The presence and use of multiple agents should never compromise the security of the device or the customer's data.
- A device should not store any data related to personal customer information. Any required storage of personal data should be minimized and encrypted.
- All customer data in the cloud should be handled in a secure manner (e.g., access control, automatic logging, encryption, multi-factor authentication).
- A device should have hardware and software security capabilities that include secure boot, a trusted compute boundary, an anti-roll-back mechanism, and should support hardware-based cryptographic engines.
- A device should implement sufficient hardening and access control techniques to limit system access to authorized users, processes, or applications.
- A device should implement adequate authorization, authentication, and input sanitization mechanisms.
- A device should implement a secure software update process to apply all security patches.
- A device should implement secure transmission of data between the device and the cloud, such as use of the latest version of TLS and certificate validation of cloud endpoints.