has been closed, the TLS connection is terminated by the relay server. As with other secure websites, DW Cloud user traffic can only be viewed if someone has physical access to the web server.
In all cases, authentication requests are handled the same, by the DW Spectrum Server at the Owner user’s site and never by the relay or mediator. The DW Spectrum Server does not distinguish between requests that were received through a public TCP port or a relay. For more information, see our “DW Cloud Overview” support article.
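The relay path described above can be checked from a packet capture taken on the relay leg: if the relay only proxies TLS, every byte it forwards belongs to a TLS record whose body is opaque. The following is an added example, not Digital Watchdog code. It assumes the relayed stream uses standard TLS record framing over TCP, and the function names and sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

# TLS record content types (RFC 8446, section 5.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_FRAGMENT = 2**14 + 2048  # largest ciphertext fragment TLS 1.2 allows


def parse_tls_records(stream: bytes):
    """Return [(type_name, length), ...]; raise ValueError on non-TLS bytes."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        if ctype not in CONTENT_TYPES or version >> 8 != 0x03:
            raise ValueError(f"not a TLS record header at offset {offset}")
        if length > MAX_FRAGMENT or offset + 5 + length > len(stream):
            raise ValueError(f"bad record length {length} at offset {offset}")
        records.append((CONTENT_TYPES[ctype], length))
        offset += 5 + length
    return records


def audit_relay_leg(stream: bytes) -> dict:
    """Summarise what is visible on the relay leg: framing only, or plaintext."""
    try:
        records = parse_tls_records(stream)
    except ValueError as exc:
        return {"only_tls": False, "reason": str(exc)}
    counts = Counter(name for name, _ in records)
    opaque = sum(length for _, length in records)
    return {"only_tls": True, "records": dict(counts), "opaque_bytes": opaque}


def _record(ctype: int, body: bytes) -> bytes:
    """Build one constructed TLS record (legacy version 0x0303)."""
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body


# Constructed samples: filler bytes stand in for handshake and ciphertext bodies.
TLS_SAMPLE = (_record(22, b"\xaa" * 120) + _record(23, b"\xbb" * 64)
              + _record(23, b"\xcc" * 300))
PLAINTEXT_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    print(audit_relay_leg(TLS_SAMPLE))
    print(audit_relay_leg(PLAINTEXT_SAMPLE))
```

A passing result shows only that the relay leg carries TLS framing; record types and lengths remain visible to any on-path device even though the bodies are encrypted.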
Does DW Spectrum Software Change Firewall Rules?
No, it is not possible for DW Spectrum to change a user’s firewall rules. For information about outgoing connections related to DW Spectrum, please see our “DW Spectrum – FQDN or Allowlist for DW Cloud Access” support article.
Has DW Spectrum Software Undergone an Independent Cybersecurity Audit?
Yes, DW Spectrum is designed to be secure from the ground up and has completed comprehensive white-box penetration testing. For more information on our approach to security, see our “Cyber Security and DW Spectrum” support article.
For More Information or Technical Support
DW Technical Support: 866.446.3595 (option 4)
DW Sales: 866.446.3595 [email protected]