Security Configuration

This guide covers security configuration and hardening for Anava deployments.

Security Overview

Security Layers

Security Principles

Principle	Implementation
Defense in Depth	Multiple security layers
Least Privilege	Minimal required access
Zero Trust	Verify all connections
Encryption	All data encrypted

Authentication

User Authentication

Anava supports multiple authentication methods:

Method	Use Case	Configuration
Email/Password	Standard users	Default
Google SSO	Enterprise	OAuth configuration
SAML	Enterprise SSO	Identity provider setup

Password Requirements

Enforce strong passwords:

Requirement	Minimum
Length	12 characters
Complexity	Upper, lower, number, special
History	Last 5 passwords
Expiration	90 days (configurable)

Multi-Factor Authentication

Anava uses Google Identity Platform with TOTP-based MFA for enhanced security.

Supported MFA Method

Method	Status	Security
Authenticator App (TOTP)	✅ Supported	Recommended
SMS	❌ Not supported	Avoided due to SIM-swap risk

MFA Enrollment

Users enroll via a 3-step process:

1. Generate Secret - System creates TOTP secret
2. Scan QR Code - User scans with authenticator app (Google Authenticator, Authy, etc.)
3. Verify Code - User enters 6-digit code to confirm

┌─────────────────────────────────────┐
│ Set Up Two-Factor Authentication    │
├─────────────────────────────────────┤
│                                     │
│    ┌─────────────┐                  │
│    │ [QR CODE]   │  Scan with your  │
│    │             │  authenticator   │
│    └─────────────┘  app             │
│                                     │
│  Manual entry key:                  │
│  JBSW Y3DP EHPK 3PXP               │
│                                     │
│  Enter verification code:           │
│  ┌──────────────────────┐          │
│  │ 123456               │          │
│  └──────────────────────┘          │
│                                     │
│  [Verify and Enable]                │
└─────────────────────────────────────┘

Role-Based MFA Enforcement

Role	MFA Requirement
Admin	Required
Operator	Required
Viewer	Optional
Pending	Can enroll (enables enforcement on role upgrade)

MFA During Sign-In

When MFA is enabled, users see a challenge after password:

1. Open authenticator app
2. Enter current 6-digit code
3. Access granted

Administrator MFA Management

Admins can:

• View MFA enrollment status for all users
• Reset MFA for users who lose access (requires identity verification)
• Enforce MFA for specific roles

Session Management

Anava enforces automatic session timeouts to protect against unauthorized access from unattended workstations.

Session Timeout Settings

User Type	Timeout	Warning
Standard Users	30 minutes	5 minutes before
Admin Users	15 minutes	5 minutes before

Timeout periods are measured from last user activity (mouse movement, keyboard input, or API interaction).

Idle Detection

When a session approaches timeout:

1. 5-minute warning - Modal notification appears
2. User action - Click "Stay Signed In" to extend session
3. No action - Automatic logout at timeout

┌─────────────────────────────────────────────┐
│ Session Timeout Warning                      │
├─────────────────────────────────────────────┤
│                                             │
│   Your session will expire in 4:32          │
│                                             │
│   For security, inactive sessions are       │
│   automatically signed out.                 │
│                                             │
│   [Stay Signed In]    [Sign Out Now]        │
│                                             │
└─────────────────────────────────────────────┘

Configuring Session Timeouts

Session timeout settings are configurable per organization:

1. Go to Settings → Security
2. Under Session Management
3. Adjust timeout values:
   • Standard user timeout (15-60 minutes)
   • Admin user timeout (5-30 minutes)
   • Warning period (1-10 minutes)
4. Click Save

Organization-Level Customization

Setting	Default	Range	Description
Standard Timeout	30 min	15-60 min	Non-admin user inactivity limit
Admin Timeout	15 min	5-30 min	Admin user inactivity limit
Warning Period	5 min	1-10 min	Time before timeout to show warning
Extend on Activity	Enabled	On/Off	Reset timer on user interaction

