How Cialfo protects your data
A major challenge for any Software-as-a-Service product is to release secure products while maintaining a healthy speed to market. Our goal is, and always has been, to achieve the right balance between speed and security. Key principles guiding us are:
- Continual improvement We believe security is a journey, not a destination. We aim to ensure our improvements will always grow through operational efficiencies, automation, new technologies, and proven practices.
- Assurance through testing We only know it works if we test it. With regularly scheduled testing and continual improvements, we’re able to keep disaster recovery at a minimum.
Here are some of the methods we use to protect your data:
Encryption and Key ManagementAll data you send to Cialfo (and vice versa) is encrypted in transit.
In its most basic form, encryption is the process of scrambling data to make it unintelligible. When data is encryption, the sender and receiver (in this case, Cialfo and you) are the only people that can decrypt the scrambled info back to a readable condition. This is achieved by ‘keys’, which grant only the users involved access to modify the data to make it unreadable and then readable again.
Put more simply: encryption is like translating your information into a language only you and Cialfo knows, and more importantly, a language which a cybercriminal cannot translate.
Cialfo uses the Transport Layer Security (TLS) protocol. It allows both sides (Cialfo and you) to authenticate our identities and prove that we are who we claim to be. It also encrypts our communication, ensuring no third-party can read or tamper with the data you send to Cialfo.
Cialfo also supports Perfect Forward Secrecy (PFS). Consider PFS the cybersecurity equivalent of the Cone of Silence. In the encryption system we described above, your information is safe… until an attacker gets hold of the server’s private key. Once the private key is no longer private, the attacker can now decrypt all historic data.
In Perfect Forward Secrecy, the key exchange is ephemeral. If a hacker got hold of Cialfo’s private key, they still wouldn’t be able to read your historic information.
And finally, Cialfo’s infrastructure is implemented with industry-leading services like Amazon Web Services (AWS). AWS is SSAE 16 audited, and encrypts all data sent to it.
Security TestingOur approach to vulnerability management starts before a single line of code is written.
Our testing approach spans the planning, development, and testing phases, with each test building on previous work and getting progressively tougher.
In the development phase, we focus on code scanning to remove any functional and readily identifiable, non-functional security issues.
In the testing phase, our development and QA team switch to an adversarial approach, deliberately attempting to break features using automated and manual testing techniques.
Cialfo uses the git revision control system. Changes to Cialfo's code begins in the development server, where it goes through a suite of automated tests. Once code pass the automated testing, the changes are then pushed to a staging server for other Cialfo employees to test. Only code that has passed both rounds of tests can be deployed to our customer-facing platform.
We also add a specific security review for particularly sensitive changes and features. Cialfo engineers have the ability to "highlight" critical updates and push them immediately to production servers, bypassing the staging phase.
BackupsWe have a comprehensive backup regime.
In addition to platform-wide resiliency, we also have a comprehensive backup program. Daily automated backups are taken everyday and sent to secure SSAE 16 audited data centers via Amazon RDS. We run backup fire drills monthly to simulate a disaster and its data recovery procedures.
As much as securing our product is a priority, we also understand the importance of being conscious of the way we conduct our internal day-to-day operations.
Cialfo customer success and support teams will only access customer data when necessary to resolve an open ticket or during the implementation process.
Being a SaaS solution, our customers are responsible for ensuring the appropriateness of user access to their data. We understand the classification of the data that goes into the system, and ensure users that have access to the system are authorized to access that data.
Role-based authentication makes it easy to align with access restrictions that may need to be imposed to comply with data handling and classification requirements.
We also encourage good password hygiene, which mitigates common threats like password guessing and malicious parties using leaked credentials.