SaaS Security Model
Security and access are key questions for companies looking to use a web application. Since around 2000 these concerns have largely been addressed on the internet through multi-layer defense, also known as defense in depth. The layers are explained in this document. Polonious implement all of these layers and have options to add extra defenses for particular customers should they be required.
When a user logs onto the Polonious web application, the web browser displays a small padlock in the bottom right-hand corner of the page. This indicates that all data transmitted between the web browser and our server application is encrypted. The SSL connection securing the application uses 128-bit encryption (256-bit encryption can also be used if required). This is the same kind of protection that banks and shopping sites use to protect your credit card details from theft.
For more information on SSL, see http://en.wikipedia.org/wiki/Transport_Layer_Security
Complex Password rules, Lockout, Expiration and History
In Polonious, complex password rules, lockout, password expiration and password history are implemented to increase the security of user accounts. All of these rules can be easily configured on the server to meet your requirements.
By default the password rule only allows passwords of 8 to 16 characters containing at least one upper-case character and one special character. By default a user account is locked after 5 unsuccessful login attempts. Password expiration can be configured per security role. A history of passwords is maintained and users are not permitted to reuse any previous password.
In Polonious all passwords are hashed with SHA-512.
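The three account controls described above (complexity rules, lockout after 5 failed attempts, and a history check against every previous password) fit together as shown in the following Python model. It is an added illustration, not Polonious code, and the page does not state how the product implements them. Two details are assumptions because the page does not specify them: each stored SHA-512 digest is computed over a random per-user salt plus the password (the page only says SHA-512 is used), and "special character" is taken to mean any printable character that is not a letter or digit.

```python
"""Password policy model: complexity, lockout and history (added example, not Polonious code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Policy values taken from the page: 8-16 characters, at least one upper-case
# and one special character, account locked after 5 unsuccessful attempts.
MIN_LENGTH = 8
MAX_LENGTH = 16
MAX_FAILED_ATTEMPTS = 5


def check_complexity(password: str) -> list[str]:
    """Return the names of the rules the candidate password violates (empty list = OK)."""
    violations = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        violations.append("length")
    if not any(c.isupper() for c in password):
        violations.append("uppercase")
    # Assumption: "special" means any printable character that is not a letter or digit.
    if not any(c.isprintable() and not c.isalnum() for c in password):
        violations.append("special")
    return violations


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """SHA-512 over salt + password. The random per-user salt is an assumption;
    the page only states that SHA-512 is used."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    username: str
    salt: bytes = b""
    digest: bytes = b""
    # Every (salt, digest) ever set: the page says no previous password may be reused.
    history: list[tuple[bytes, bytes]] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, new_password: str) -> list[str]:
        """Apply the complexity rules and the history rule; return the violations."""
        violations = check_complexity(new_password)
        # Each history entry has its own salt, so the candidate is rehashed per entry.
        if any(verify_password(new_password, s, d) for s, d in self.history):
            violations.append("history")
        if violations:
            return violations
        self.salt, self.digest = hash_password(new_password)
        self.history.append((self.salt, self.digest))
        return []

    def login(self, password: str) -> str:
        """Return 'ok', 'failed' or 'locked'; the account locks on the 5th failure
        and stays locked until an administrator resets it (reset not modelled)."""
        if self.locked:
            return "locked"
        if self.digest and verify_password(password, self.salt, self.digest):
            self.failed_attempts = 0  # a successful login clears the failure counter
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            return "locked"
        return "failed"


if __name__ == "__main__":
    acct = Account("alice")                      # constructed sample account
    print(acct.set_password("Tr0ub4dor&3"))      # [] -> accepted
    print(acct.set_password("Tr0ub4dor&3"))      # ['history'] -> reuse rejected
    print(check_complexity("alllower&1"))        # ['uppercase']
    for _ in range(5):
        print(acct.login("Wrong-Guess1"))        # failed x4, then locked
    print(acct.login("Tr0ub4dor&3"))             # locked, even with the right password
```

Once locked, even the correct password is refused, which is the behaviour an administrator should expect to see in the logs when a real user is caught by a guessing attempt against their account.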
In cryptography, SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256, SHA-384, SHA-512) designed by the National Security Agency (NSA) and published in 2001 by NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm. SHA-2 includes a significant number of changes from its predecessor, SHA-1; its four functions produce digests of 224, 256, 384 or 512 bits.
For more information on SHA-512 see http://en.wikipedia.org/wiki/SHA-2
Further Network options
Polonious can configure a customer instance to accept connections only from particular IP addresses. This means that if you always access the site from one office, we can ensure that only that office can reach the application. All other connections receive a ‘time out’ message in the web browser.
All of our sites are monitored once a minute to report systems down, potential problems and suspicious activity. All exceptions are reported back to the support team via email for immediate action.
All of our customer instances are separated into their own virtual environments. This isolates each customer's data and improves security. With improved customized firewalls and daily backups, plus generous bandwidth, the applications and policies of your “neighbors” have absolutely no effect on your server performance. Your data is safe.
Many attacks succeed because software exposed to the internet is not ‘patched’ regularly for security issues. Polonious have a procedure in place to ensure this happens daily.
All customer data is backed up, encrypted and sent off-site to a server remote to the main server pool. We can restore a customer to the end of previous day operations should the need arise. We regularly check the backups for completeness as part of our support business processes here at Polonious.
Viruses and Spyware
Polonious deploy all our application servers on the Linux operating system. There are no known viruses or spyware that affect this environment, due to the way the operating system has been architected.
Background checks are conducted on all our staff, and each signs an agreement with Polonious. They understand that any compromise of our customers’ privacy will result in legal action and dismissal.
Polonious has all of its servers custom built to specification by a trusted supplier, so there is no compromise in the quality and security of our servers. We do not use third-party bulk hosting solutions or cheaper cloud options, which means your data is stored in a known, controlled environment in an appropriate jurisdiction.
As we own the hardware, we control where your data is physically located, so you can be assured that if there were ever an issue it could be addressed within an appropriate legal framework. For US customers we host on servers located in Washington, Virginia and Washington D.C. For Australian and New Zealand customers we have several server locations in NSW.
All of the hosting locations have the highest standards of physical security, and access is available only to approved personnel. Security measures include live monitored surveillance 24x7x365. Biometric access control systems ensure that only vetted technicians and Polonious representatives ever have access to your servers. Smoke detectors, fire detectors and surveillance cameras are kept in top operating condition.
Polonious customers have independently engaged security experts to conduct penetration tests, to the level of bank-grade security, on our application; we have successfully passed those tests and retain those customers to this day.
For more information on penetration testing see http://en.wikipedia.org/wiki/Penetration_test
The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the United States Department of Defense (DoD) process to ensure that risk management is applied on information systems (IS). DIACAP defines a DoD-wide formal and standard set of activities, general tasks and a management structure process for the certification and accreditation (C&A) of a DoD IS that will maintain the information assurance (IA) posture throughout the system’s life cycle.
For more information on DIACAP see
Polonious has several compensation and health insurance clients and is regularly reviewed in relation to HIPAA compliance.
For more information on HIPAA see http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
CompTIA Security Trustmark+ certified
PCI (Payment Card Industry) penetration tested
For more information on PCI see here.
For more information on SSAE16 see here.