Compliance Note

Session timeout enforcement supports compliance requirements:

Standard	Requirement	Anava Implementation
SOC 2 CC6.1	Session management controls	Automatic timeout with configurable limits
ISO 27001 A.11.2.8	Unattended user equipment	Idle detection with forced logout
PCI DSS 8.1.8	Idle session timeout (15 min)	Admin sessions default to 15 min
HIPAA	Automatic logoff	Configurable per organization

Organizations can adjust timeout values to meet specific compliance requirements while maintaining security best practices.

Role-Based Access Control

Built-in Roles

Role	Description
Admin	Full system access, user management, system settings
Operator	Event review, session management, camera operations
Viewer	Read-only access to sessions and dashboards
Pending	Awaiting role assignment (limited access)

Permission Matrix

Action	Admin	Operator	Viewer	Pending
View sessions	✓	✓	✓
Review events	✓	✓	✓
Verify alerts	✓	✓
Manage cameras	✓	✓
Create/modify skills	✓
Create/modify profiles	✓
Create/modify groups	✓
Manage users	✓
System settings	✓
View audit logs	✓
Approve devices	✓	✓

Group-Level Access

Restrict users to specific groups:

1. Go to Users → Select user
2. Under Group Access
3. Select allowed groups
4. Save

User only sees assigned groups.

Custom Roles

Create custom roles for specific needs:

Custom Role: "Shift Supervisor"
Permissions:
  - View all sessions
  - Verify alerts
  - Manage operators in assigned groups
  - Generate reports
  - Cannot modify skills or profiles

Camera Security

IEEE 802.1AR

Anava uses Axis Device ID for camera authentication:

• Hardware-backed device identity
• Factory-provisioned certificates
• Automatic trust establishment

Edge Vault

Secure key storage on cameras:

Feature	Description
Hardware Security	TPM-protected keys
Certificate Storage	Private keys never exposed
Attestation	Prove device identity

Firmware Security

Maintain camera security:

1. Keep firmware updated

   • Apply security patches
   • Check firmware.axis.com

2. Enable signed firmware

   • Prevents unsigned code

3. Secure boot

   • Verify firmware integrity

Network Security

Required Ports

Port	Protocol	Direction	Purpose
443	HTTPS	Outbound	Cloud API
8883	MQTTS	Outbound	MQTT broker
80/443	HTTP(S)	Inbound	Camera access

Firewall Configuration

Outbound Rules (Camera → Internet):

Allow TCP 443 to *.anava.ai
Allow TCP 8883 to mqtt.anava.ai

Internal Rules (Management → Camera):

Allow TCP 80/443 from management network
Allow TCP 554 from VMS (RTSP)

Network Segmentation

Recommended network architecture:

┌─────────────────────────────────────────┐
│                Internet                  │
└────────────────────┬────────────────────┘
                     │
              ┌──────┴──────┐
              │  Firewall   │
              └──────┬──────┘
                     │
     ┌───────────────┼───────────────┐
     │               │               │
┌────┴────┐   ┌─────┴─────┐   ┌─────┴─────┐
│ Camera  │   │Management │   │Corporate  │
│  VLAN   │   │   VLAN    │   │   VLAN    │
└─────────┘   └───────────┘   └───────────┘

TLS Configuration

All connections use TLS 1.3:

Connection	Certificate
Camera → Cloud	Axis PKI (mTLS)
Browser → Console	Public CA
API Access	Public CA

Data Security

Encryption at Rest

All stored data encrypted:

Data Type	Encryption
Images	AES-256-GCM
Configurations	AES-256-GCM
Logs	AES-256-GCM
Database	Firestore encryption

Encryption in Transit

All network traffic encrypted:

Protocol	Encryption
MQTT	TLS 1.3
API	TLS 1.3
Storage	TLS 1.3

Data Retention

Configure retention policies:

