Our Security Management Program takes each of our customers’ security requirements into consideration and arrives at a set of requirements and initiatives unique to us and our environment.
We don’t look at security as a destination to reach — it’s an ongoing journey. We continually strive to improve our software development and internal operational processes with the aim of increasing the security of our software and services. The secure way should be the easy way, and that’s why security is built into the fabric of our products and infrastructure. Here are a few ways we build security in as part of the way we work, day-to-day.
Security is front of mind when designing our applications, networks, and business processes
The Invarosoft Cloud security architecture is designed with consideration of a broad range of industry standards and frameworks and in tandem with our internal threat modeling process. It’s designed to balance the need for flexibility with the need for effective controls to ensure confidentiality, integrity, and availability of our customers’ data.
App dev security, data security & information lifecycle management.
Crypto & encryption, threat and vulnerability management, security incident management.
Asset management, access control, operations, communications security.
Data center & offices
Physical and environmental security.
Security governance, organization of security, personnel security, supplier & third-party data management, mobile security, business continuity, audit/compliance, privacy.
The security controls that inform our architecture are designed to align with a number of different standards.
We have strict network controls with a focus on the sanctity of the “production” environment
Traditional network security theory separates the world into “inside“ and “outside” and focuses on the control points between the two areas. While we maintain strict control between our internal networks and the internet, we focus primarily on the delineation between our “production” and “non-production” environments.
We control access to our sensitive production networks through the use of strict firewall rules and require multi-factor authentication and encrypted connections. We’ve also implemented intrusion detection and prevention systems in both our office and production networks to identify potential security issues.
Threat modeling is used to ensure we’re designing in the right controls for the threats we face
During the product planning and design phase, we use threat modeling to understand the specific security risks associated with a product or feature. Generally speaking, threat modeling is a brainstorm session between engineers, security engineers, architects, and product managers of an application or service. Threats are identified and prioritized, and that information feeds controls into the design process and supports targeted review and testing in later phases of development.
We utilize threat modeling early and often and can ensure that relevant security configuration and controls are designed to mitigate threats specific to each product or feature we develop.
The criticality of our products will vary from customer to customer. From talking to our customers, we know that products like ITSupportPanel often end up being part of key business processes. We run our business on our own product suite, so we understand the importance of reliability and recoverability.
We operate in Tier 1 data centers
We host the Invarosoft platform with industry-leading services such as Amazon Web Services, resulting in optimal performance with redundancy and failover options globally. These data centers have been designed and optimized to host applications, have multiple levels of redundancy built in, and run on a separate front-end hardware node on which application data is stored.
We care about high availability of your data and services. We focus on product resiliency through standards and practices that allow us to minimize downtime. Our cloud hosting partners resiliency practices are based on SOC2, ISO 27002 and ISO 22301. Key principles guiding our Disaster Recovery (DR) Program include:
1.Continual improvement. We strive to ensure our improvements to resiliency grows through operational efficiencies, automation, new technologies and proven practices.
2.Assurance through testing. We only know it works if we test it. With regularly scheduled testing and continual improvements, we are able to keep our DR Program at an optimum.
3.Dedicated resources. Invarosoft has dedicated teams to ensure our customer-facing products get the attention they need to make the Disaster Program possible.
We have an extensive daily and weekly backup regime
In addition to platform-wide resiliency, we also have a comprehensive backup program for our Software-as-a-Service (SaaS) offerings.However, restore and recovery of these backups will only be provided on our own platform.
We have comprehensive, tested business continuity and disaster recovery plans
We are determined to maintain strong Business Continuity (BC) and Disaster Recovery (DR) capabilities to ensure that the effect on our customers is minimized in the event of any disruptions to our operations.
Our Disaster Recovery Program consists of a few key practices to ensure the appropriate levels of governance, oversight, and testing:
1.Governance. Leadership involvement is key to how we run our DR Program. With leadership involved, we have both business and technical drivers accounted for in our strategy for resilience.
2.Oversight and maintenance. We take a disciplined governance, risk, and compliance approach when monitoring and managing our DR program. It enables us to operate more efficiently and effectively when monitoring, measuring, reporting, and remediating key activities within our DR program. Site Reliability Engineers are committed to ongoing Disaster Recovery meetings and represent their critical services. They discuss identified DR gaps with the risk and compliance team and focus on the appropriate levels of remediation as necessary.
