Application and Platform Security
Application security is of the highest importance at FutureOn. In addition to applying agile principles to the Software Development Lifecycle (SDLC), we also apply the principles of the Secure Development Lifecycle (SDL) methodology to all our software development. This allows us to discover and address security-oriented software defects more rapidly than development methodologies with longer release cycles.
FutureOn's continuous development and continuous integration approach allows us to quickly release and update our software. Patches that can impact end users are applied as soon as possible, but may necessitate end user notification and scheduling an appropriate service window. Thus, we can respond rapidly to both functional and security issues when and if they occur. Our well-defined corporate change management policies and procedures determine when and how changes occur. This is central to the DevOps security principles and the development methodologies that FutureOn has adopted. We continuously strive to improve our DevOps practice in an iterative fashion with regular reviews.
All FutureOn staging and production infrastructure is hosted in our Cloud Service Provider (CSP) environments. Therefore, all physical and environmental security controls, including access to buildings, are managed by these CSPs. Our selected cloud providers are certified to SSAE16 / ISAE 3402 Type II, SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018 and PCI DSS v3.1.
Any internal FutureOn service that requires transport-level security for network access requires us to individually authenticate our users by way of a central identity provider and to use two-factor authentication. All FutureOn personnel undergo regular security and privacy awareness training, for both technical and non-technical roles. Security training materials are developed for individual development and cloud operations roles to ensure employees are equipped to handle the specific security challenges of those roles.
Authentication and Access Management
FutureOn provides our clients the ability to log into our FieldTwin platform using an Identity Provider. We support Microsoft On-Premise AD, Azure AD, SAML 2.0 and OIDC. These services authenticate an individual's identity and allow organisations to control authentication and to enforce specific password policies and multi-factor authentication technologies.
For API access to the FieldTwin platform itself, all requests to the API must be authenticated using an API key. FutureOn furthermore requires JSON Web Tokens (JWTs) for access to specific FieldTwin platform functionality.
The FieldTwin platform also has specific sets of user roles and rights that determine which data a user can access, and control that user's create, read, update and delete rights on the data, based on default or company-created user roles.
Protection and residency of Customer Data
Any data uploaded, created or stored in a FieldTwin tenant is considered customer confidential and customer owned. This data is protected in transit across public networks and encrypted at rest. All data transmitted between a FieldTwin tenant and a FieldTwin end user browser session is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS).
Data is encrypted at rest and in transit. Data at rest is encrypted with the 256-bit Advanced Encryption Standard (AES-256), and each encryption key is itself encrypted with a regularly rotated set of master keys. A user-supplied encryption key option is also available. Specifically, we use strong 2048-bit keys for our SSL/TLS certificates, sign authentication tokens with HMAC-SHA256 signatures, and use bcrypt for password storage.
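The HMAC-SHA256 token signing mentioned above works as follows. This is an added, standard-library-only illustration and not FutureOn's or FieldTwin's code; the secret, claim names and expiry values are constructed for the example, and a verifier such as the one shown must check the signature in constant time, pin the algorithm to HS256 and reject expired tokens before trusting any claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url encoding for each segment
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose (rejects "none" and key confusion)
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing information
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        now = int(time.time()) if now is None else now
        if claims["exp"] <= now:  # a token without an expiry is also rejected
            return None
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed segment, bad JSON, missing/non-numeric exp

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; use a random, rotated key in practice
    token = sign_hs256({"sub": "user-42", "exp": 1_700_000_600}, secret)
    print(verify_hs256(token, secret, now=1_700_000_000))  # valid -> claims dict
    print(verify_hs256(token, secret, now=1_700_000_600))  # expired -> None
```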
FutureOn can deploy FieldTwin tenants in any country/region supported by our Cloud Service Providers (CSPs) at the client's request. Customer data fully resides in the selected tenant.
Access to Customer Data must be granted by the customer and is limited to functions with a business requirement to do so, such as a support request. FutureOn monitors our cloud infrastructure continuously for performance and security related events using commercial technologies. Traffic and activity data are monitored and logged to identify and flag any malicious or unapproved behaviour so that appropriate steps can be taken by our cloud operations team.
Laws and Regulations
The FutureOn FieldTwin solution is compliant with the data protection laws and regulations applicable to the services we provide, such as GDPR.
FutureOn uses several third-party applications and services in support of the delivery of our products to our customers. These organisations, called "sub-processors", are identified below with their locations and the types of services they provide.
| Sub-processor | Location | Service |
|---|---|---|
| Google Cloud | Customer Selection | Cloud Service Provider |
| Microsoft Azure | Customer Selection | Cloud Service Provider |
| Amazon AWS | Customer Selection | Cloud Service Provider |
| SendGrid | USA | Email notification services |
| Office365 | UK/Norway | Email and office applications |