We understand how important security and reliability are when it comes to keeping your business operations safe and always running. That’s why Issuetrak is loaded with built-in security measures that address a variety of vulnerabilities common to web-based applications.
cloud reliability + infrastructure
Reliability and security are important aspects of any successful business. As a business partner, we value the data and security of our customers. We leverage world-class hosting facilities provided by Amazon Web Services to deliver the best possible web experience to our customers.
- Physical access is routinely audited
- Authorized employees are challenged with two-factor authentication at least twice before being provided access to data center floors
- Around-the-clock interior and exterior surveillance
- Intrusion detection systems
- Unmarked facilities to help maintain low profile
- Physical security audited by an independent firm
- Data centers are fed power via different grids from independent utilities
- N+1 redundant UPS power subsystem with on-site generators
- N+1 redundant HVAC system
- Advanced fire suppression systems
- Multiple network paths with multiple service providers
- Regularly exceeds 99.96% uptime
system security and monitoring
- Website, ping, and port monitoring
- Server vital statistic monitoring (CPU, Memory, Disk, Network)
- SQL Server Severity alerts
- Windows Event Viewer alerts
- System Auditing
- Transport Layer Security (TLS) encryption, historically referred to as SSL, enforced on all sites
- Monitoring/security information restricted to limited authorized personnel
- Server event auditing
- Physical database integrity checks every night
- Logical database integrity checks every week
- Update database statistics every night
- Reorganize fragmented database indexes every night
disaster recovery and data security
- Our Disaster Recovery (DR) plan relies upon infrastructure-as-code automation deployment
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) within 4 hours
- Daily Elastic Block Storage (EBS) snapshots archived to Amazon Simple Storage Service (S3)
- Encryption at rest and transport
- Weekly Amazon Machine Images (AMI) are archived to S3
- Single tenant databases per customer
- Encrypted full database backups are taken daily and transferred to an encrypted S3 bucket
- Encrypted transaction log database backups are taken and transferred to S3 every 15 minutes
- Web data is synchronized throughout the day to secondary secure data storage in S3
- Network Traffic isolation
- Each function is isolated to a different subnet
- Nonconformant network traffic is rejected by firewall rules
- Customer traffic is managed separately from administrative traffic
- Network Access Control Lists (NACL) are used in conjunction with security groups
- Virtual Private Network (VPN) configured for support and maintenance access
security & prevention
- Cross-Site Scripting (XSS) Protection
- Encrypted UserIDs in HTTP Requests (POST)
- Buffer and integer overflow protection
- Ability to disable Form Caching (optional)
  - Prevents attackers from recovering cached form field values
  - Blocks multiple Users sharing a workstation from seeing cached form field values entered by other Users
- Secure Client Side Cookies
- Click-jacking Prevention and Security Measures (optional)
- Built in SQL Injection Prevention
- Cross-Site Request Forgery (CSRF) Security Measures (optional)
multiple encryption options
- Database Encryption provided through the SQL Server’s Data Encryption capabilities
- Supports SSL/TLS to encrypt network traffic
- Database Connection String Encryption via DPAPI (Data Protection Application Programming Interface), a cryptographic API built into Microsoft Windows operating systems
responsible development practices
- Security auditing via network and application penetration testing
- Vulnerability analysis and application scanning
- Code assessment via analysis tools and peer reviews
- Agile workflows for quick identification and resolution of vulnerabilities
- Regular updates released, ensuring customers the latest application and security innovation
active directory user authentication
- Encrypt all data exchanged between your Active Directory (AD) and Issuetrak servers using the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) option.
- Requires valid LDAP over SSL (LDAPS) certificate installed on your Domain Controller (DC)
- Requires DNS and port settings configured within your network
- Requires AD module and AD server settings configured within Issuetrak site (supports multiple domains)
- Compatible with Common Access Cards (CAC) and Smart Cards to control Issuetrak User access and information
user access control & segmentation
- Roles and permissions – More than 55 permissions focused on access control
- Configuration options to segment access and visibility via Organizations, Departments, or Groups
- Private data fields accessible only by permission
- Issue Audit logging
- Restricted Searching and Reporting capabilities
- Customizable Password Policy
- Password Self Service
- Configurable Password Complexity
- Application user account passwords are stored using the NIST-recommended PBKDF2 function, with an iteration count that exceeds currently recommended minimums and is raised automatically as time passes.
- For each new password stored, a new, cryptographically random 64-byte salt is generated and supplied to the function along with the plaintext password.
- The hash inside the function is SHA-512, i.e. the PBKDF2 pseudorandom function is HMAC-SHA-512.
- Password hashes are retained only as long as the site administrator has configured, and plaintext passwords are never sent to the database.
- Passwords for connecting to external servers (such as mail servers and Active Directory servers) are encrypted with AES-256 in CTR mode and authenticated with an HMAC using SHA-384 (HMAC-SHA-384).
- Keys are generated as sets of cryptographically random 32-byte values.
- During use, these keys are stored as DPAPI-encrypted nodes within the ASP.NET website’s “web.config” file.
- All encryption libraries used are professionally audited.