By Hoony Youn, CTO of MackeyRMS
A 2017 study by Schneider Electric revealed that 78 percent of IT professionals, 70 percent of education professionals, and 52 percent of finance professionals trust the security of cloud-hosted technology. Despite the cloud’s reputation for superior security, companies that provide cloud-based SaaS, or software-as-a-service, need to ensure that they prioritize data integrity and security. When it comes to protecting customer data, service providers must remain vigilant 24/7.
One of the core offerings of our business from day one has been a cloud service, and over many years we’ve gained valuable experience on security concepts, procedures, policies, and technology. We take responsibility for the security of our technical platform in order to protect our customers’ proprietary research and intellectual property.
At MackeyRMS, we go beyond standard software security best practices with custom “Defense in Depth” strategies that protect our customers against cyber-thieves. Some may call us paranoid, but we think of ourselves as wildly over-prepared. And that’s a good thing –substandard security measures put everyone at risk and can result in significant reputational and financial losses.
“Defense in Depth” – Mackey’s Best Practices
‘Defense in Depth’ is a concept with multiple layers of security controls to provide redundancy in case a control fails or is exploited. The controls can be divided into three areas: Physical Controls, Technical Controls and Administrative Controls.
Below we break down some of the key security controls and best practices we deploy at MackeyRMS and how they fit into our ‘Defense in Depth’ strategy.
1. Physical Controls
- Physical Controls are considered anything that physically limits or prevents access to computer systems, including security fences, security staff, camera monitors, and guard animals. We also host AWS. This is the de-facto leader in the cloud hosting space, used by organizations like Netflix, Samsung, Spotify, the US Department of State, and UK Ministry of Justice.
2. Technical Controls:
- Data Encryption: Data in motion should use the highest level of SSL transmission, TLS v1.2. We’re able to use it because work closely with our customers and understand the deployment environment.
Data at rest should also be encrypted with a 128 or 256 bit key. As a point of reference, it takes modern hardware around 500 billion (yes billion) years to crack a 128-bit key.
- Improved Secure Authentication: We enforce a strong password policy internally and for our users, but sometimes having a strong password is not enough. With our advanced authentication service introduced in 2017, we have further enhanced our authentication process.
- With our built-in 2-Factor Authentication feature, customers can be assured to have a virtually unbreakable authentication process.
- We have been supporting SAML 2.0 for several years now. This is a huge benefit for our customer’s IT department as it helps mitigate password proliferation, as well as provides more control for administering user accounts. We have active deployments using Microsoft’s ADFS, Duo Security, and Okta products. Duo Security also offers their own 2FA solution with could further secure the authentication process.
Biometrics: Fingerprint readers are becoming ubiquitous, and nowadays most mobile devices have them built in. Soon, MackeyRMS will release fingerprint support on our mobile apps as an added security measure.
- Firewalls and Access: Unlike other cloud providers, every customer runs on a separate system - this allows us to custom-configure the security rules exactly to the desired level. Our systems run in a Virtual Private Cloud with strict firewall rules. Not taking any chances, we also implement redundant firewalls. This precaution is in place not only to protect incoming traffic from potentially attacking our cloud, but also to prevent any unintended outflow of data to unapproved destinations.
Additionally, because we can limit the traffic to just our customers’ network, we create a greater level of protection for their data.
- Threat Detection and Preparation: Cyber attacks happen all the time. It’s not a question of if, but when. What happens if you get attacked, and what if your backup server goes down? You need to be able to detect the threat and neutralize it ASAP. Our systems use a best-in-class Intrusion Protection System that dynamically monitors all traffic and events and responds appropriately by altering firewall rules.
If you do go down, don’t panic and follow the DR and BCP plan. During normal times, plan, prepare and practice. Write out a good DR plan. Don’t worry about making it perfect. Practice makes perfect. Understand what to expect if such an event is to occur and document it. Run a vulnerability test, both static and dynamic. There are many good products and services out there. We chose not to re-invent the wheel and go with leading class provider, Veracode.
3. Administrative Controls:
Administrative controls are an organization’s policies and procedures. Their purpose is to ensure that there is proper guidance available when it comes to security and that regulations are met.
- Documentation and training – It goes without saying that at the core, before any technology is deployed, all staff should understand the objective and goals of cloud and data security as it relates to their job and the service offering. In particular, we document and train our staff for policies pertaining to data storage, data handling, and data deletion just to name a few.
- Role Based Access Control: For accessing systems and data, permission is granted according to least privilege. This not only prevents accidental incidents, but greatly reduces the attack surface. We believe in this 100% and live by it.
Feeling Secure in the Cloud
MackeyRMS has completed and passed security audits with some of the largest and most well-respected financial services companies in the world.
These audits have included a review of the overall MackeyRMS application architecture, data centers, security controls, security policies and procedures, adherence to the controls outlined in various information security models, etc. They have also included testing that required vulnerability scans and in-depth security scans of our application’s source code.
While research management is the foundation of what we do, security has and will always be our top priority. And with the effective security approaches mentioned here, we like to say we’re at the forefront of SSaaS — or “secure software-as-a-service.”
Get in Touch
If you’re interested in learning how MackeyRMS can enhance your research management firm’s client data security, contact us. We look forward to connecting with you and helping your firm meet its data and security needs.