Introduction
This page outlines the security measures and best practices of Digitalized Software, aligned with the SOC 2 framework, for ensuring robust application and data security. Digitalized Software runs on Amazon AWS infrastructure to take advantage of the scalability and flexibility of the cloud, and implements architectural best practices for designing and operating reliable, secure, efficient, and sustainable systems.
1. IT Infrastructure
1.1. AWS Infrastructure: The IT infrastructure that AWS provides to its customers is designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which AWS complies:
- SOC 1/ISAE 3402, SOC 2, SOC 3
- FISMA, DIACAP, and FedRAMP
- PCI DSS Level 1
- ISO 9001, ISO 27001, ISO 27017, ISO 27018
1.2. AWS Resource: Digitalized Software employs a set of AWS resources running within Amazon Virtual Private Cloud (Amazon VPC), such as
- Amazon Elastic Compute Cloud (Amazon EC2)
- Amazon Simple Storage Service (Amazon S3)
- Amazon DocumentDB
- Amazon Relational Database Service (Amazon RDS)
- Amazon MQ
- Amazon Elastic Load Balancing
2. Identity Management
2.1. Authentication and Authorization: Digitalized Software uses a strong authentication mechanism: IdentityServer serves as the identity provider for the ASP.NET Core application, and the React Single Page Application (SPA) authenticates against the server with the OAuth 2.0 Authorization Code Flow with Proof Key for Code Exchange (PKCE).
IdentityServer is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core. IdentityServer enables the following security features:
- Authentication as a Service (AaaS)
- Single sign-on/off (SSO) over multiple application types
- Access control for APIs
- Federation Gateway
Authorization roles and permissions are granularly defined to ensure that only authorized users can access specific resources within the application.
2.2. Multi-Factor Authentication (MFA): Digitalized Software enforces the use of multi-factor authentication for privileged accounts and sensitive operations. This adds an extra layer of security by requiring users to provide additional verification beyond their passwords.
2.3. Secure Password Policies: Digitalized Software utilizes LastPass password manager and enforces robust password policies based on LastPass standards and best practices, including complexity requirements, expiration, and lockout mechanisms, to prevent brute-force attacks and unauthorized access.
3. Network Security
3.1. Network Security: Digitalized Software configures security groups and network access control lists (ACLs) to restrict incoming and outgoing traffic to necessary ports and services only. Least privilege principles are implemented to limit exposure and potential attack vectors.
3.2. Patch Management: Digitalized Software regularly monitors the operating system and software on its EC2 instances and applies updates and patches as needed to address known vulnerabilities and improve overall security.
3.3. Instance Hardening: Digitalized Software follows AWS best practices for instance hardening, such as disabling unnecessary services, using strong encryption for communication, and employing intrusion detection/prevention systems.
4. Server Security
4.1. Access Control: Digitalized Software implements fine-grained access control using S3 bucket policies and IAM roles, and restricts access to the S3 server to authorized users and applications only.
4.2. Encryption: Digitalized Software utilizes AWS S3, which applies server-side encryption with S3 managed keys to protect data at rest in the S3 bucket.
4.3. Data Classification and Lifecycle Policies: Data is classified based on sensitivity and appropriate lifecycle policies are applied to automatically delete or archive data when it’s no longer needed.
5. Transport Security
5.1. SSL/TLS: Digitalized Software enforces the use of SSL/TLS encryption for data transmission between clients, the ASP.NET Core application, and the private S3 server to prevent eavesdropping and data tampering.
6. Logging and Monitoring
6.1. Audit Logging: Digitalized Software implements comprehensive audit logging to track user activities, authentication events, and access to sensitive resources. Logs are stored securely and are regularly reviewed for suspicious or unauthorized activities.
6.2. Intrusion Detection: Digitalized Software has set up intrusion detection and monitoring mechanisms to detect and respond to potential security breaches promptly.
7. Incident Response
7.1. Plan: Digitalized Software has an incident response plan that outlines the steps to take in case of a security incident, including communication, containment, eradication, and recovery.
7.2. Regular Testing: Digitalized Software conducts regular security assessments, penetration testing, and vulnerability scanning to identify and address potential weaknesses.
8. Employee Training and Awareness
8.1. Security Training: Digitalized Software provides regular security training for employees and stakeholders to ensure they are aware of security best practices and potential risks.
9. Browser Requirements and Security
9.1. Supported Browsers: Google Chrome is the recommended browser for running the applications; Mozilla Firefox, Microsoft Edge, and Apple Safari are also acceptable.
9.2. Secure Communication: Communication between the user’s browser and the application server is encrypted using SSL/TLS protocols. Strong cipher suites and key lengths are used to prevent eavesdropping, man-in-the-middle attacks, and data tampering. The SSL/TLS configuration is regularly audited and updated to stay current with best practices and emerging security standards.
9.3. Content Security: Content Security Policy (CSP) controls which sources of content (e.g., scripts, styles, images) are allowed to be loaded and executed within the browser. CSP helps mitigate cross-site scripting (XSS) attacks by preventing the execution of unauthorized scripts and resources.
9.4. Cross-Origin Resource Sharing (CORS): CORS headers define which origins are permitted to access resources on the application’s domain. CORS policies prevent unauthorized cross-origin requests and data exposure while enabling legitimate interactions with external services.
9.5. Cookie and Session Management: Secure cookie settings protect user session data. The “Secure” and “HttpOnly” flags on cookies ensure they are transmitted over secure channels only and are inaccessible to JavaScript, reducing the risk of session hijacking and XSS attacks. Proper session expiration mechanisms are implemented to minimize the exposure of inactive sessions.
9.6. JavaScript Security: JavaScript libraries and frameworks used within the application are regularly updated and patched, so that the application runs on the latest versions in which known security issues have been addressed.
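A check a practitioner would run against the controls in 9.3, 9.4 and 9.5, as an added example that is not code from Digitalized Software: it parses a response's headers and reports a CSP that permits inline scripts, a wildcard CORS origin combined with credentials, and cookies missing Secure, HttpOnly or SameSite. The two sample responses are constructed.

```javascript
// Added example, not code from Digitalized Software: audits the response headers
// that sections 9.3-9.5 rely on. The sample responses below are constructed.
function parseCsp(value) {
  const directives = {}; // directive name -> source list, lower-cased for matching
  for (const part of value.split(';')) {
    const tokens = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}
// Returns a list of findings; an empty list means the response passed every check.
function auditHeaders(headers) {
  const findings = [];
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  // 9.3: CSP must be present and must not allow inline or arbitrary scripts.
  const csp = h['content-security-policy'];
  if (!csp) findings.push('CSP: header missing');
  else {
    const d = parseCsp(csp);
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP: script-src allows 'unsafe-inline'");
    if (scriptSrc.includes('*')) findings.push('CSP: script-src allows any origin');
  }
  // 9.4: a wildcard origin must never be combined with credentialed requests.
  const acao = h['access-control-allow-origin'];
  const acac = String(h['access-control-allow-credentials'] || '').toLowerCase();
  if (acao === '*' && acac === 'true') findings.push('CORS: wildcard origin with credentials');
  // 9.5: every cookie needs Secure, HttpOnly and an explicit SameSite attribute.
  for (const c of [].concat(h['set-cookie'] || [])) {
    const name = c.split('=')[0].trim();
    const attrs = c.split(';').slice(1).map((a) => a.trim().toLowerCase());
    for (const flag of ['secure', 'httponly']) if (!attrs.includes(flag)) findings.push(`Cookie ${name}: missing ${flag}`);
    if (!attrs.some((a) => a.startsWith('samesite='))) findings.push(`Cookie ${name}: missing SameSite`);
  }
  return findings;
}
const WEAK_HEADERS = { // constructed sample: a weak response
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
  'Set-Cookie': ['session=abc123; Path=/'],
};
const HARDENED_HEADERS = { // constructed sample: the same response hardened
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
  'Access-Control-Allow-Origin': 'https://app.example.com',
  'Access-Control-Allow-Credentials': 'true',
  'Set-Cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict'],
};
```

auditHeaders(WEAK_HEADERS) reports five findings and auditHeaders(HARDENED_HEADERS) reports none; the same function can be pointed at headers captured from a real response.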
9.7. Browser Updates: Users must keep their browsers updated to the latest versions, as newer releases often include security fixes and enhancements.