In this blog post, I outline common security challenges that IT departments are facing today and the security capabilities built into RapidBIZ to efficiently secure application environments.
Security experts know that Availability, Integrity, and Confidentiality (AIC) based on a Quality Model is the foundation of good security practices. Unfortunately, trained security professionals are in short supply making identifying and implementing security requirements difficult. Additionally, lack of time and resources are forcing IT departments to implement software quickly, limiting the amount of time available for researching best practices for implementation.
Today’s IT security challenges include ensuring that:
- Application security is optimized based on the role of the application.
- Privileged decisions are made on the server side and not the client side, in client server applications.
- Execution environments are not running as privileged users.
- Encryption keys are not stored on the system that has access to the encrypted data.
- Government auditing & reporting requirements are implemented for user activity.
- Customer passwords and confidential data are protected.
- Software interfaces with existing infrastructure and identity services.
- Multi-level security and data compartmentalizing is in place to protect against human error.
With RapidBIZ, we simplify your security activities with a rich set of security features that are available out-of-the-box, or with minimal configuration.
- Runs on an optimized SELinux enabled operating system, preventing many intrusion attempts.
- Executes code as a non-privileged system user, compartmentalizing application execution environment from privileged system users.
- Execution engine is compiled in C++ with native OS libraries, increasing application availability and quality of service.
- Features the common Discretionary Access Control, but can be adapted for Mandatory Access Control for flexibility in security models for higher security environments.
- Command and control and privileged decisions are implemented on the server side, preventing many attack attempts.
- Allows segmenting data into organizations for compartmentalization that denies by default, but can be configured to share data with other organizations.
- Core code and APIs are tested using a Quality Model, the code is developed, tested, revised and revisited, to prevent common programming mistakes, and save developer time.
- Provides access logs of the users logging in by IP, date/time, user, and the browser, as well as user activity logging, allowing auditing, and tracking.
- Provides immediate notification to users on security events such as password resets and failed login attempts, included by default when using our standard security model complying with many regulations.
- Has a secure configurable password policy, or can be configured to work with your LDAP or SAML enabled identity services, allowing integration with your current infrastructure.
- Passwords are never stored in plain text, most commonly they use a SHA one-way hash to encrypt the passwords. Completely preventing your company from being responsible for compromising user passwords.
- Passwords are transmitted and compared with a rolling double SHA hash to make eavesdropping and man in the middle attacks harder.
- Uses standard TLS 1.0,1.1,1.2 configured to use high encryption cipher suites by default, just add your certificate, to protect your data, and comply with the in-transmit requirements of most regulations.
- Uses multiple encryption protocols as well as multiple keys for back-end communication to compartmentalize communications.
- Uses full path encryption, encrypting data from the client site through connection, into storage, and even in backups, without storing the keys on the server, protecting your data.
- By default stores data in a standards based SQL database, and can connect to multiple JDBC enabled databases, allowing your data to be available to other applications.
- Contains pretested libraries that save time in data validation, encryption, data access, and much more, allowing design of your regulation compliant application such as HIPAA, FIPS, and 21 CFR 11
- Designed to be portable to physical, and virtual environments allowing it to move from one hosting provider to hosting provider, or private networks.
RapidBIZ managed environment includes:
- A proxy with firewall, firewall on the system, configured to deny everything by default with minimum of exceptions.
- Daily backups configured in a five working day rotation, to protect data from being altered maliciously or accidentally by users.
- Optional weekly off-site backup and disaster recovery, to fulfill disaster recovery requirements for HIPAA, with regular validation to make sure they are running and meaningful.
- Host Intrusion Detection (HIDS), to fill the Intrusion Detection (IDS) requirements of regulations like HIPAA.
- Malware detection to make sure that the system does not have compromised files.
- Monitors for system resources, to help troubleshoot or identify abnormal function of the server.
- Intrusion prevention to actively block persistent/prolonged attack attempts against a server.
- A system administration activity log.
- Periodic vulnerability scans, to assess current vulnerabilities and catch newly occurring vulnerabilities.
- Operating System updates are applied after being tested for compatibility, and periodically.
- Application Platform updates are applied after being testing and with compatibility in mind.
I hope you can see how important security is to RapidBIZ. If you have further questions, please don’t hesitate to contact me, Louis Seifert, VACAVA Chief Security Officer.