- 30 Oct 2024
- 4 Minutes to read
- Print
- DarkLight
Cloud security
- Updated on 30 Oct 2024
- 4 Minutes to read
- Print
- DarkLight
Data encryption and isolation
Board Cloud secures data both in transit and at rest using strong encryption algorithms.
Data at rest is encrypted through AES 256-bit encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. All backups of customer information are also encrypted.
Data in transit is protected with at least TLS 1.2 using a 2048-bit RSA certificate with SHA256.
Board SaaS also supports BYOK, which further increases confidentiality at the application server layer. Keys and certificates are saved in vaults within the tenant and inherit isolation.
Customer Data and records are protected through access controls, encryption, and secure storage solutions. Retention policies ensure that data is preserved as required and securely disposed of when no longer needed.
Risk assessment
Board performs a continuous assessment of the security posture of cloud workloads and receives recommendations from threat intelligence solution and partners for reducing exposure.
By regularly monitoring dashboards and analyzing potential impact of reported vulnerabilities on infrastructure, according to well-known MITRE CVE frameworks, Board is able to prioritize security operations and remediations.
Additionally, Board performs regular tests and hacking simulations on its SaaS to find gaps in security. Board also values customers who report their own tests and strives to help those with strict requirements meet their internal policies, when possible.
By doing so, Board capitalizes on these opportunities to enhance security measures and ensure alignment with industry standards.
Board has established procedures and documentation to ensure that penetration tests are conducted securely and in accordance with relevant guidelines:
Board Group Internal Procedure: how to manage customer's Penetration Test request
Board Customer Engagement Rules Penetration Test
Upon identification of any security vulnerability, Board can exercise commercially reasonable efforts to address the vulnerability in accordance with the following policy:
Rating | CVSS Score | Time Guideline | Versions |
---|---|---|---|
Low | 0.1 – 3.9 | Best effort | Latest version |
Medium | 4.0 – 6.9 | 180 days | Latest version |
High | 7.0 – 8.9 | 90 days | Latest version & all supported versions |
Critical | 9.0 – 10.0 | 30 days | Latest version & all supported versions |
* Rating is established based on the current version of the Common Vulnerability Scoring System (CVSS) 4
Cyber controls and network architecture
The network is segregated on multiple levels. A virtual network is the cornerstone of the Board Cloud networking model and provides isolation and protection.
Only selected Board employees who signed ad-hoc clauses for administrators have access to customer data file system, for maintenance and operational reasons: all employee access is tracked and frequent audits are performed.
Reverse proxies and WAF are configured at the edge of Board Cloud infrastructure like incoming traffic controllers and support TLS on ingress for secure access. They leverage containerization and are deployed to any adopted Azure region.
DDoS Protection
DDoS (Distributed Denial-of-Service) Protection is a standard service that provides enhanced DDoS mitigation capabilities for Board SaaS applications. This includes dedicated monitoring along with machine learning that automatically configures DDoS protection policies.
Detection and response
According to our defense strategy, intrusion detection systems collect signals from either the internet and private networks, turn them into detections, and provide automatic responses or trigger Board internal SOC, a team of security experts that are responsible for monitoring, detecting, and investigating threats and vulnerabilities and, consequently, to improve and enforce Cloud systems.
Secure Coding
Secure Coding refers to a set of principles and fundamentals that guide the developer to write safe code, introducing a first line of defense against potential security risks. The basics of good security practices are:
Access control, which includes authentication and authorization
Enforcing strong cryptography, according to standard algorithms
Board has adopted a multi-layer security approach, adhering to the defense-in-depth principle. This strategy involves building a secure software development lifecycle (SDLC) and integrating secure programming practices and code quality into the software development process. Applications are created and maintained at every stage, from initial requirements gathering to development, testing, deployment, and maintenance. Additionally, Board has implemented a secure coding initiative, utilizing automated and interactive tools to periodically perform Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Dynamic Application Security Testing (DAST) on the source code and its platform.
Information security incident management
The company follows a specific procedure to trace, manage, and monitor any security related incident or events. The primary aim is to ensure that the best possible levels of information security and highest level of service quality and availability are maintained.
This is achieved through the following:
Defining adequate management structure to prepare, mitigate, and respond to adverse events. This is made effective and impactful by a defense and protection system capable of applying corrective actions and promptly engaging the SOC team
Appointing suitable personnel to respond to incidents with the necessary responsibility, authority, and competence to handle an accident and maintain the security of information
Developing and approving documented plans, response, and recovery procedures detailing how the organization must handle an adverse event and how the security of information is maintained at a predetermined level.
Each event requires further investigation by the SOC team to classify the alert and then take appropriate actions based on the scenario, following a specific remediation plan.
Upon the conclusion of each event, a detailed incident report is always created, outlining all necessary information for a clear understanding of the event. Additionally, potential improvements to systems, resources, and policies are identified and studied.
In accordance with the SaaS agreement, Board will notify the customer of any ongoing incident within the specified timeframe.
In the event of an incident requiring investigation (e.g., security breaches or legal inquiries), Board will take reasonable steps to preserve relevant digital evidence, including:
activity logs, system logs, and audit trails
access records
backup data and other pertinent records.
This evidence will be securely retained to prevent alteration, destruction, or loss during the investigation or as legally required. If Board receives a request for information (e.g., court orders or regulatory inquiries) related to Customer Data or Board SaaS Services, it will:
notify the Customer, unless legally prohibited, allowing them to contest or seek protective measures
disclose evidence only as required by law and limit the disclosure to the minimum necessary.