FAQ Serstech ChemDash
Architecture & Deployment
Q: What is the ChemDash solution?
A: Serstech ChemDash is a set of tools to manage information, assist collaboration and drive decision making in the chemical arena. It acts as a platform to interconnect chemical sensors and data, people, organizations and external IT systems into one ecosystem. Serstech currently has a particular focus on use cases within the security market, e.g. first responders, border control, police forensics, drugs, bomb disposal and military.
Q: Which are the main benefits I gain from using ChemDash?
A: Serstech is continually adding new capabilities but the most fundamental functions include the following.
• Real time monitoring and configuration of all your Serstech 100 Indicator devices
• Automatic upload and backup of all measurements made with your Indicators
• View, print and share measurement reports
• Create your own spectra libraries from our own measurements or mix with licensed spectrum data available in ChemDash
• Download spectra libraries to your Indicator to customize and enhance your detection capabilities
• Add your own substance information in any language to libraries to customize result displays (GHS or custom formats)
• Manage your system user accounts
Q: How can I be sure the ChemDash solution is future-proof?
A: Our goal has always been to offer a truly future-proof, flexible and high-value service. One important ingredient is the ability to add your own data to the system and work with it. The Serstech solution supports this in several ways:
• You can create your own spectral databases locally, in the instrument. These can then be used as a reference in any of the embedded scan methods. You can use your own data separately, or mix it with licensed data while sampling.
• The ChemDash system lets you collect all your data and assemble your own packages, complete with customised chemical information messaging, which can be displayed locally in the Indicator whenever a match is found. Additionally, you can download your databases to one or several Indicators to ensure they are always up-to-date. Serstech’s experts are always on hand to assist you in setting up the system and aligning it fully with your needs.
• The Serstech 100 Indicator’s user interface features multi-language support and new languages are added on a regular basis.
• We also continuously improve existing features and develop new ones. These improvements are released as firmware updates, available to all our customers.
• Since ChemDash is a SaaS service, new functionality will be available to you on a continual basis. There is no need for the customer to install any software to benefit from ChemDash, which minimizes overhead. New functions in ChemDash, as well as any firmware updates to your Serstech 100 Indicators, will be visible to you as soon as they are available for download to your devices.
Q: What is SaaS?
A: Software as a Service (SaaS), or “Cloud applications”, is software that is owned, delivered and managed remotely by one or more providers. The provider delivers software based on one set of common code and data definitions that is consumed in a one-to-many model by all contracted customers.
US National Institute of Standards and Technology (NIST) defines several characteristics that it sees as essential for a service to be considered “Cloud.” These characteristics include:
• On-demand self-service. The ability for an end user to sign up and receive services without the long delays that have characterized traditional IT
• Broad network access. Ability to access the service via standard platforms (desktop, laptop, mobile etc.)
• Resource pooling. Resources are pooled across multiple customers, also known as Multi-tenant
• Rapid elasticity. Capability can scale to cope with demand peaks
• Measured service. Billing is metered and delivered as a utility service
Q: Will ChemDash force us to rely on a specific cloud hosting provider?
A: No. Even though the standard edition runs on the Microsoft Azure platform, ChemDash is very portable. We have taken great pains not to use any cloud infrastructure feature which would make it hard to move the platform to another provider at a later date. The same approach is also required in order to be able to run the solution, or parts of it, within a closed and private network, as required by some customers.
Q: We realize ChemDash provides state of the art security and encryption. But we cannot run a service such as this with internet access due to our security protocols. Will this stop us from using the solution completely or can we e.g. run the platform in our own private network?
A: The ChemDash architecture is made to be flexible in this regard. It is designed from the ground up to be able to run in various deployment scenarios. This includes private and hybrid hosting options. Please contact Serstech for further discussion on your specific needs.
Q: Will my data be secure in ChemDash?
A: The standard ChemDash platform is using Microsoft Azure Trusted Cloud infrastructure. Azure meets a very broad set of international as well as regional and industry-specific compliance standards, such as ISO 27001, FedRAMP, SOC 1 and SOC 2. This ensures security for your data. Please contact us for more detailed information.
Q: Can you describe the ChemDash security design model in more detail?
A: Yes, there are a number of key security design patterns which should be enforced by any SaaS service. ChemDash by design enforces the following such patterns.
• Gatekeeper design. To minimize the risk of clients gaining access to sensitive information and services, all hosts and tasks that expose public endpoints are decoupled from the code that processes requests and accesses storage. This is achieved using a façade or a dedicated task that interacts with clients and then hands over the request, through a protected interface, to the relevant hosts or tasks.
• Filtering. An intermediary layer between the user and the data source acts like a filter, so the information appears to the user as though it were the only data in the database.
• Permissions. The system uses an authentication mechanism to authenticate devices, the tenant, the user and the role of the user trying to access the system. It determines access level rights and controls what the user is allowed to do with the data, once authenticated. (See also connection security details below.)
• Encryption. The system can encrypt tenant data to prevent access by unauthorized parties, even if they come into possession of it, e.g. by intercepting data streams between users and system. (See also connection security details below.)
• Robustness. Another important security feature is that the system can handle server redundancy and application resilience to e.g. DoS (Denial of Service) attacks and infrastructure interruptions or breakdowns.
• Logging. Functions that support traceability and debugging throughout the system are also crucial from a security perspective. All activities in the system are therefore logged and stored, such as device or user log-in, failure to log in or out, database access etc. Logging data can also be used during development to ensure high code quality, e.g. by identifying the source of potential errors and tracing them to a particular module of functionality.
• Deployment flexibility. For extremely security-aware tenants, it may not be an option to deploy the system as a public SaaS service accessible over the regular Internet infrastructure, regardless of the precautions described above. In-house (private) deployment may be the only option. We have therefore designed the ChemDash system for cost-effective integration in both public and private deployment scenarios.
In addition, all connections between your devices and the ChemDash system are protected by strong HTTPS over SSL encryption and associated authentication protocols. As a user, you connect to the system according to the same principles. This way of working offers the full security capabilities of SSL/TLS for all connections to and from the system. In addition, the use of standard security protocols enables interoperability with a wide range of computers and web browsers. It is therefore cost-efficient and easy to use.
The ChemDash servers are protected by Extended Validation (EV) SSL certificates. This is critical, since it offers protection from interception attempts (i.e. “man in the middle attacks”) between users and the ChemDash system. Note that any cloud service without an EV certificate (as indicated by the “Green bar of trust” in your browser address field) cannot be fully trusted in this regard.
Q: Can multiple customers use the same software?
A: Yes, the solution is designed for multi-tenancy. Data separation and protection are ensured since each tenant will have their own private database. This means each customer can only ever access their own data.
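The gatekeeper, filtering, permissions and logging patterns from the security design answer above, together with the one-private-database-per-tenant separation, shown as an added Python example. It is not ChemDash code or part of the original FAQ; the tenant names, tokens, roles and the gatekeeper, Backend and Denied names are constructed for illustration.

```python
import logging

logging.basicConfig(level=logging.INFO)
audit = logging.getLogger("audit")  # Logging: every decision is recorded

# Constructed sample data (hypothetical names): one private store per tenant.
TENANT_DBS = {"tenant-a": {"m1": "acetone", "m2": "ethanol"},
              "tenant-b": {"m9": "toluene"}}
# Constructed session table: token -> (tenant, user, role).
SESSIONS = {"tok-alice": ("tenant-a", "alice", "admin"),
            "tok-bob": ("tenant-b", "bob", "viewer")}
ROLE_ACTIONS = {"admin": {"read", "delete"}, "viewer": {"read"}}


class Denied(Exception):
    """Raised by the gatekeeper; the backend is never reached."""


class Backend:
    """Processes requests and touches storage; has no public endpoint."""

    def __init__(self, tenant):
        # Filtering: this handle is bound to one tenant's database only.
        self._db = TENANT_DBS[tenant]

    def read(self, key):
        return self._db.get(key)

    def delete(self, key):
        return self._db.pop(key, None) is not None


HANDLERS = {"read": Backend.read, "delete": Backend.delete}


def gatekeeper(token, action, key):
    """Public facade: authenticate, authorize, log, then hand over."""
    session = SESSIONS.get(token)
    if session is None:
        audit.warning("authentication failed")  # never log the token itself
        raise Denied("unauthenticated")
    tenant, user, role = session  # tenant comes from the session, not the request
    if action not in ROLE_ACTIONS.get(role, ()):
        audit.warning("denied user=%s tenant=%s action=%r", user, tenant, action)
        raise Denied("forbidden")
    audit.info("allowed user=%s tenant=%s action=%r key=%r", user, tenant, action, key)
    # Permissions passed: dispatch from a fixed table, not from client input.
    return HANDLERS[action](Backend(tenant), key)
```

Because the request carries no tenant field at all, a user of tenant-b asking for key "m1" simply gets no record rather than tenant-a's data.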
Secure Coding and Code Management
Q: Was ChemDash developed with secure coding and code management best practices?
A: Yes. During development the team uses industry-standard secure coding best practices. The code is reviewed and tested for security vulnerabilities and also audited by external security experts.
Q: Can I set up a VPN to access ChemDash?
A: It depends. VPN tunneling is technically possible and is desired for e.g. certain hybrid deployment scenarios. But since individual requirements are likely to differ, an evaluation will have to be done on a case-by-case basis. ChemDash uses REST-based connection protocols, always over HTTPS (SSL/TLS) links with 256-bit AES encryption. The same protocols are used for connections to chemical sensors (such as the Serstech 100 Indicator) as well as to client browsers. This means the level of security is very high even before any VPN tunneling.
Q: Are inbound connections to my network required to connect devices and users to ChemDash?
A: No, all connections are initiated by the client, regardless of whether it is the user’s browser or a sensor device such as the Serstech 100 Indicator. Having said that, your firewall will have to accept data transfers using the HTTPS protocol. This is done over TCP port #443. This port is normally left open for outgoing connections, but if it has been completely blocked in the firewall you will not be able to connect to the system. If this is the case due to your network security policies, there may be other solutions, such as VPN tunneling or private system deployment. In this case, please contact Serstech for a more in-depth discussion about your needs.
Q: Are there any special network ports required to connect Serstech 100 Indicator devices to ChemDash?
A: No, all connectivity is realized over the HTTPS protocol (TCP port #443).
Q: Which are the options for connecting Serstech 100 Indicator devices to ChemDash?
A: There are two main ways to connect your devices. One option is to use a USB cable between the Indicator and your computer. The Indicator will become visible as a network interface on your host PC, and if the PC has internet access the Indicator will gain access using your computer as a router. This of course requires the computer to be on and connected to the internet for as long as the Indicator is to be connected to ChemDash.
A more flexible option is to use the Serstech network connection kit to enable the Indicator to connect to ChemDash without the need for a routing computer in between. The kit includes a custom USB cable to connect the device to a compatible network dongle, enabling native network connection capability and simultaneous charging of the Indicator internal battery.
Q: Can I manage all my Serstech 100 Indicator devices in ChemDash?
A: Yes, you can view all your devices and see if they are currently online or not. You can also configure them and download new spectrum matching libraries to your Indicators as needed. All measurements made with the Indicators will be automatically uploaded to ChemDash when they come online.
Q: Is ChemDash protected by firewalls?
A: Yes, the gatekeeper security design pattern built into ChemDash ensures isolation between connections and also prevents intruders from directly accessing backend services.
Q: Is ChemDash data isolated and secured from other customers running on Microsoft Azure?
A: Yes, this is assured by the fact that every ChemDash tenant has their own private database instance. This could potentially reside anywhere, including on the customer’s own servers.
Data Storage & Retention
Q: Is my data isolated?
A: Yes. Customer data is isolated and access is restricted to the data owner.
Q: Is my data encrypted?
A: Yes, all connections to and from the user’s browser are encrypted using HTTPS protected with an SSL EV certificate. This is indicated by the “green bar of trust” in your browser window. Connections to and from chemical sensors such as the Serstech 100 Indicator are protected in the same way.
Q: How long does my data reside in ChemDash?
A: Customer data remains as long as the account is active. If the subscription term runs out, the account will be put into a “limited” status. Users can still log on and view existing data, but no new data can be added to the system until the subscription is renewed. Then full service is restored and previous data is retained.
The account may also be de-activated and associated data deleted permanently, e.g. upon customer’s request to discontinue the service or if the account is delinquent according to Serstech ChemDash Terms & Conditions.
Q: Will you securely delete all of my data if in the future I decide to discontinue the service?
A: Yes, we will do this on your request.
User Authorization & Authentication
Q: How are users authenticated?
A: The system uses an internal user authentication system to authenticate and authorize logins.
Q: Is my password stored encrypted in ChemDash?
Q: Does ChemDash support password complexity?
A: Yes, the system requires and enforces password policies.
Q: How are system users organized?
A: Each Tenant is assigned a separate master account. Within the Tenant several user accounts can be created to provide access to the system for stakeholders in the organization. The users can collaborate and work with the data coming in from the devices connected to the system (e.g. Serstech 100 Indicators).
Q: Are my user’s actions logged?
A: Yes, the system logs all user activities.
Q: How long are logs retained?
A: Logs are retained as long as your ChemDash account is active.
Application Layer Security
Q: Does Serstech use 3rd-party security experts to test the ChemDash platform & application?
A: Yes, security scanning and penetration tests are performed both by the internal security team and by 3rd-party security assessment experts.
Q: As a user, I am very concerned about viruses and malware; what antivirus measures are implemented for the ChemDash platform?
A: Anti-virus software is a program or set of programs designed to prevent, search for, detect, and remove software viruses and other malicious software like worms, Trojans, adware, and more. These tools are critical for users to have installed and up-to-date because a computer without anti-virus software installed will be infected within minutes of connecting to the internet. The bombardment is constant, and anti-virus companies update their detection tools constantly to deal with thousands of new pieces of malware created daily.
Protection against viruses/malware is a shared responsibility between any SaaS provider and the end user. It is extremely important that ChemDash users do their part by protecting their computers with an up-to-date anti-virus/anti-malware program. This responsibility is an important part of the Serstech ChemDash Terms & Conditions for use. As a SaaS provider, Serstech has deployed all appropriate and current security best practices to ensure that our ChemDash platform and the software applications running on it are not infected with viruses/malware that would damage the end user’s computer if he or she clicked on links or accessed features or software functionalities.
Q: My computer has antivirus software such as ESET Endpoint Security NOD32® anti-virus software running on it to protect it from viruses/malware; does this pose any compatibility issues with using ChemDash?
A: No. ChemDash services are SaaS based, which means there is nothing that needs to be installed on the end user’s computer to run it. Users simply need a web browser and internet connectivity to access and use our platform. Antivirus software that is installed on the end user’s computer will not have any compatibility issues with our platform as long as one of our supported web browser versions is used to access the system.