Security
IronFlock is designed for industrial and enterprise IoT environments where security is not optional. The system follows a zero-trust architecture with defense-in-depth across every layer — from device connectivity to data isolation.
No Open Ports on Devices
Edge devices running IronFlock do not listen on any network port. The device agent initiates every connection outbound to the WAMP message router. This means:
- No inbound firewall rules are needed on the device network.
- Devices are not discoverable or directly addressable from the internet.
- Remote access works through reverse tunnels — the device connects out, not the other way around.
This removes the attack surface that listening services (SSH, HTTP, MQTT brokers) create in many IoT deployments: there is nothing on the device for a network scanner to find or an exploit to reach. The trust boundary moves to the outbound TLS connection, so the agent has to verify the router's certificate and protect its per-device credential.
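The check a practitioner wants for this claim is to enumerate what a device actually listens on. The following added example, which is not part of the IronFlock agent or its documentation, parses the kernel's `/proc/net/tcp` and `/proc/net/tcp6` tables (the same source `ss -tln` reads) and reports every listener that is bound to something other than loopback. The two sample tables are constructed for the demo: a loopback-only web UI, an exposed SSH daemon, one established outbound connection and an IPv6 wildcard listener.

```python
from dataclasses import dataclass
import ipaddress
import socket
import struct

TCP_LISTEN = 0x0A  # value of the `st` column for a listening socket


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    inode: int


def _ipv4(hexaddr: str) -> str:
    # IPv4 is stored as one little-endian 32-bit word: 0100007F -> 127.0.0.1
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))


def _ipv6(hexaddr: str) -> str:
    # IPv6 is stored as four little-endian 32-bit words
    packed = b"".join(struct.pack("<I", int(hexaddr[i:i + 8], 16)) for i in range(0, 32, 8))
    return str(ipaddress.IPv6Address(packed))


def parse_proc_net_tcp(text: str, ipv6: bool = False) -> list:
    """Return the listening sockets found in /proc/net/tcp or /proc/net/tcp6 text."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], int(fields[3], 16), int(fields[9])
        if state != TCP_LISTEN:
            continue
        addr_hex, port_hex = local.split(":")
        address = _ipv6(addr_hex) if ipv6 else _ipv4(addr_hex)
        listeners.append(Listener(address, int(port_hex, 16), inode))
    return listeners


def exposed_listeners(tcp_text: str, tcp6_text: str) -> list:
    """Listeners the network can reach: anything not bound to a loopback address.
    A device that only makes outbound connections should return an empty list."""
    found = parse_proc_net_tcp(tcp_text) + parse_proc_net_tcp(tcp6_text, ipv6=True)
    return sorted((l for l in found if not ipaddress.ip_address(l.address).is_loopback),
                  key=lambda l: l.port)


# Constructed sample tables (not captured from a real device): a local-only web UI
# on 127.0.0.1:8080, an SSH daemon on 0.0.0.0:22, one established outbound
# connection to 203.0.113.10:443, and an IPv6 listener on [::]:80.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0C00000A:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    # On a device, read /proc/net/tcp and /proc/net/tcp6 instead of the samples.
    for l in exposed_listeners(SAMPLE_TCP, SAMPLE_TCP6):
        print(f"exposed listener: {l.address}:{l.port} (inode {l.inode})")
```

On the sample data the audit flags `0.0.0.0:22` and `[::]:80`; the loopback web UI is reported as harmless and the established outbound socket is ignored. Run against the live tables, an outbound-only device should produce no output at all.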
Authentication
IronFlock uses OpenID Connect (OIDC) for user authentication.
Multi-Factor Authentication
All accounts support two-factor authentication based on TOTP (Time-based One-Time Password, RFC 6238). Users enable it in their account settings with any standard authenticator app (Google Authenticator, Authy, 1Password and others).
API Keys
For programmatic access, users generate API keys that authenticate against the REST API. The backend validates the key on every request before any operation is executed.
Device Authentication
Devices authenticate using WAMP-CRA (Challenge-Response Authentication) with per-device credentials. Each device receives a unique secret during the flashing process that is stored on the device and used for all subsequent connections.
Encrypted Transports
All communication in IronFlock is encrypted:
| Connection | Protocol | Encryption |
|---|---|---|
| Browser to IronFlock | HTTPS | TLS 1.2+ |
| Device to router | WSS (WebSocket Secure) | TLS 1.2+ |
| Service to service | WSS | TLS (internal) |
| Database connections | PostgreSQL SSL | TLS |
| Remote access tunnels | Reverse proxy over TLS | TLS |
There is no plaintext communication path in the entire system.
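The transport table is only as good as the client settings on each hop, and the device side is the one an integrator writes. The added example below (Python `ssl`, not IronFlock's agent code) shows the TLS context an edge agent should use for its outbound `wss://` connection beside the weak context that "just make it connect" code tends to produce, with a check that enforces the policy the table states: TLS 1.2 or newer and a verified peer. The CA bundle path is an assumed argument; the WebSocket layer on top of the socket is out of scope.

```python
import ssl
from typing import Optional


def weak_context() -> ssl.SSLContext:
    """The anti-pattern: no certificate verification, no hostname check, and
    whatever legacy protocol versions the library still allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def device_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Context for the agent's outbound wss:// connection: TLS 1.2 or newer,
    certificate verified and matched against the router hostname. ca_file is an
    assumed path to the router CA bundle on the device; None uses the system store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def policy_violations(ctx: ssl.SSLContext) -> list:
    """Check a context against the transport policy (TLS 1.2+, verified peers).
    Returns the violations found; an empty list means the context passes."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 are accepted")
    return problems


if __name__ == "__main__":
    print("weak:", policy_violations(weak_context()))
    print("hardened:", policy_violations(device_client_context()))
```

Hand the hardened context to the socket layer with `ctx.wrap_socket(sock, server_hostname=router_host)` or to a WebSocket client that accepts an `ssl=` argument. Without the hostname check, a valid certificate for any host passes verification, which is the mistake the policy check is there to catch.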
Messaging Isolation
IronFlock uses WAMP (Web Application Messaging Protocol) for all real-time communication. The message router enforces strict isolation between projects:
Separate Realms
Each project-app combination gets its own messaging realm on the WAMP router. A realm is a completely isolated namespace — messages published in one realm are invisible to all other realms.
This means:
- Devices in Project A cannot see messages from Project B.
- App X installed in Project A has a different realm than App X installed in Project B.
- Even if the same app is installed in two projects, the data flows are completely separate.
Realm Authentication
Every realm connection requires authentication. Devices, backend services, and UI clients must present valid credentials to join a realm. Unauthorized clients cannot subscribe to topics or call procedures.
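The Device Authentication section above and this one describe the same exchange from two angles: WAMP-CRA with a per-device secret, and a credential that is only valid for the realm it was provisioned in. The added example below (not IronFlock's router or agent code) runs the HELLO, CHALLENGE and AUTHENTICATE steps of WAMP-CRA as the WAMP specification defines them, with the router's credential store keyed by `(realm, authid)`. Message framing and the WebSocket transport are reduced to plain dicts; the realm names, the `"static"` auth provider and the device secret are constructed for the demo. The salted variant is used so the router stores a PBKDF2-derived key rather than the device secret itself.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ITERATIONS, KEYLEN = 1000, 32   # PBKDF2 parameters advertised in the CHALLENGE


def derive_key(secret: str, salt: str, iterations: int = ITERATIONS, keylen: int = KEYLEN) -> bytes:
    """Salted WAMP-CRA: the HMAC key is the base64 text of PBKDF2-HMAC-SHA256(secret, salt)."""
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), iterations, keylen)
    return base64.b64encode(dk)


def sign_challenge(key: bytes, challenge: str) -> str:
    """AUTHENTICATE signature: Base64(HMAC-SHA256(key, challenge string))."""
    return base64.b64encode(hmac.new(key, challenge.encode(), hashlib.sha256).digest()).decode()


class Router:
    """Router side. Credentials are keyed by (realm, authid): a device provisioned
    for one realm is unknown in every other realm, so its HELLO there is refused."""

    def __init__(self):
        self.credentials = {}   # (realm, authid) -> {"key", "salt", "role"}; no plaintext secret
        self.pending = {}       # session -> (realm, authid, challenge) awaiting AUTHENTICATE

    def provision(self, realm: str, authid: str, secret: str, role: str = "device") -> None:
        salt = secrets.token_urlsafe(12)
        self.credentials[(realm, authid)] = {"key": derive_key(secret, salt), "salt": salt, "role": role}

    def hello(self, realm: str, hello: dict):
        """Answer HELLO with the CHALLENGE extra dict, or None to refuse the join."""
        cred = self.credentials.get((realm, hello.get("authid")))
        if cred is None or "wampcra" not in hello.get("authmethods", []):
            return None
        session = secrets.randbelow(2 ** 53) + 1
        challenge = json.dumps({
            "nonce": secrets.token_urlsafe(16),
            "authprovider": "static",
            "authid": hello["authid"],
            "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "authrole": cred["role"],
            "authmethod": "wampcra",
            "session": session,
        })
        self.pending[session] = (realm, hello["authid"], challenge)
        return {"session": session, "challenge": challenge, "salt": cred["salt"],
                "iterations": ITERATIONS, "keylen": KEYLEN}

    def authenticate(self, session: int, signature: str) -> bool:
        """Check AUTHENTICATE. The pending challenge is consumed whether or not the
        signature matches, so a captured signature cannot be replayed."""
        entry = self.pending.pop(session, None)
        if entry is None:
            return False
        realm, authid, challenge = entry
        expected = sign_challenge(self.credentials[(realm, authid)]["key"], challenge)
        return hmac.compare_digest(expected, signature)


class DeviceAgent:
    """Device side: holds the per-device secret written at flashing time."""

    def __init__(self, authid: str, secret: str):
        self.authid, self.secret = authid, secret

    def hello(self) -> dict:
        return {"authid": self.authid, "authmethods": ["wampcra"]}

    def respond(self, extra: dict) -> str:
        key = derive_key(self.secret, extra["salt"], extra["iterations"], extra["keylen"])
        return sign_challenge(key, extra["challenge"])


def join_realm(router: Router, device: DeviceAgent, realm: str) -> bool:
    """Run HELLO -> CHALLENGE -> AUTHENTICATE against one realm."""
    extra = router.hello(realm, device.hello())
    return extra is not None and router.authenticate(extra["session"], device.respond(extra))
```

Three outcomes are worth tracing: the provisioned device joins its own realm, the same device is refused in another realm because no credential exists there, and a signature replayed for a consumed challenge fails because the router forgets the nonce after one use.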
Database Isolation
Each project gets its own dedicated database resources in FleetDB (PostgreSQL):
- Separate tables — Each project-app combination has its own set of time-series tables. There is no shared table where data from different projects could leak.
- Separate credentials — Each data backend has unique connection credentials. Apps can only access their own project’s data.
- No cross-project queries — The database layer enforces that queries cannot span project boundaries.
This isolation is enforced at the infrastructure level, not just the application level. Even a compromised app cannot access data from another project.
Privilege System
IronFlock enforces a per-asset privilege model where every project, device, group, app, dashboard, and data backend has its own access control:
- The owner of an asset has full control and can grant permissions to other users.
- The project owner automatically has full control over all assets within that project.
- Each permission is a discrete boolean flag — there are no broad “admin” roles that grant unbounded access.
- All privilege changes are recorded in an immutable audit trail.
See Privileges for the full list of permissions per asset type.
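The rules listed above are simple enough to model exactly, which is the quickest way to see what "no broad admin role" and "project owner inherits" mean for an authorization check. The following added example (illustrative Python, not IronFlock's privilege implementation) implements those rules: owner and project owner hold every permission, everyone else has exactly the boolean flags granted to them, only an owner may change grants, and every change goes into a hash-chained audit trail so a later edit to an earlier entry is detectable. The asset kinds and flag names are assumed for the demo; the Privileges page has the real list.

```python
from dataclasses import dataclass, field
import hashlib
import json
import time


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str          # "project", "device", "group", "app", "dashboard", "data_backend"
    owner: str
    project_id: str    # the project containing the asset; a project points at itself


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class PrivilegeStore:
    assets: dict = field(default_factory=dict)
    grants: dict = field(default_factory=dict)   # (asset_id, user) -> {flag: bool}
    audit: list = field(default_factory=list)    # append-only, hash-chained entries

    def register(self, asset: Asset) -> None:
        self.assets[asset.asset_id] = asset

    def is_owner(self, user: str, asset_id: str) -> bool:
        """Asset owner, or owner of the project that contains the asset."""
        asset = self.assets[asset_id]
        project = self.assets.get(asset.project_id)
        return user == asset.owner or (project is not None and user == project.owner)

    def allowed(self, user: str, asset_id: str, flag: str) -> bool:
        """Deny by default: a non-owner has exactly the flags granted, nothing more."""
        if self.is_owner(user, asset_id):
            return True
        return self.grants.get((asset_id, user), {}).get(flag, False)

    def set_flag(self, actor: str, asset_id: str, subject: str, flag: str, value: bool) -> None:
        """Only an owner may change permissions. Each flag is set on its own;
        there is no role that bundles them."""
        if not self.is_owner(actor, asset_id):
            raise PermissionError(f"{actor} may not change permissions on {asset_id}")
        self.grants.setdefault((asset_id, subject), {})[flag] = value
        self._record(actor, asset_id, subject, flag, value)

    def _record(self, actor, asset_id, subject, flag, value) -> None:
        # Each entry carries the digest of its predecessor, so editing or removing
        # an earlier entry invalidates every digest after it.
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64
        entry = {"ts": time.time(), "actor": actor, "asset": asset_id, "subject": subject,
                 "flag": flag, "value": value, "prev": prev}
        entry["digest"] = _digest(entry)
        self.audit.append(entry)

    def audit_intact(self) -> bool:
        """Recompute the chain; False if any entry was altered, dropped or reordered."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body["prev"] != prev or _digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True
```

The hash chain makes tampering detectable, not impossible: whoever can rewrite the whole list can recompute every digest, so a real deployment anchors the head digest somewhere the application cannot write (a separate log store or a signed checkpoint).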
Architecture Overview
```
┌──────────────┐              ┌──────────────────────────────────────┐
│   Browser    │────HTTPS────►│             Load Balancer            │
└──────────────┘              │                (TLS)                 │
                              └───────┬─────────────────────┬────────┘
                                      │                     │
                              ┌───────▼───────┐     ┌───────▼───────┐
┌──────────────┐              │     WAMP      │     │    Backend    │
│ Edge Device  │──WSS (TLS)──►│    Router     │◄────│   Services    │
│  (outbound   │              │   (realms)    │     │  (WAMP-CRA)   │
│   only)      │              └───────┬───────┘     └───────┬───────┘
└──────────────┘                      │                     │
                              ┌───────▼─────────────────────▼───────┐
                              │            PostgreSQL /             │
                              │            TimescaleDB              │
                              └─────────────────────────────────────┘
```
Key points:
- All device connections are outbound only — no inbound ports.
- The WAMP router enforces realm isolation between projects.
- Backend services authenticate via WAMP-CRA with system secrets.
- The database is only accessible from backend services, never directly from devices or browsers.
Compliance
IronFlock’s security architecture supports compliance with:
- IEC 62443 — Industrial automation and control systems security
- ISO 27001 — Information security management
- SOC 2 — Service organization controls for data security
- GDPR — Data stored in EU data centers (configurable), audit trail for data access
The combination of encrypted transports, authentication, per-project data isolation, granular privileges, and comprehensive audit logging provides the controls required by these frameworks.