Introduction
Taranis is committed to providing its customers with a highly secure and reliable environment for our data operations and cloud-based applications. We have therefore developed a multi-tiered security model that covers all aspects of hosted and cloud-based Taranis systems. The security model and controls are based on international protocols and standards and industry best practices.
As part of the company’s focus on security issues, Taranis employs security-oriented management staff, including a Chief Technology Officer, a VP R&D and a Chief Innovation Officer, as well as a cloud platform and data & services team with responsibility for:
Applying the security model to all system tiers
Monitoring and analyzing the infrastructure for suspicious activities and potential threats
Issuing security reports to Taranis management
Dynamically updating the security model and addressing new security threats
In addition, a Taranis joint committee, including representatives from product management and R&D, is committed to:
Systematically examining the organization's information security risks, considering threats and vulnerabilities
Designing and implementing a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address the risks that are deemed unacceptable
Adopting an overarching management process to ensure that the information security controls continue to meet the organization's evolving information security needs
Taranis utilizes private storage “buckets” in the Google Cloud Platform. Additional Google Cloud security, privacy and compliance policies can be found here:
The Taranis service agreement requires that all pilots possess and be current with an FAA Part 107, Commercial Drone Pilots License or the local equivalent in other countries of operation. The Drone Service Providers (DSP) are responsible for ensuring currency and compliance with FAA regulations. To ensure compliance, Taranis verifies and confirms all pilots' licenses during training.
Additionally, Taranis issues the Operations equipment (Drone kit, Pilot Kit) to the DSP to ensure operational continuity and adherence to company policies. The DSP is responsible for all equipment. For example, in the case of the DJI 300 drones, the Operations Kit includes the following items.
Drone Kit:
M300 Case w/ M300 drone, Remote Controller, H20 camera, 2x drone batteries, 2x remote controller batteries
2x Battery Charging Cases -- cases and 16 drone batteries
Pilot Kit:
Landing Pad
Computer
T-shirts
Reflective vests
Various charging cables and connecting cables
SD and Micro-SD Cards
Card Adapters
Power adapters
Taranis has implemented a strict set of procedures throughout the entire data life-cycle to ensure all captured data is securely processed, stored and made available only to authorized users. These include:
Drones or planes take images in the field based on precalculated routes, and the captured imagery is stored only on a local memory card.
At the end of the flight, the certified pilot uploads the images using a Taranis-provided laptop and a secured Taranis-developed application.
The data is uploaded into predefined, Taranis-owned, private buckets in the Google Cloud Platform (GCP).
Stored data in the Google Cloud Platform can be accessed only via a dedicated secured service and made available to customers using the Taranis web and mobile interface based on individual user permissions.
The following items are relevant for the application access control:
Access control – Access to the Google Cloud Platform buckets is limited based on role and responsibility, and is only available to permitted users for maintaining and supporting customers.
Authentication – Taranis also enforces Google-based multi-factor authentication, including a strict role-based password policy. For Taranis web and mobile apps, user passwords are stored in hashed form, using a one-way method based on an industry-standard hash algorithm. Only the application is able to compare the hashed and entered passwords.
Data encryption – The Google Cloud Platform encrypts data in transit between our facilities and at rest, ensuring that it can only be accessed by authorized roles and services with audited access to the encryption keys. Additional details are provided below.
Taranis uses the Google Cloud Platform for storage.
Google Cloud encrypts all customer content stored at rest, without any action required from the customer, using one or more encryption mechanisms.
Data for storage is split into chunks, and each chunk is encrypted with a unique data encryption key. These data encryption keys are stored with the data, encrypted with ("wrapped" by) key encryption keys that are exclusively stored and used inside Google's central Key Management Service. Google's Key Management Service is redundant and globally distributed.
All data stored in Google Cloud is encrypted at the storage level using AES256, with the exception of a small number of Persistent Disks created before 2015 that use AES128.
Google uses a common cryptographic library, Tink, which incorporates Google's FIPS 140-2 Level 1 validated module, BoringCrypto, to implement encryption consistently across almost all Google Cloud products. Consistent use of a common library means that only a small team of cryptographers needs to implement and maintain this tightly controlled and reviewed code.
Detailed information can be found here: https://cloud.google.com/docs/security/encryption/default-encryption
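The chunk, data-encryption-key and key-encryption-key layering described above, as an added Go example that is not Taranis or Google code. It assumes AES-256-GCM for both layers and a KEK held as a local byte slice rather than inside a Key Management Service; `Chunk`, `SealChunk` and `OpenChunk` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Chunk struct{ WrappedDEK, Data []byte } // ciphertext stored beside its wrapped DEK

// seal uses AES-GCM (an assumption of this example) and prepends the random nonce.
func seal(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a programming error
	}
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, 12) // standard GCM nonce size
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; it fails on a wrong key or on modified bytes.
func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 {
		return nil, fmt.Errorf("bad key length or short ciphertext")
	}
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, ct[:12], ct[12:], nil)
}

// SealChunk encrypts a chunk under a fresh 256-bit DEK, then wraps the DEK with the KEK.
func SealChunk(kek, chunk []byte) Chunk {
	dek := make([]byte, 32)
	rand.Read(dek)
	return Chunk{WrappedDEK: seal(kek, dek), Data: seal(dek, chunk)}
}

// OpenChunk unwraps the DEK with the KEK, then decrypts the chunk with it.
func OpenChunk(kek []byte, c Chunk) ([]byte, error) {
	dek, err := open(kek, c.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, c.Data)
}

func main() { fmt.Printf("%x\n", SealChunk(make([]byte, 32), []byte("demo")).Data) } // constructed zero KEK
```

Because every chunk carries its own wrapped key, a stored chunk is readable only by a party that can use the KEK, and pairing one chunk's ciphertext with another chunk's wrapped key fails authentication.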
Google employs several security measures to help ensure the authenticity, integrity, and privacy of data in transit.
For the use cases discussed in this whitepaper, Google encrypts and authenticates data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google or on behalf of Google. All VM-to-VM traffic within a VPC network and peered VPC networks is encrypted.
Depending on the connection that is being made, Google applies default protections to data in transit. For example, Google secures communications between the user and the Google Front End (GFE) using TLS.
Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio.
Google works actively with the industry to help bring encryption in transit to everyone, everywhere. Google has several open-source projects that encourage the use of encryption in transit and data security on the Internet at large, including Certificate Transparency, Chrome APIs, and secure SMTP.
Google plans to remain the industry leader in encryption in transit. To this end, Google dedicates resources toward the development and improvement of encryption technology. Its work in this area includes innovations in the areas of Key Transparency and post-quantum cryptography.
Detailed information can be found here: https://cloud.google.com/docs/security/encryption-in-transit