Data Type	Default	Configurable
Sessions	30 days	7-365 days
Images	30 days	7-365 days
Audit logs	1 year	1-7 years
Configs	Indefinite	N/A

Audit Logging

Architecture

Anava implements a dual-write audit logging system for compliance:

User Action
    ↓
AuditService.log()
    ├──→ Firestore audit_logs (HOT - 90 days, UI access)
    └──→ Cloud Logging → BigQuery (COLD - 365 days, compliance)

What's Logged

Event Category	Examples	Count
Authentication	Login, logout, MFA challenge, login failed	10+ types
Configuration	Profile/skill/group create, update, delete	15+ types
Device Management	Approve, reject, pause, reset, retire	12+ types
Credentials	Created, updated, accessed, synced	5+ types
Administrative	User management, role changes	8+ types

Log Format

Each audit event captures:

{
  "id": "audit_abc123",
  "timestamp": "2024-01-15T14:32:15Z",
  "eventType": "config.profile_updated",
  "actorUid": "user123",
  "actorEmail": "admin@company.com",
  "target": {
    "type": "config",
    "id": "profile_xyz"
  },
  "previousValue": { "trigger": { "type": "Motion" } },
  "newValue": { "trigger": { "type": "Object" } },
  "correlationId": "req_456",
  "source": "ui"
}

Storage Tiers

Tier	Location	Retention	Purpose
Hot	Firestore audit_logs	90 days	Admin UI queries
Cold	BigQuery anava_audit_logs	365 days	Compliance archive
Login Events	Firestore login_signals	1 hour	Real-time monitoring

Accessing Logs

Via Admin UI:

1. Go to Admin → Audit Logs
2. Filter by date, user, event type, severity
3. Export to CSV for compliance

Via BigQuery (Compliance):

SELECT * FROM `project.anava_audit_logs.audit_events`
WHERE timestamp > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 30 DAY)
AND actorEmail = 'user@company.com'
ORDER BY timestamp DESC

Compliance Coverage

Standard	Requirement	Implementation
SOC 2 CC7.2	System operations logging	✅ 40+ event types
ISO 27001 A.12.4	Logging and monitoring	✅ Dual-tier storage
PCI DSS 10.2	Audit trail requirements	✅ Immutable BigQuery
GDPR	Data access logging	✅ Credential access tracked

API Security

API Keys

For programmatic access:

1. Go to Settings → API Keys
2. Click Generate New Key
3. Set permissions scope
4. Set expiration
5. Store key securely

Key Best Practices

Practice	Description
Rotate regularly	90 days maximum
Minimal scope	Only needed permissions
Secure storage	Never in code
Monitor usage	Alert on anomalies

Rate Limiting

API rate limits protect the system:

Endpoint Type	Limit
Read operations	100/minute
Write operations	30/minute
Bulk operations	5/minute

Secret Management

Proper secret and key management is critical for maintaining security posture. This section covers the inventory, rotation schedules, and procedures for all secrets in the Anava platform.

Secret Inventory

Secret Type	Location	Rotation Schedule	Auto-Rotate	Risk Level
Firebase API Keys	Firebase Console	Annual	No	Medium
Service Account Keys	GCP IAM	90 days	No	High
MQTT Broker Credentials	Secret Manager	90 days	No	High
OAuth Client Secrets	GCP Console	180 days	No	High
User API Keys	Firestore	90 days	No	High
Webhook Signing Keys	Secret Manager	90 days	Yes (via rotation function)	Medium
TLS Certificates	Secret Manager	90 days before expiry	Yes (Let's Encrypt)	Critical
EMQX Admin Password	Terraform state	180 days	No	High

Rotation Policy

90-Day Rotation (High-Risk Secrets):

These secrets MUST be rotated every 90 days or immediately if compromised:

• Service account keys
• MQTT broker credentials
• User-generated API keys
• Webhook signing keys

