Prophix takes the responsibility of protecting your data very seriously
Prophix Cloud is delivered as a true web application which requires no elevation of privileges on the client machine to install additional software.
Role-based application level security is a core component of Prophix Cloud which permits the assignment of functional roles to users by application administrators. Prophix Cloud administrators can designate specific application functions to users based on roles and define data access permissions.
Prophix Cloud also enforces minimum password length, complexity, and reusability rules by ISO 27001 standards. All failed login attempts are logged with mechanisms in place to prevent brute force attacks by locking down accounts after multiple failed login attempts.
Logical Data Separation
The data of every customer is completely separate from another customer. This includes all application data, databases, log data, and backup data. This total separation makes it impossible for one customer to inadvertently access another customer’s data.
Prophix Cloud uses industry standard SSL/TLS encryption for data in transit. All connections from the web browser to the application are via secure HTTPS TLS 1.2 connections. Key exchanges done via the web browser are based on 2048-bit certificates (SHA256).
Industry leading AES 256-bit encryption is used for data at rest, including any replicated archived backup data. Encryption keys are rotated on a regular basis and are under continuous monitoring.
Backups, Redundancy and Recovery
All application data in the Prophix Cloud is automatically backed up at least twice daily to multiple regions. Full system level backups are performed daily and weekly with 14 days of retention to ensure a recovery point objective (RPO) of no more than 12 hours.
In the unlikely event of a total service disruption in an entire AWS region, an alternate geographic region can be used to provide continuity of services. A full system recovery at the alternate disaster recovery region will take place in no more than 6 hours (Recovery Time Objective, RTO).
Infrastructure Best Practices
The Prophix Cloud production infrastructure has been hardened against baselines established by the Center for Internet Security (CIS). Active anti-virus software is deployed and regularly updated to ensure the latest malware is detected. Regularly scheduled patching of the OS and dependent application software is practiced.
Strict controls are in place to limit access to the Prophix Cloud production infrastructure. Prophix incorporates the concepts of
- least privilege access
- separation of duties
- information classification as part of its information access and control policy.
Advanced Threat Detection, Monitoring and Alerting
A dedicated security team monitors all network and system activity in the Prophix Cloud. An advanced Security Information and Event Management (SIEM) system is leveraged to provide full visibility into the Prophix Cloud infrastructure. The collected data is correlated and analyzed in real-time against known and emerging threats to provide total security awareness.
As the SIEM is operating in real-time, any anomalous activity is immediately highlighted and security personnel alerted to conduct further analysis. For example, if a Prophix Cloud user is known to log in from a particular geographical location and on the same day logs in from another location, the SIEM generates an alert which is investigated by the security team.
Prophix Cloud utilizes a layered network security architecture which includes perimeter/edge firewalls, instance-based firewalls, and intrusion detection systems (IDS). Firewalls are set to deny traffic by default, and will only accept traffic on designated open ports and whitelisted IP addresses.
Prophix implemented extensive operational controls to address requirements for the timely execution of activities and the ability to review operational effectiveness. Operational controls include:
- Up-to-date documentation and run books on critical processes and procedures.
- A formal change management process based on ISO27001:2013 ISMS standards with a dedicated change review board.
- Fully isolated production, pre-production, and UAT infrastructures with strict access controls prevent unauthorized or accidental changes being propagated to production.
- Automated and scheduled tasks.
- Continuous infrastructure, application, and task monitoring.
- Extensive employee background checks and mandatory security awareness training.
Penetration and Vulnerability Prevention
Prophix leverages a variety of technologies, tools, and techniques to provide broad coverage against various types of threats. The Prophix Cloud environment and application code base is regularly scanned for vulnerabilities. Third-party vendors are also contracted to perform regular security vulnerability assessments and annual penetration testing on the Prophix Cloud infrastructure.
Physical Data Center Security
Located in highly secure, non-descript facilities, AWS data centers are strictly controlled 24/7 both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.