Security Fundamentals
Outbound only and why this is important
Outbound internet access might raise concerns at first, but it’s a standard and secure requirement for modern building infrastructure. Novant devices use an outbound-only communication model designed to prioritize network security. This means:
- All connections are initiated from inside your network - the device makes the request.
- External systems cannot initiate connections into your network or the device.
- Each device connects only to a single endpoint: the Novant Cloud.
This approach makes the system safer than allowing inbound access, because the internal network remains invisible to the outside world.
Why this is important:
- Ensures secure firmware updates
- Prevents outside systems from probing or attacking your network
- Reduces the approval burden for IT (only one outbound rule is needed)
- Keeps critical building protocols local while still enabling cloud management
Maintenance Updates
Just like your phone or computer, Nodes need regular updates to stay secure and reliable. Updates provide:
- Security fixes to protect against new threats
- Feature improvements for better performance and functionality
- Bug fixes to keep systems running smoothly
Because our devices use an outbound-only model, updates are securely downloaded from Novant’s cloud and verified with digital signatures before installing.
Questions IT might ask:
“Do we need to allow outbound Internet access to the Novant Cloud?”
Yes. The outbound-only connection to the Novant Cloud:
- Ensures secure firmware updates
- Prevents outside systems from probing or attacking your network
- Reduces the approval burden for IT (only one outbound rule is needed)
- Keeps critical building protocols local while still enabling cloud management
“Who will be responsible for monitoring updates — IT or the site team?”
The Novant plan fee includes updates for edge nodes and cloud software.
Hardware Security
Novant hardware nodes are built with security at the core. Each device uses digitally signed firmware and secure boot to ensure only trusted software runs on the device - protecting against both remote attacks and physical tampering.
Digitally Signed Firmware
Think of it like a tamper-proof seal on a package.
- When Novant creates firmware (the software that runs on the device), we “seal” it with a unique digital signature.
- When the device downloads the firmware, it checks that seal before installing.
- If the seal is broken, missing, or invalid, the device knows the file was altered or not from Novant — and refuses to install it.
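The check described in the list above, sketched in Go as an added example; it is not Novant's firmware code. It assumes Ed25519 detached signatures and a vendor public key stored on the device (the page does not say which signature scheme Novant uses), and the function names, demo key and sample image are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Assumption: Ed25519 detached signatures; the scheme is not stated on the page.
var (
	ErrMissingSignature = errors.New("firmware rejected: signature missing")
	ErrInvalidSignature = errors.New("firmware rejected: signature invalid")
)

// VerifyFirmware returns nil only if sig is a valid signature over image
// under the vendor public key held by the device.
func VerifyFirmware(pub ed25519.PublicKey, image, sig []byte) error {
	if len(sig) == 0 {
		return ErrMissingSignature
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, image, sig) {
		return ErrInvalidSignature // altered image, wrong key, or malformed seal
	}
	return nil
}

// Install (hypothetical) verifies first and calls write only on success.
func Install(pub ed25519.PublicKey, image, sig []byte, write func([]byte) error) error {
	if err := VerifyFirmware(pub, image, sig); err != nil {
		return err
	}
	return write(image)
}

// demoSigned builds a constructed image signed with a fixed demo-only key.
func demoSigned() (ed25519.PublicKey, []byte, []byte) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	image := []byte("constructed firmware image v1")
	return priv.Public().(ed25519.PublicKey), image, ed25519.Sign(priv, image)
}

func main() {
	pub, image, sig := demoSigned()
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // flip bits in one byte after signing
	fmt.Println("intact:  ", VerifyFirmware(pub, image, sig))
	fmt.Println("tampered:", VerifyFirmware(pub, tampered, sig))
	fmt.Println("unsigned:", VerifyFirmware(pub, image, nil))
}
```

The installer never touches storage unless verification succeeds, so a rejected image leaves the running firmware unchanged.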
Secure Boot
This works like a bouncer at the door every time the device powers on.
- At startup, Secure Boot verifies the integrity and authenticity of the system software.
- If the software lacks a valid digital signature, the device blocks it from running.
- This ensures malware or tampered code can’t sneak in during startup.