This article addresses questions from users about how secure Nx Cloud is from hacks, and the level of access Network Optix has to users’ systems.
Does Nx have access to users' private data (e.g. authentication, archive, or databases)?
It is reasonable for users of a product to wonder how secure their data is from others, even from the company that made the product. Users can use Nx Witness confidently knowing that we do not have access to their private data due to the following security practices:
- Network Optix does not store or have access to unencrypted passwords.
- The Nx Cloud database stores user passwords as a complex multi-level salted hash.
- Nx Witness does not create or store any API keys for accessing a particular VMS installation.
To learn more about how we use encryption to protect your data, see our “How secure is Nx Witness?” support article.
Can Nx developers somehow gain access to users' private data?
Network Optix designed Nx Witness with the “the enemy knows the system” principle in mind, so our developers and outside parties can NOT gain access to the system without the users’ unencrypted passwords.
There are no universal passwords, no backdoors, and no stored passwords that Network Optix developers can use to gain access to users’ systems, even if they wanted to.
Can traffic be intercepted on the relay server or other cloud components?
User traffic between Nx Desktop/Nx Mobile and Nx Server is exchanged directly between the two. The cloud mediator service is used only to help Nx Desktop/Nx Mobile and Nx Server establish a TLS-over-UDP connection. User traffic and credentials are NOT sent to the cloud mediator.
If the UDP hole punch cannot be established, Nx Witness uses relay servers to proxy TLS-encrypted traffic between Nx Desktop/Nx Mobile and Nx Server. Encryption keys are known only to Nx Desktop/Nx Mobile and Nx Server. Nx Witness relay servers do not receive the encryption keys, so there is no way this traffic can be decrypted and analyzed on a relay server.
The user traffic between Nx Cloud Portal and Nx Server is TLS-encrypted and proxied through an Nx Witness relay server. Afterwards, the TLS connection is terminated by the relay server. As with any other website, user traffic can be viewed if an intruder has physical access to the website server.
In all cases, authentication requests are handled in exactly the same way: by the Nx Server at the user's site, and never by the relay or mediator. The Nx Server does not distinguish between requests that were received through a public TCP port or a relay. For more information, see our “Cloud Connect” support article.
Does Nx Witness software change firewall rules?
No, it is impossible for Nx Witness to change users’ firewall rules. For information about Nx Witness-related outgoing connections, see our “Firewall Pass List” support article.
Has Nx Witness software undergone an independent cyber security audit?
Yes, Nx Witness is designed to be secure from the ground up and has completed comprehensive white-box penetration testing. For more information on our approach to security, see our “Cyber Security and Nx Witness” support article. Please contact support to obtain more information about the penetration testing that Nx Witness undergoes.