In addition to assurance of resiliency through governance, oversight, and testing, Invarosoft emphasizes on continual improvement throughout the DR Program.
One of our industry’s challenges is to ship secure products while maintaining a healthy speed to market. Our goal is to achieve the right balance between speed and security. There are a range of security controls we implement to keep our products and your data safe.
All data sent between our customers and our applications is encrypted in transit
All data for our services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.
We believe we can rely on the physical controls and management at AWS, as well as transit-level encryption to protect customer data. A minimum of 128-bit Advanced Encryption Standard (AES) is used for attachments.
We take innovative approaches to building quality software
We step outside the traditional realm of Quality Assurance (QA) to ensure new features are introduced quickly and safely by adopting the notion of Quality Assistance.
While we consistently strive to reduce the number of vulnerabilities in our products, we recognize that they are, to an extent, an inevitable part of the development process.
We have both internal and external security testing programs with our bug bounty
Our approach to vulnerability management for our products consists of internal and external security testing.
This approach spans planning, development and testing phases, each test building on previous work and progressively getting tougher.
In the development phase, we focus on embedding code scanning to remove any functional and readily identifiable, non-functional security issues.
In the testing phase, both our development and security engineering team switch to an adversarial approach to attempt to break features using automated and manual testing techniques.
Our security engineering team has developed a wide range of security testing tools to automate common tasks and make specialized testing tools available to our product teams. These tools are beneficial for the security team and they empower developers to “self-serve” security scans and take ownership of the output.
Once a release moves to production, external testing takes over. This approach is built around the concept of “ongoing assurance”; rather than relying solely on a point-in-time penetration test, we have an always-on, always-testing model through the use of a public, crowd-sourced bug bounty model.
When a vulnerability is identified by one of our users during standard use of a product, we welcome notifications and respond promptly to any vulnerabilities submitted.
Specialist security consultants are used to complete penetration tests on high-risk products and infrastructure, like a new infrastructure architecture (e.g., our cloud environment), a new product, or a fundamental re-architecture (e.g., the extensive use of micro-services.)
As much as securing our products is a priority, we also understand the importance of being conscious of the way we conduct our internal day-to-day operations. The concept of “building security in” is the same philosophy we use with our internal processes and influences how our business is conducted.
Access to customer data stored within applications is restricted on a ‘need to access’ basis
Within our SaaS platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and contractors during the on-boarding / induction process which covers the importance of and best practices for handling customer data.
Within Invarosoft, only authorized Invarosoft employees have access to customer data stored within our applications.
Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.
Physical access to our data centers, where customer data is hosted, is limited to authorized personnel only, with access being verified using biometric measures. Physical security measures for our data centers include on-premise security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures.
Our support teams will only access customer data when necessary to resolve an open ticket
Our global support team has access to our cloud-based systems and applications to facilitate maintenance and support processes. Hosted applications and data are only able to be accessed for the purpose of application health monitoring and performing system or application maintenance, and upon customer request via our support system.
Our security training and awareness program doesn’t just check compliance boxes but results in a genuine uplift in knowledge across the company
Our awareness program is built on the premise that security is everyone’s responsibility. These responsibilities and the training and awareness program is used as the primary vehicle for communicating these responsibilities to our staff.
We strive to hire the best
Just like any company, we want to attract and hire the best and the brightest to work for us. During recruiting, we perform employment, visa, background and financial checks. On acceptance of an offer, we ensure each new hire has a 90-day on-boarding plan and access to on-going training based on their role.
We acknowledge that there is always margin for error. We want to be proactive in detecting security issues, which allows us to address identified gaps as soon as possible to minimize the damage.
Security Incident Management
Incidents will happen, but our speed and efficiency in response will keep the impact as low as possible
We use specialist security consulting firms to complete penetration tests on high-risk products and infrastructures. Examples of this might include a new infrastructure set up for us (e.g. our Cloud environment), a new product (e.g. Stride), or a fundamental re-architecture (e.g. the extensive use of micro-services).
Internal processes are in place to review any reported vulnerabilities and act on them. The process includes predefined SLAs for patching vulnerabilities based on CVSS severity level.
The security statements made above are made on the basis our partners agree to our Terms of Service.