Simple Secure Identity Management

Cloud IDaaS for Internet End Users, Applications and Devices

Security Infrastructure White Paper: Verviam Security Measures and Controls

Browser
Measure/Control | Description | Technology
Browser data cleared | Form and JavaScript variable data cleared after use | HTML and JavaScript methods to clear data variables, executed in the browser after form/data submission
AES field-level encryption | Encryption of all private data in the browser prior to transport | The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. Verviam uses a 128-bit key size for internet transport

Transport and Session

Measure/Control | Description | Technology
TLS 1.3 | Transport layer encryption protocol from browser to the cloud | Client-server applications use the TLS protocol to communicate across a network in a way designed to prevent eavesdropping and tampering
Encrypted payload | Data is encrypted over the wire | Interception in TCP/IP sessions is foiled by an ephemeral key which is only in operation during transit from browser to server. This AES key is discarded after the API Gateway


Network Perimeter
Measure/Control | Description | Technology
Network Flow Monitoring | VPC flow logs capturing network IP addresses and network interface events, allow and deny status | AWS VPC Flow Logs network flow monitoring log capture
DDoS protection | Measures to protect from common DDoS attacks, such as SYN floods and UDP reflection attacks | AWS Shield: edge-of-network DNS rules to prevent infrastructure (Layer 3 and 4) attacks
Network ACLs | Network Access Control Lists are applied within the Virtual Private Cloud (VPC) | AWS Firewall: stateless inbound and outbound rules to allow or deny traffic ingress and egress to a VPC
Monitoring | Analysis of aggregated network logs for potential threats | AWS GuardDuty: threat monitoring intelligence output from detection of patterns that may indicate attacks

API Gateway
Measure/Control | Description | Technology
Web Application Firewall (WAF) | Monitor HTTPS requests and control access to content based on conditions such as IP addresses or the values of query strings | AWS WAF: Web ACL rules define criteria for handling web requests, with default actions to block or allow requests that pass rule inspections.
CORS | Cross-origin resource sharing (CORS) lets you control how your REST API responds to cross-domain resource requests. | CORS headers for Access-Control-Allow-Origin whitelisted for the Verviam domain

Infrastructure
Measure/Control | Description | Technology
Continuous infrastructure monitoring | Monitoring of Verviam instances to view, manage and control infrastructure performance | AWS CloudWatch and CloudTrail

Identity Management

Measure/Control | Description | Technology
Identity Policies | User, group and role based permissions to allow and deny access to cloud resources | AWS IAM
Endpoint authentication | Validation of signed JWT tokens prior to forwarding requests to endpoint services | Verviam IDaaS
Multi-factor authentication | Account, email, PIN and password plus MFA code for sign up and sign in to configure account data | Verviam IDaaS
User Account Management | Browser encryption of credentials and protection of private data for sign up and sign in | Verviam IDaaS
Privileged Access Management | Browser encryption of credentials and protection of private data for sign up and sign in | Verviam IDaaS

Application
Measure/Control | Description | Technology
Continuous infrastructure monitoring | Monitoring of Verviam instances to view, manage and control infrastructure performance | AWS CloudWatch
Data encryption | Application and database encryption of data in process, in transit and at rest | Verviam IDaaS
Account Public/Private Key Pair | Each account is issued an RSA 2048-bit PKI key pair that can be rotated. | Verviam IDaaS
Secrets Management | Rotate, manage and retrieve secrets throughout the lifecycle, used to access resources protected by a Key Management Service | AWS Secrets Manager

Compliance

GDPR

The GDPR is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. While primarily process-driven, there are a number of technical controls that can be followed.

Requirement | Description | Compliance
Article 25 - Data Protection by Design and by Default | The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. | yes
Article 30 - Records of Processing Activities | The controller shall maintain a record of processing activities under its responsibility. | yes
Article 32 - Security of Processing | The controller shall implement appropriate technical and organisational measures that consider the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. | yes

PCI-DSS

Requirement | Description | Compliance
Firewalls | Install and maintain a firewall configuration to protect cardholder data. | yes
Default passwords | No vendor-supplied defaults are used for system passwords and other security parameters. | yes
Cardholder Data | No cardholder data is stored. A secure link is provided to the protected PayPal payment gateway. | yes
Encrypted Transmission | Encrypted link transmission of cardholder data across the internet to the PayPal payment gateway. | yes
Anti-Virus and Malware | AWS WAF, a web application firewall that helps protect web applications and APIs against common web exploits, is in use and regularly updated. | yes
Secure Systems | Verviam systems development is aligned with DevOps security best practice and maintains secure systems and applications. | yes
Restrict Access | There is no access to cardholder data and no cardholder data is stored. | yes
Identify Access | Identification and authentication of access to system components is enabled by default, using OAuth and IAM policy controls. | yes
Physical Access | There is no physical access to cardholder data. | yes
Track Access | Logging and monitoring is enabled by default to track and monitor all access to network resources and cardholder data. | yes
Test Systems | Security testing is performed regularly for all systems and processes. | yes
Policy | An established and well maintained access policy that addresses information security is in place for all personnel. | yes

AWS Well-Architected Framework - Security

The Well-Architected Framework is a set of AWS-provided guidelines for ensuring cloud excellence across five pillars, including security.

Measure/Control | Description | Compliance
Identity and Access Management | Identity and access management are key parts of an information security program, ensuring that only authorized and authenticated users are able to access your resources, and only in a manner that you intend. | yes
Detective Controls | Detective controls are an essential part of governance frameworks and can be used to support a quality process, a legal or compliance obligation, and threat identification and response efforts. | yes
Infrastructure Protection | Infrastructure protection encompasses control methodologies, such as defense in depth, necessary to meet best practices and organizational or regulatory obligations. | yes
Data Protection | Before architecting any system, foundational practices that influence security should be in place. These methods are important because they support objectives such as preventing financial loss or complying with regulatory obligations. | yes
Incident Response | Even with extremely mature preventive and detective controls, your organization should still put processes in place to respond to and mitigate the potential impact of security incidents. | yes