Sentry AI Information Security Architecture

Last Modified: January 15, 2022

1.   Purpose and Scope

The purpose of this document is to describe the high-level Information Security Architecture of Sentry AI.

The scope is an overview of security for Customers, Partners and anyone else who is interested.

2.   Reference Documents

Sentry AI Privacy Policy

3.   Overview

Sentry AI provides AI services to customers using the SaaS model. The software system has well-defined input and output interfaces to receive images/clips and send Intelligent Alerts to customers. In addition to the I/O interfaces, Sentry AI also provides a lightweight Web-based interface (“Customer Portal”). The following sections explain the different areas of security and how each is handled in Sentry AI.

4.   Cloud Systems (Infrastructure) Security

Sentry AI’s software infrastructure is currently hosted in the AWS and Azure Cloud Ecosystems. This includes elements such as Database, Storage, Authentication and AI Computational Engines.

Sentry AI restricts access to the infrastructure to those who are authorized. Only designated users have login enabled to the AWS console. Different roles (Admin, User, Guest, etc.) are defined based on the access level the users are entitled to. The security policies are in line with AWS’s Well-Architected Framework (https://wa.aws.amazon.com/index.en.html) and have been reviewed with the team of experts from AWS security.

Some of the policies that are implemented to guarantee a high degree of security include:

    1. Multi-Factor Authentication (MFA) is enabled for Cloud access (both AWS and Azure).
    2. User activities are logged.
    3. Alerts are set up for intrusion detection and unusual access detection.
    4. The Access Keys are rotated on a regular basis.
    5. No Sentry AI passwords/credentials are stored in any format. Password management is handled by AWS Cognito.
    6. User Images/Clips are stored in encrypted format.
    7. The Images/Clips and metadata are stored separately, and the Images/Clips do not contain any metadata.
    8. The Images and Clips are stored with a deletion policy. All Images/Clips are destroyed after 60 days and are not accessible to anyone, including Sentry AI.

5.   Information Security

Information Security deals with securing the customer information that is shared with Sentry AI. The interface to the Sentry system is through the APIs. Some of the security details are below.

5.1 User APIs

The User APIs are meant for sending images or clips for further processing. These APIs use HTTPS and are protected by API Keys, which are rotated on a regular basis. They are also throttled and rate limited. The APIs support OAuth2-based authentication schemes.

5.2 EEN APIs

The Eagle Eye Network (EEN) APIs use token-based authentication, wherein the tokens are obtained by logging into the EEN cloud. The Username/Password are stored in encrypted format in the Sentry AI DB.

5.3 Customer Portal APIs

The Sentry AI Customer Portal is built to provide an interface to the processing system with different controls. This portal uses OAuth2-based authentication with AWS Cognito as the backend. The user creation flow adheres to the methods prescribed by AWS Cognito.

Some of the policies and procedures that are used for Portal security:

    1. All users are required to have a User ID and Password to log in to the Portal. All passwords should conform to AWS Cognito password requirements.
    2. The Login ID is unique for each customer account.
    3. New users can be added only by invitation from Authorized users (“Admins”).
    4. The Portal is built with Transport Layer Security (TLS) and uses HTTPS.
    5. Users belong to different groups with specific roles assigned to them.
    6. User access is logged, and the logs can be used for forensics at a later point in time.
    7. OpenID Connect is used when there is cross-Cloud resource access (e.g., Cognito for Authorization and Azure for Backend).

6.   Backup and Disaster Recovery

Data Backup and Disaster Recovery are important for making sure that we can recover from a catastrophic failure with minimal damage. Here are some of the procedures Sentry AI follows to this end:

    1. The Databases are backed up on a daily basis and stored in encrypted format. The backups for the last 15 days are retained in cyclic fashion, with the latest one replacing the oldest one. The backed-up data includes Customer and Account details, Camera information, Applied features, etc.

    2. The processing pipeline is designed to be stateless and processes the incoming image/clip streams without knowledge of historical data.

    3. The Sentry AI processing servers are designed with redundancy. The servers are snapshotted and can be started at any point without having to worry about previous state.

End of document