SaaS security: How we keep subscriber data safe, and secure.

One Million Reasons NOT to Use Free Contact Management Solutions
May 8, 2017
Mac Salesforce
How to get Salesforce integration through Outlook for Macs and smartphone users
June 6, 2017

SaaS security: How we keep subscriber data safe, and secure.

security

SaaS security: Keeping subscriber data safe, and secure.

One of the most frequently asked questions we receive is, “What are the technical aspects of CiraSync security, and what steps do you take to ensure the security of users information?” When a company decides to look externally for help with information management, they want to ensure the utmost care is taken.

As a SaaS company, CiraSync integrates tightly with Microsoft Azure, utilizing the “Azure Consent Framework”.  If you are a subscriber, your data is being kept within the Microsoft Cloud. With over 100 million active users on Office 365 and more cloud security certifications than any other company, Microsoft Azure’s security is arguably the best in the world.

How Microsoft Ensures Your Security

Microsoft has made it a priority to ensure the highest levels of stability and security within their operations as companies rapidly transfer to the cloud. Their goal is to make data accessible to users anywhere, without security compromises.

A common issue is that older security solutions are not designed to protect data that runs in SaaS applications. Traditional methods like firewalls don’t give the in-depth accessibility and visibility to applications that are held off premise. These methods don’t offer protection and security for cloud applications since they only keep track of a small region of traffic and have limited access to many applications activities.

Azure’s infrastructure is designed as a secure foundation that can host millions of customers simultaneously, giving users control and customization via a wide array of configurable security options. Azure prevents unauthorized and unintentional transfer of information between deployments in a multitenant architecture, using virtual local area network isolation, access control lists, load balancers, and IP filters, along with traffic flow policies; network address translation separates internal network traffic from external traffic.

To put it simply, because CiraSync is hosted on Azure servers, their security, is our security.

We understand however, how this doesn’t answer all questions, as there are other points of vulnerability that can arrive.

Here are a number of frequently asked questions

 

How does CiraSync handle and protect PII data?

CiraSync is hosted in Azure. Azure has more cloud security certifications than any other cloud provider in the world.  Thus, the physical security of CiraSync servers are quite secure.

Only three VM’s are accessible via Public IP addresses.  All ports are locked down to inbound internet traffic with the exception of the dashboard which allows port 443.  Inter-server communication is via LAN connections on private IP addresses.

Backups stay in the Azure cloud.  Logs and any caching used for performance purposes are purged after 30 days.

What is the architectural dataflow of the system?

No formal architecture docs are available for release.  CiraSync interfaces with Azure AD using the Graph API. Access to Office 365 Exchange is via Exchange Web Services.

All customer data is passed on the Microsoft Azure network – not the internet.

The backend tenant subscriber information is stored in SQL server. Logging and caching data is stored in MongoDB. Billing information is stored in QuickBooks online.  All credit card transactions are done through Authorize.Net and is PCI compliant.

For performance reasons, contact lists and calendars are cached in a local database running on each worker. All cached information is automatically purged after 30 days.

However, data at rest is not encrypted.

What are the sign-on access and authentication policies?

CiaSync does not store or request passwords.  No code exists to store customer passwords.

All authentication is done via the Azure consent process. After the user grants consent to the Azure CiraSync application, all interaction with Tenant data is done using the token. 

At any time, you can remove consent for CiraSync — https://www.cirasync.com/removing-user-consent-update-office-365-global-address-list/

What policies are in place to thwart insider breaches?

RDP access to servers is limited to the CTO and three staff members who are all long time employees and heavily committed to the success of CiraSync. 

Our cloud admin and billing application has a shortlist of staff members able to access the console.  There is no ability to export customer contact or calendar data.

Do you have a written information on privacy policy?

Our Privacy Policy in full can be found here:  https://www.cirasync.com/data-security/