180-Day Rotation (Medium-Risk Secrets):

• OAuth client secrets
• EMQX admin password
• Third-party integration tokens

Annual Rotation (Low-Risk Secrets):

• Firebase web API keys (public, restricted by domain)
• Analytics API keys

Rotation Procedures

Service Account Keys:

# 1. Create new key
gcloud iam service-accounts keys create new-key.json \
  --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com

# 2. Update Secret Manager
gcloud secrets versions add SA_KEY_SECRET --data-file=new-key.json

# 3. Deploy updated functions/services
firebase deploy --only functions

# 4. Verify services are healthy
curl -I https://YOUR_FUNCTION_URL/health

# 5. Delete old key (after 24h grace period)
gcloud iam service-accounts keys delete OLD_KEY_ID \
  --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com

# 6. Securely delete local key file
shred -u new-key.json

User API Keys:

1. Go to Settings -> API Keys
2. Click Rotate next to the key
3. Copy and securely store the new key
4. Update integrations within 24 hours
5. The old key remains valid for 24 hours, then auto-expires

MQTT Broker Credentials:

# 1. Generate new credentials
NEW_PASS=$(openssl rand -base64 32)

# 2. Update Secret Manager
echo -n "$NEW_PASS" | gcloud secrets versions add mqtt-broker-password --data-file=-

# 3. Update EMQX configuration
# SSH to MQTT broker VM, then:
emqx_ctl conf load /etc/emqx/new-auth.conf

# 4. Update camera credentials in Firestore (via admin script)
npx tsx scripts/rotate-mqtt-credentials.ts --project PROJECT_ID

# 5. Verify camera connectivity
# Check MQTT dashboard for reconnection success

TLS Certificates:

TLS certificates are managed automatically via Let's Encrypt with 90-day validity. Manual intervention required only for:

• Custom domain certificates
• Axis PKI certificates (managed by device)

# Check certificate expiry
echo | openssl s_client -servername mqtt.anava.ai -connect mqtt.anava.ai:8883 2>/dev/null | openssl x509 -noout -dates

# Force renewal (if needed)
certbot renew --force-renewal

Auto-Rotation Configuration

Some secrets support automatic rotation via Secret Manager:

# Secret Manager rotation config (example)
rotation:
  rotation_period: "7776000s"  # 90 days
  next_rotation_time: "2024-04-15T00:00:00Z"

# Cloud Function trigger on rotation
resource "google_secret_manager_secret_iam_member" "rotation_invoker" {
  secret_id = google_secret_manager_secret.webhook_key.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.rotator.email}"
}

Monitoring Secret Expiration

Cloud Monitoring Alert Policy:

# Alert when secrets are expiring within 14 days
display_name: "Secret Expiration Warning"
conditions:
  - display_name: "Secret expires soon"
    condition_threshold:
      filter: 'resource.type="secret_manager_secret" AND metric.type="secretmanager.googleapis.com/secret/version_count"'
      comparison: COMPARISON_LT
      threshold_value: 14
      duration: "0s"
notification_channels:
  - "projects/PROJECT_ID/notificationChannels/CHANNEL_ID"

Manual Expiration Check:

Run monthly to audit all secrets:

# List all secrets with creation dates
gcloud secrets list --format="table(name,createTime,replication.automatic)"

# Check service account key ages
gcloud iam service-accounts keys list \
  --iam-account=SA@PROJECT.iam.gserviceaccount.com \
  --format="table(name,validAfterTime,validBeforeTime)"

# Identify keys older than 90 days
gcloud iam service-accounts keys list \
  --iam-account=SA@PROJECT.iam.gserviceaccount.com \
  --filter="validAfterTime<'-P90D'" \
  --format="value(name)"

Firestore API Key Expiration Query:

