We get it: data is the hot topic, and in today's world the question can seem more like 'when', not 'if'. We are passionate about your security and about providing you with a solution that is far more powerful, scalable and secure than what you presently use.
Array employs industry-leading external tools to identify vulnerabilities during the development and build process. This technology allows the Array team to remediate risks on the fly, before anything reaches production. Combined with post-production penetration tests performed periodically to weed out attack weaknesses, Array's internal Security Policies ensure a comprehensive and effective approach to data safety.
Array is very sensitive to what data is stored. Where used, payment information is not stored directly on the Array platform. Sensitive data such as account passwords is hashed and never stored as clear text. The Array Internal Security Policy requires Array engineers to communicate with DB infrastructure only over authenticated secure connections, and with read-only access unless specific write access rights have been granted. All data access shall be logged in accordance with PCI Level 4 recommended security practices, on PCI Level 1 hosting infrastructure provided by AWS.
Who handles Penetration testing and how is it done?
Penetration testing shall be performed periodically, both internally and by a private third party. Testing is not limited to penetration vulnerabilities; it also covers port scanning, vulnerability scanning and checks, exploitation, web application scanning, and any injection, forgery or fuzzing activity. These assessments are not limited to the software but also cover the Array cloud-based infrastructure and services.
What are the sign-on, access and authentication policies?
Validating a user for a business application, and making sure they have access only to what they need, is the backbone of security protection. It is vitally important to enforce access on a need-to-know basis, particularly with remote access platforms. Array protects customers by using Identity and Access Management (IAM) and Role-Based Access Control (RBAC), combined with the enforcement of strong passwords and Single Sign-On (SSO). The principle of 'least privilege' account management is a strategy for safely managing account privileges for trusted users and administrators. Should the security authorisation in a particular part of the application become compromised, the strong Array authentication controls make it much harder for an intruder to move around the platform and reduce the likelihood of business-critical data being compromised.
What encryption policies will protect data as it is transferred, or when it is being stored?
Authentication data, user data and business data are transferred using 256-bit encryption. Further security layers are added through key-hashed passwords and the OAuth2 protocol, which constantly performs authorisation checks.
We use SSL to secure the communication between our endpoints, using TLS 1.2, a strong key exchange (ECDHE_RSA with P-256) and a strong cipher (AES_128_GCM). We also house all customer data on AWS servers located in Australia, inside a local VPN structure, to ensure a high degree of security and abstraction from the outside world.
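The transport parameters above (TLS 1.2, ECDHE_RSA on P-256, AES_128_GCM) are the kind of thing a customer's security team will want to confirm rather than take on trust. Below is an added example, written for this page and not Array's own code, of how a client can pin that policy in Python's standard `ssl` module and then judge the suite a connection actually negotiated. The allow-list, function names and the treatment of TLS 1.3 are assumptions of this example; the OpenSSL cipher name `ECDHE-RSA-AES128-GCM-SHA256` is the standard name for the suite the page describes.

```python
import ssl
from typing import Tuple

# Policy values taken from the page; the allow-list itself is an assumption of this example.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
# OpenSSL name of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ECDHE_RSA key exchange, AES_128_GCM)
ALLOWED_TLS12_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256",)
ECDH_CURVE = "prime256v1"   # OpenSSL's name for NIST P-256

def build_client_context() -> ssl.SSLContext:
    """Client context that refuses anything weaker than the stated policy."""
    ctx = ssl.create_default_context()          # loads system CAs; CERT_REQUIRED + hostname check
    ctx.minimum_version = MIN_TLS_VERSION       # TLS 1.0/1.1 handshakes fail outright
    # Restricts the TLS 1.2 suite list; TLS 1.3 suites are all AEAD and are governed separately.
    ctx.set_ciphers(":".join(ALLOWED_TLS12_CIPHERS))
    ctx.set_ecdh_curve(ECDH_CURVE)
    return ctx

def describe_context(ctx: ssl.SSLContext) -> dict:
    """Plain-data summary of a context so policy can be asserted without a live connection."""
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_certs": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }

def negotiated_cipher_meets_policy(cipher: Tuple[str, str, int]) -> Tuple[bool, str]:
    """Evaluate the (name, protocol, bits) tuple that SSLSocket.cipher() returns after a handshake."""
    name, protocol, _bits = cipher
    if protocol in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        return False, f"protocol {protocol} is below TLS 1.2"
    if protocol == "TLSv1.3":
        return True, f"TLS 1.3 AEAD suite {name}"
    if protocol != "TLSv1.2":
        return False, f"unexpected protocol {protocol}"
    if name not in ALLOWED_TLS12_CIPHERS:
        return False, f"cipher {name} is not in the allow-list"
    return True, "ok"

if __name__ == "__main__":
    # Offline demonstration: inspect the context and score a few constructed handshake results.
    print(describe_context(build_client_context()))
    for sample in [
        ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),   # the page's stated configuration
        ("AES128-SHA", "TLSv1.2", 128),                    # no forward secrecy, CBC + HMAC
        ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.1", 128),   # right suite, wrong protocol
        ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
    ]:
        print(sample, "->", negotiated_cipher_meets_policy(sample))
```

To apply this against a real endpoint, wrap a socket with `build_client_context().wrap_socket(sock, server_hostname=host)`, complete the handshake, and pass `ssock.cipher()` to `negotiated_cipher_meets_policy`; a handshake failure with this context is itself evidence that the peer cannot meet the policy.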
Is there a single tenant hosting option separated from that of other customers?
No, we do not support single-tenant hosting options.
Shared infrastructure leads to lower costs: SaaS allows customers to share infrastructure, so there is no need to add applications and more hardware to a specific environment. Not having to provision or manage any infrastructure or software beyond the required resources enables Array to drive down costs for our customers.
Multi-tenancy is just one of the many benefits of SaaS.
Who manages the application on the backend, and what policies are in place to thwart insider breaches?
The mismanagement of processes involving privileged access, privileged data or privileged users may pose a real and potentially harmful risk to businesses and their customers alike. Such mismanagement increases vulnerability to internal threats, which can arise from simple human error or from malicious acts. Whilst viruses and malware are perceived to be the top security threat, human error represents another dimension.
Array ensures that administrative and application identities and passwords are changed regularly, highly guarded from unauthorised use, and closely monitored, including full activity capture and recording, whilst monitoring and reporting actual adherence to the defined policies.
Array's privileged and application identities are scrutinised by internal and external audits, especially during PCI- and SOX-driven audits. Array must have effective control of all privileged identities, including application identities, to ensure compliance with audit and regulatory requirements.
What is the backup and disaster recovery plan?
At Array, we believe that business continuity depends on the efficient, uninterrupted flow of data for all customers. From Sales to Operations, even a small lapse in workload continuity could result in lost sales and operations disruption.
Failures can be caused by mechanical failure, human error or even natural disasters. Our customers demand a proactive Disaster Recovery Plan (DR Plan) that serves to keep their business running in the event of any such disaster. We achieve this by leveraging state-of-the-art cross-region disaster recovery redundancies for mission-critical services and workloads.
The Array DR Plan uses a two-pronged approach to achieve incredibly high uptime: Backup and Restore, and Multi-Region Warm Standby. Quick retrieval of files and a secure disaster recovery platform ensure a reliable and scalable service.
How well does your security policy match ours?
Array enjoys a good challenge. We are confident that our level of security not only matches but improves on your own. If you have any unique requirements, we would love to hear from you to discuss.