Application security

Identity management

We encourage our customers to use single sign-on (SSO) with Pulse and do not recommend password-based authentication. Pulse issues signed JSON Web Tokens (JWT) as access and refresh tokens, signed with a dedicated RSA 2048-bit key pair per customer. The private key is stored inside the customer database, encrypted under an additional AWS KMS key. Access tokens expire after 15 minutes; the lifetime of refresh tokens can be adjusted per customer.
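As an added example (not Pulse's own code), the token scheme described above implemented with Go's standard library only: one RSA 2048-bit key pair per tenant, RS256 access tokens that expire after 15 minutes, a refresh-token lifetime set per tenant, and a verifier that pins the algorithm, checks the signature against that tenant's key, rejects tokens issued for another tenant and rejects expired tokens. The claim names, tenant IDs and in-memory key handling are assumptions; the KMS-wrapped storage of the private key is not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the payload used in this example; the field set is an assumption.
type Claims struct {
	Sub  string `json:"sub"`  // user
	Cust string `json:"cust"` // tenant the token was issued for
	Typ  string `json:"typ"`  // "access" or "refresh"
	Exp  int64  `json:"exp"`  // expiry, Unix seconds
}

const AccessTokenTTL = 15 * time.Minute // fixed, as on the page
var enc = base64.RawURLEncoding         // JWT segments are unpadded base64url

// Tenant holds one customer's RSA-2048 key pair and its adjustable refresh lifetime.
type Tenant struct {
	ID         string
	Key        *rsa.PrivateKey
	RefreshTTL time.Duration
}

func NewTenant(id string, refreshTTL time.Duration) (*Tenant, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Tenant{ID: id, Key: k, RefreshTTL: refreshTTL}, nil
}

// Sign issues an RS256 JWT (header.payload.signature) under this tenant's key.
func (t *Tenant) Sign(sub, typ string, now time.Time) (string, error) {
	ttl := AccessTokenTTL
	if typ == "refresh" {
		ttl = t.RefreshTTL
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(Claims{Sub: sub, Cust: t.ID, Typ: typ, Exp: now.Add(ttl).Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, t.Key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify accepts only RS256 tokens signed with this tenant's key, issued for this tenant and not yet expired; the algorithm is pinned, never taken from the token.
func (t *Tenant) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		b, err := enc.DecodeString(p)
		if err != nil {
			return nil, errors.New("bad base64url segment")
		}
		raw[i] = b
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(&t.Key.PublicKey, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if json.Unmarshal(raw[1], &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Cust != t.ID {
		return nil, errors.New("token issued for another tenant")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	a, _ := NewTenant("acme", 24*time.Hour)
	tok, _ := a.Sign("alice", "access", time.Now())
	fmt.Println(a.Verify(tok, time.Now().Add(16*time.Minute))) // prints: <nil> token expired
}
```

The verifier is deliberately strict: a token whose header says anything other than RS256 (including "none") is rejected before the signature is examined, and because the public key is looked up from the tenant rather than from the token, a token signed by one customer's key cannot be replayed against another customer's API.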

Identity federation and single sign-on

Pulse allows customers to use their existing identity management system through identity federation. Federated identities and their associated assets are created, owned, and controlled by the customer's IT department. Pulse integrates with most SAML 2.0-compliant identity providers. Please contact us for detailed information on how to migrate to and integrate your identity provider.

Password based authentication

For customer evaluation phases, password-based authentication is available. The following password policy applies:

  • Passwords that contain no special character must be at least 12 characters long
  • Passwords that contain at least one special character must be at least 8 characters long

Passwords are stored salted and hashed with bcrypt (version 2a, cost factor 10). As an additional layer of security, an account is locked for five minutes after five failed login attempts. The customer's Pulse administrator can revoke users' access through the Pulse admin section of the application.
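An added example, not the project's code, of the two controls above in Go: the length policy as stated, and an account lockout that locks for five minutes after five failed attempts and resets on a successful login. The bcrypt comparison is represented by a verify callback (Go's bcrypt package lives outside the standard library), and the reading of "special character" as any rune that is neither a letter nor a digit is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
	"unicode"
)

// MeetsPasswordPolicy applies the two-tier length rule quoted on the page. The page
// does not define "special character"; here it is any rune that is neither a letter
// nor a digit (assumption). Length is counted in runes, not bytes.
func MeetsPasswordPolicy(pw string) bool {
	n, special := 0, false
	for _, r := range pw {
		n++
		special = special || (!unicode.IsLetter(r) && !unicode.IsDigit(r))
	}
	if special {
		return n >= 8
	}
	return n >= 12
}

const (
	MaxFailedAttempts = 5
	LockoutDuration   = 5 * time.Minute
)

var (
	ErrLocked         = errors.New("account temporarily locked")
	ErrBadCredentials = errors.New("invalid credentials")
)

type attempts struct {
	failed      int
	lockedUntil time.Time
}

// Lockout counts failed logins per account (not per source IP, so rotating
// addresses does not bypass it). The clock is injectable so tests can advance it.
type Lockout struct {
	mu    sync.Mutex
	now   func() time.Time
	state map[string]*attempts
}

func NewLockout(clock func() time.Time) *Lockout {
	return &Lockout{now: clock, state: map[string]*attempts{}}
}

// get returns the account record; a lock that has run out resets it. Caller holds mu.
func (l *Lockout) get(user string) *attempts {
	a := l.state[user]
	if a == nil {
		a = &attempts{}
		l.state[user] = a
	}
	if !a.lockedUntil.IsZero() && !l.now().Before(a.lockedUntil) {
		*a = attempts{}
	}
	return a
}

// Login is the gate an authentication handler calls. verify stands in for the bcrypt
// comparison against the stored hash; it runs outside the mutex because it is slow.
// While locked, the password is not evaluated at all, so a correct guess still fails.
func (l *Lockout) Login(user, pw string, verify func(user, pw string) bool) error {
	l.mu.Lock()
	locked := l.now().Before(l.get(user).lockedUntil)
	l.mu.Unlock()
	if locked {
		return ErrLocked
	}
	ok := verify(user, pw)
	l.mu.Lock()
	defer l.mu.Unlock()
	if !ok {
		a := l.get(user)
		a.failed++
		if a.failed >= MaxFailedAttempts {
			a.lockedUntil = l.now().Add(LockoutDuration)
		}
		return ErrBadCredentials
	}
	delete(l.state, user) // success clears the failure count
	return nil
}

func main() {
	l := NewLockout(time.Now)
	deny := func(_, _ string) bool { return false }
	for i := 0; i < MaxFailedAttempts; i++ {
		l.Login("alice", "wrong", deny)
	}
	fmt.Println(l.Login("alice", "wrong", deny)) // account temporarily locked
}
```

Two design points worth noting: the counter is keyed on the account, so the lock cannot be dodged by changing source address, and while the lock is in force the password is never checked, which also avoids giving an attacker a timing signal during the lock.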

Solution architecture of Creaholic Pulse Feedback

Figure 1: Architecture overview of Creaholic Pulse Feedback (diagram not reproduced here)

Customer data storage

All customer data is encrypted at rest and in transit. For encryption in transit, the application uses Transport Layer Security (TLS) for all internet-facing traffic, in conjunction with the appropriate HTTP security headers (HSTS, etc.). All certificates are managed by AWS Certificate Manager and issued by Amazon's certificate authority.
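An added example (not the project's code) in Go showing the HTTP side of the transport controls above: a middleware that sets Strict-Transport-Security and related headers, and a parser plus check that a deployment test can run against a live response to confirm HSTS is present with a max-age of at least one year and includeSubDomains. The one-year floor and the extra headers are assumptions; the page does not state the values Pulse uses.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// MinHSTSMaxAge is one year in seconds, the floor the HSTS preload list requires.
// The page does not state the value Pulse uses; this is the baseline the check enforces.
const MinHSTSMaxAge = 31536000

// SecureHeaders adds the headers that complement TLS. It must only run for HTTPS
// responses: browsers ignore HSTS received over plain HTTP, and plain HTTP should
// be redirected before reaching this handler.
func SecureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		next.ServeHTTP(w, r)
	})
}

// okHandler is a stand-in for the application.
var okHandler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	w.Write([]byte("ok"))
})

// HSTSPolicy is the parsed form of a Strict-Transport-Security header value.
type HSTSPolicy struct {
	MaxAge            int
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses a header value per RFC 6797: ';'-separated directives,
// case-insensitive names, max-age mandatory and optionally quoted.
func ParseHSTS(v string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seenMaxAge := false
	for _, d := range strings.Split(v, ";") {
		kv := strings.SplitN(strings.TrimSpace(d), "=", 2)
		val := ""
		if len(kv) == 2 {
			val = strings.Trim(strings.TrimSpace(kv[1]), `"`)
		}
		switch strings.ToLower(strings.TrimSpace(kv[0])) {
		case "max-age":
			n, err := strconv.Atoi(val)
			if err != nil || n < 0 {
				return p, fmt.Errorf("invalid max-age %q", val)
			}
			p.MaxAge, seenMaxAge = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seenMaxAge {
		return p, errors.New("max-age directive missing")
	}
	return p, nil
}

// CheckHSTS is the assertion a deployment check runs against a live response:
// header present, max-age at least one year, subdomains covered.
func CheckHSTS(resp *http.Response) error {
	p, err := ParseHSTS(resp.Header.Get("Strict-Transport-Security"))
	if err != nil {
		return err
	}
	if p.MaxAge < MinHSTSMaxAge {
		return fmt.Errorf("max-age %d is below %d", p.MaxAge, MinHSTSMaxAge)
	}
	if !p.IncludeSubDomains {
		return errors.New("includeSubDomains missing")
	}
	return nil
}

// ServeOnce runs a handler against one in-process GET request (no network).
func ServeOnce(h http.Handler, path string) *http.Response {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Result()
}

func main() {
	fmt.Println("without middleware:", CheckHSTS(ServeOnce(okHandler, "/")))
	fmt.Println("with middleware:   ", CheckHSTS(ServeOnce(SecureHeaders(okHandler), "/")))
}
```

The same CheckHSTS can be pointed at a real endpoint with http.Get against the production host; a missing header, a short max-age (for example max-age=0, which browsers treat as "forget this host") or a missing includeSubDomains all fail the check.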

Customer data is primarily stored in a dedicated MongoDB database per customer on our MongoDB Atlas cluster. Each database is encrypted at rest (AES-256). As an additional layer of security, the symmetric encryption key for each database is derived from and managed through AWS KMS in our own AWS account.

Binary data (currently profile pictures and the Excel user list) is stored in two Amazon S3 buckets, both encrypted at rest (AES-256) with an AWS KMS-derived key and with public access blocking enabled. Objects are prefixed per customer. Profile pictures are served to the web client only through the CloudFront distribution, under securely generated random object keys (256 bits of entropy). The Redis cluster used for caching is likewise encrypted at rest (AES-256) with an AWS KMS-derived key.
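An added example, not the project's code, of the object-key scheme described above in Go: a per-customer prefix followed by 256 bits from a CSPRNG, and the authorization check that refuses any key that is malformed or sits under another customer's prefix before it is handed to the web client. The customer-ID alphabet, the hex encoding and the function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// Object keys have the form "<customer-id>/<64 hex chars>". The suffix is 32 bytes
// from a CSPRNG (256 bits, as on the page); the customer-id alphabet is an assumption.
var (
	customerIDPattern = regexp.MustCompile(`^[a-z0-9-]{1,64}$`)
	objectKeyPattern  = regexp.MustCompile(`^([a-z0-9-]{1,64})/([0-9a-f]{64})$`)

	ErrBadCustomerID = errors.New("invalid customer id")
	ErrMalformedKey  = errors.New("malformed object key")
	ErrForeignKey    = errors.New("object key belongs to another customer")
)

// NewProfilePictureKey returns a fresh, unguessable key under the customer's prefix.
func NewProfilePictureKey(customerID string) (string, error) {
	if !customerIDPattern.MatchString(customerID) {
		return "", ErrBadCustomerID
	}
	var b [32]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return customerID + "/" + hex.EncodeToString(b[:]), nil
}

// AuthorizeObjectKey is the check to run before a key is returned to a web client
// (or embedded in a CloudFront URL): the key must be well-formed and sit under the
// requesting customer's prefix. Traversal sequences, another tenant's prefix or a
// bare file name all fail the strict pattern.
func AuthorizeObjectKey(requestingCustomer, key string) error {
	m := objectKeyPattern.FindStringSubmatch(key)
	if m == nil {
		return ErrMalformedKey
	}
	if m[1] != requestingCustomer {
		return ErrForeignKey
	}
	return nil
}

func main() {
	key, _ := NewProfilePictureKey("acme")
	fmt.Println(key, AuthorizeObjectKey("acme", key), AuthorizeObjectKey("bravo", key))
}
```

The random suffix makes a key unguessable, but it is the prefix check that enforces tenant isolation: an API that accepted any syntactically valid key from the client would let one customer fetch another's object if the key ever leaked.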

Data centre locations and your data

All data, including customer data and backups, is stored in the European Union in AWS data centres located in Dublin (IE) and Frankfurt (DE).

Infrastructure security

Cloud and infrastructure services

All components of Pulse are currently hosted on Amazon Web Services (AWS), including AWS Fargate, AWS Lambda, MongoDB Atlas, SES and Amazon S3, in the European Union (EU).

The AWS platform provides services in accordance with industry-standard practices and undergoes regular industry-recognized certifications and audits. You can find additional information about AWS and Amazon’s security controls on the AWS security site and can obtain a list of all certifications on the AWS compliance programs site.

Operational responsibilities of AWS and Creaholic

As the hosting and service provider, AWS operates, manages, and controls the components from the runtime down through the hypervisor virtualisation layer to the physical security of the facilities in which Pulse runs. Because Pulse runs on managed services (AWS Fargate and AWS Lambda), AWS is also responsible for the guest operating system and runtime, including updates and security patches. In turn, Creaholic is responsible for the application software and for the configuration of the AWS-provided security group firewall.

Secure management

Creaholic and its subcontractor use Secure Shell (SSH), Virtual Private Network (VPN) connections and TLS (commonly still referred to as SSL) for management connections to the hosting infrastructure.

Geographic location of customer data on AWS network

Customer data uploaded to Pulse is generally stored in the AWS Frankfurt (DE) region (eu-central-1). Where a service is not yet available in the Frankfurt region, we use the Dublin (IE) region (eu-west-1). For more details, please consult the AWS security white paper.

Isolation of customer data/segregation of customers

AWS uses strong tenant isolation security and control capabilities. As a virtualised, multi-tenant environment, AWS implements security management processes and other security controls designed to isolate each customer from other AWS customers. Creaholic uses AWS Identity and Access Management (IAM) to further restrict access to compute and storage services.

Secure network architecture

AWS employs network devices, including firewall and other boundary devices, to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, exist on each managed interface to manage and enforce the flow of traffic. The Amazon Information Security team approves all ACL policies and automatically pushes them to each managed interface using the AWS ACL-Manage tool, helping ensure these managed interfaces enforce the most up-to-date ACLs.

Network monitoring and protection

AWS uses a variety of automated monitoring systems to provide a high level of service performance and availability. Monitoring tools help detect unusual or unauthorized activities and conditions at ingress and egress communication points. The AWS network provides significant protection against traditional network security issues:

  • Distributed Denial of Service (DDoS) attacks
  • Man-in-the-Middle (MITM) attacks
  • IP spoofing
  • Port scanning
  • Packet sniffing by other tenants

You can find more information about network monitoring and protection in the AWS: Overview of Security Processes white paper.

Logging

Creaholic conducts server-side logging of Pulse customer activity to diagnose service outages, specific customer problems, and reported bugs. The logs are stored in AWS CloudWatch; they contain only client IDs (to help diagnose specific customer issues) and no personally identifiable information or secrets. Only authorised Creaholic technical support personnel, key engineers, and selected developers can access the logs, and only to diagnose specific issues.
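An added example, not Creaholic's code, of how a logger can enforce the rule above (client IDs only, no personal data or secrets) in Go: an allow-list of event fields, plus scrubbing of JWTs, bearer tokens and e-mail addresses from free-text fields such as error messages before the line is written. The field names and the sample event are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// allowedFields is the allow-list of keys that may reach CloudWatch. Anything
// else (e-mail, names, headers) is dropped rather than masked. Names are assumptions.
var allowedFields = map[string]bool{
	"client_id": true, "route": true, "status": true, "latency_ms": true, "error": true,
}

// Patterns for values that must never appear even inside allowed free-text fields
// such as error messages: JWTs (three base64url segments starting with "eyJ"),
// bearer tokens and e-mail addresses. Order matters: a JWT is scrubbed first so a
// "Bearer <jwt>" value becomes "Bearer [jwt]".
var scrubbers = []struct {
	re   *regexp.Regexp
	repl string
}{
	{regexp.MustCompile(`eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*`), "[jwt]"},
	{regexp.MustCompile(`(?i)bearer\s+[A-Za-z0-9._~+/=-]+`), "Bearer [redacted]"},
	{regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`), "[email]"},
}

// Scrub replaces secret- or PII-looking substrings in a free-text value.
func Scrub(s string) string {
	for _, sc := range scrubbers {
		s = sc.re.ReplaceAllString(s, sc.repl)
	}
	return s
}

// Sanitize returns the subset of an event that may be logged: only allow-listed
// keys, each value scrubbed. The input map is not modified.
func Sanitize(event map[string]string) map[string]string {
	out := make(map[string]string, len(allowedFields))
	for k, v := range event {
		if allowedFields[k] {
			out[k] = Scrub(v)
		}
	}
	return out
}

// LogLine renders a sanitized event as one JSON object (keys sorted by encoding/json).
func LogLine(event map[string]string) string {
	b, _ := json.Marshal(Sanitize(event))
	return string(b)
}

func main() {
	// Constructed sample event; every value here is made up for the example.
	event := map[string]string{
		"client_id":     "c-1234",
		"route":         "POST /api/feedback",
		"status":        "401",
		"user_email":    "alice@example.com",
		"authorization": "Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln",
		"error":         "token for alice@example.com rejected: eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln",
	}
	fmt.Println(LogLine(event))
}
```

The allow-list is the primary control: a field that is never emitted cannot leak. The regex scrubbing is a second line of defence for free-text values (exception messages, upstream error bodies) that may carry tokens or addresses the code did not anticipate.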

Service monitoring

AWS monitors electrical, mechanical, and life support systems and equipment to help with the immediate identification of service issues. In order to maintain the continued operability of equipment, AWS performs ongoing preventative maintenance.

Data storage and backup

Creaholic stores all Pulse content in MongoDB Atlas (on Amazon EBS volumes) and binary data in Amazon S3, both of which provide highly durable storage infrastructure.

Change management

AWS authorizes, logs, tests, approves, and documents routine, emergency, and configuration changes to existing AWS infrastructure in accordance with industry norms for similar systems. Amazon schedules updates to AWS to minimize any customer impact. AWS communicates with customers either via email or through the AWS Service Health Dashboard when service use is likely to be adversely affected.

Patch management

AWS maintains responsibility for patching systems that support the delivery of AWS services, such as the hypervisor, guest operating systems (OS), runtime and networking services. Creaholic is responsible for patching its applications running in AWS.

AWS physical security and environmental controls

Physical facility security

AWS data centres utilise industry-standard architectural and engineering approaches. AWS data centres are housed in nondescript facilities and Amazon controls physical access both at the perimeter and at building ingress points using professional security staff, video surveillance, intrusion detection systems, and other electronic means. Authorised staff must pass two-factor authentication (2FA) a minimum of two times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorised staff. AWS only provides data centre access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, their access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centres by AWS employees is logged and audited routinely.

Fire suppression

AWS installs automatic fire detection and suppression equipment in all AWS data centres. The fire detection system utilises smoke detection sensors in all data centre environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

Controlled environment

AWS employs a climate control system to maintain a constant operating temperature for servers and other hardware, preventing overheating and reducing the possibility of service outages. AWS data centres maintain atmospheric conditions at optimal levels. AWS personnel and systems monitor and control both temperature and humidity at appropriate levels.

Backup power

AWS data centre electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centres use generators to provide back-up power for the entire facility.

Video surveillance

Professional security staff strictly controls physical access both at the perimeter and at building ingress points for AWS data centres using video surveillance, intrusion detection systems, and other electronic means.

Disaster recovery

AWS data centres include a high level of availability and tolerate system or hardware failures with minimal impact. Housed in clusters in various global regions, all data centres remain online 24/7/365 to serve customers; no data centre is “cold.” In case of failure, automated processes move customer data traffic away from the affected area.

Core applications are deployed in an N+1 configuration so that in the event of a data centre failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites. You can find more information about AWS disaster recovery protocols on the Amazon Security website.