Security Standards, Compliance, and Penetration Testing
At QSC, we take security very seriously. QSC is focused on providing quality solutions that are secure and safe to use in your business, school, or organization. We take a blended approach to securing the Q-SYS Ecosystem so that you can rest assured that your communications and data are protected.
- People – The best employees in the industry work at QSC. Our employees are knowledgeable, skilled, and dedicated to developing, building, and protecting the Q-SYS Ecosystem of today and tomorrow.
- Protection – We utilize industry-leading solutions for infrastructure and software to thwart attacks and malicious activity. From the ground up and from the inside out, Q-SYS has been developed and engineered to work in tandem with IT best practices around security and safety.
- Prevention – We constantly evaluate trends and technologies to determine best-of-breed solutions to protect the Q-SYS Ecosystem.
- Protocol – We use proven QSC methodology to develop, enhance, and evolve the Q-SYS Ecosystem. Our Software Development, Product Management, and Internal IT Operations Team work closely together and follow an extensive playbook to protect and secure your data.
QSC uses the following industry standards and recognized best practices to strengthen and validate security throughout the Q-SYS Ecosystem.


A Q-SYS system exhibits security in layers founded in the development process and maintained through to system configuration during on-site deployment. Those layers include:
- Peer review on code submissions
- Static code analysis throughout the development process
- Internal security testing using black-box and white-box methodologies
- Cryptographic code-signing on firmware images
- Highly restricted access to system data from customer systems stored in the cloud
- Geographically disparate, redundant server locations for cloud services
- Symmetric keys, secure key stores, and regular key rotation for all data stored in the cloud
- Annual penetration testing using external cybersecurity professionals
- Security-oriented documentation for a variety of user personas

To increase the security and integrity of the Q-SYS OS, Q-SYS Designer Software v9.1.0 and later implements cryptographic code signing for Q-SYS Core firmware images to ensure their authenticity. Once a Core is updated to version 9.1.0 or later, it will inspect subsequent firmware updates for a digital signature and, by default, will only install firmware that is signed by QSC. This protects the Core against illegitimate or potentially compromised firmware.

QSC utilizes Google Cloud and Microsoft Azure for cloud infrastructure hosting and services. Google Cloud and Microsoft Azure are fully compliant with multiple SOC and ISO regulations. QSC also operates within a colocation data center that is fully SOC and ISO compliant. You can find more info here:

QSC partnered with cybersecurity specialists as part of its ongoing commitment to security within the Q-SYS OS. Part of that engagement included specialists for third-party penetration testing. With access to Q-SYS source code, the cybersecurity specialists performed white-box tests against the Q-SYS Platform, Q-SYS Reflect cloud, and supporting QSC IT infrastructure.
A report from the cybersecurity specialists is available for customer review under NDA. Please contact your local QSC Sales Director for more information.

QSC has implemented multiple layers of data security in the form of policies, physical protections, and technical solutions to ensure that customer data is always protected and treated with the highest respect.

QSC implements encryption for data transport and storage across key Q-SYS areas using recognized IT security industry best practices. There are some areas of the Q-SYS platform where encryption is not yet used but will be added in the future. There are also some areas where encryption, necessarily, cannot be used.

Encryption is used for:
- All Q-SYS management software application to Q-SYS Core communications
- Communication between Q-SYS Core processors and web browsers
- Communication between Q-SYS Core processors and the Q-SYS Reflect cloud
- Data stored in the Q-SYS Reflect cloud
- HDMI content distribution using Q-SYS NV Series endpoints
- Q-SYS User Control Interface (UCI) communications between Q-SYS Core processors and the iOS Control App v3.4 or later
- UCI communications between the Core and the Windows UCI Viewer application
- Custom Lua scripts leveraging HTTPS or SSH

Encryption is not yet used for:
- Audio and control communications between Q-SYS Core processors and hardware devices
- Control communications between the Core and Q-SYS touch screen controllers

Encryption cannot be used for:
- Q-SYS Discovery Protocol (QDP)
- Audio distribution using AES67 and Dante
- WAN media streams
- Media Stream Transmitters and Receivers
- Dolby Atmos digital audio interface
- Control components that can send unencrypted data, including Command Buttons, Control Link (servers and clients), Ping, SNMP Query, Block Controller, Control Script v2, and Text Controller
- Any Q-SYS plugin or extension that is not known to use secure, encrypted communications
- External control from a third-party control system may not be encrypted