// Admin SDK query for expiring user API keys
const expiringKeys = await db.collection('api_keys')
  .where('expiresAt', '<=', new Date(Date.now() + 14 * 24 * 60 * 60 * 1000))
  .where('expiresAt', '>', new Date())
  .get();

// Send expiration warnings
expiringKeys.forEach(doc => {
  sendExpirationWarning(doc.data().userId, doc.data().expiresAt);
});

Emergency Key Revocation

If a secret is compromised:

1. Immediate Actions:

   • Revoke the compromised key/secret immediately
   • Create replacement credentials
   • Deploy updates to all affected services

2. Investigation:

   • Review audit logs for unauthorized access
   • Check for data exfiltration
   • Document timeline of exposure

3. Notification:

   • Notify affected users if their data may be impacted
   • File incident report per security incident procedure

# Emergency: Revoke all service account keys
gcloud iam service-accounts keys list \
  --iam-account=SA@PROJECT.iam.gserviceaccount.com \
  --format="value(name)" | xargs -I {} \
  gcloud iam service-accounts keys delete {} \
  --iam-account=SA@PROJECT.iam.gserviceaccount.com --quiet

# Create fresh key
gcloud iam service-accounts keys create emergency-key.json \
  --iam-account=SA@PROJECT.iam.gserviceaccount.com

Compliance Coverage

Standard	Requirement	Implementation
SOC 2 CC6.1	Logical access security	90-day rotation for high-risk secrets
ISO 27001 A.9.2.4	Secret information management	Inventory, rotation schedules, monitoring
PCI DSS 3.6	Key management procedures	Documented rotation procedures
NIST 800-53 IA-5	Authenticator management	Automated expiration monitoring

Secret Management Checklist

Monthly:

• Review secret expiration dates
• Verify auto-rotation is functioning
• Check for unused API keys
• Review Secret Manager access logs

Quarterly:

• Rotate all high-risk secrets
• Audit service account key usage
• Update rotation documentation
• Test emergency revocation procedure

Annually:

• Full secret inventory audit
• Review rotation policies
• Update compliance documentation
• Penetration test for secret exposure

Security Monitoring

Security Alerts

Configure alerts for security events:

Event	Alert
Failed login (5+)	Email admin
New admin user	Email all admins
API key created	Email admin
Bulk export	Email admin

Dashboard Monitoring

Security dashboard shows:

• Active sessions
• Failed login attempts
• API usage
• Configuration changes

Regular Reviews

Review	Frequency
User access	Monthly
API keys	Quarterly
Audit logs	Monthly
Security settings	Quarterly

Compliance

SOC 2

Anava supports SOC 2 compliance:

• Access controls
• Audit logging
• Encryption
• Monitoring

GDPR

Data protection features:

Feature	Implementation
Data minimization	Configurable retention
Right to erasure	Data deletion tools
Access logs	Audit trail
Encryption	All data encrypted

HIPAA

For healthcare deployments:

• BAA available
• Access controls
• Audit logs
• Encryption

Security Checklist

Initial Deployment

• Enable MFA for all admins
• Configure RBAC roles
• Set up audit log exports
• Configure firewall rules
• Document access procedures

Ongoing Maintenance

• Review user access monthly
• Rotate API keys quarterly
• Update camera firmware
• Review audit logs
• Test backup recovery

Annual Review

• Penetration testing
• Access review
• Policy updates
• Training refresh
• Compliance audit

Incident Response

Security Incident Procedure

1. Identify - Detect and confirm incident
2. Contain - Limit damage (disable accounts, keys)
3. Investigate - Review logs, determine scope
4. Remediate - Fix vulnerabilities
5. Report - Document and notify as required

Contact Security

For security issues:

• Security vulnerabilities: security@anava.ai
• Suspected breach: Call support immediately
• Compliance questions: compliance@anava.ai

Related Topics

• Installation - Secure deployment
• Upgrade Guide - Security updates
• Backup & Recovery - Data protection