Security FAQ

    How securely is the data stored?
    We use the AWS S3 service for file storage, which offers the best scalability, data availability, security and performance in the industry.
    To store information we use Percona XtraDB Cluster (PXC), an open source enterprise-level solution that includes high availability and security features.

    Is system backup configured?
    Yes, we perform full database backups once a day. Backups are stored in encrypted form and are periodically tested to confirm their integrity. A point-in-time recovery (PITR) mechanism is also available, which allows data to be restored with a delay of up to 1 hour. We avoid storing backups on portable or removable media.

    How is data encryption ensured?
    Data encryption is divided into encryption of data at rest and encryption of data in transit:

    • for file storage (at rest): AES-256 encryption at the AWS S3 service level
    • for users' personal information stored in the database (at rest): AES-256 encryption in Percona XtraDB Cluster
    • for transmission (in transit): TLS encryption, version 1.2 at minimum, with an RSA key length of 2048 bits

    In which data centers and where is the SaaS version of LMS Collaborator hosted?

    • The application and database servers are located on the Hetzner Cloud service, in the Finland region (Europe).
    • File storage servers are located on the AWS cloud service, in the Frankfurt region (Europe).
    • Both providers have current ISO 27001 security certificates.

    How is fault tolerance achieved?
    A fault-tolerant architecture based on AWS and Hetzner Cloud ensures full and permanent access to the service. All critical nodes of the architecture have 3x redundancy within the cluster. The Cloudflare service provides protection against DDoS attacks and traffic balancing.

    How are keys and passwords stored?
    All encryption keys and passwords become available to the application only when the application is launched in the environment. Hashes of user passwords are stored in an encrypted form with the addition of random data (salt). Encryption keys are managed using Terraform Vault and AWS KMS.

    Is it possible to configure a password policy?
    The system allows users to flexibly control password complexity (character requirements, length), maximum validity period and uniqueness. It also allows setting temporary passwords and requiring a password change at the first login.

    What authentication methods are supported?
    Currently supported:

    • login and password
    • LDAP (Active Directory)
    • OAuth 2.0
    • SAML (ADFS)

    Is there 2FA (2-factor authentication)?
    Yes, through Google Authenticator / Microsoft Authenticator.

    Are user actions logged in the system?
    The “Security Log” records events by level of importance in accordance with the table. If there are events of the “normal” and “high” levels, messages are sent to the Administrator by email and in the browser.

    Are systems scanned for vulnerabilities?
    Vulnerability scanning of system components is performed at the code compilation stage (CI/CD). Scanning runs automatically every time the code is changed. If new vulnerabilities are found, the responsible members of our team are notified and the release of the system is blocked.

    Are penetration tests performed?
    Yes, we perform periodic (once a year) comprehensive penetration tests involving independent experts.

    How is patch management of systems performed?
    It depends on criticality. Updates that close vulnerabilities of high or critical level (according to CVSS) are installed no later than one week.
    Other updates are installed as needed or with the next release.
    Host OS kernel updates are installed automatically on the fly without rebooting the server.

    Is there a Secure Software Development Cycle (SDLC) in place?
    The development cycle goes through several stages, from drawing up the technical specification to releasing a version to production, including testing in appropriate isolated environments and QA testing. During development, the main possible vulnerabilities identified in the OWASP Top 10 are actively taken into account in order to ensure system security. Test environments do not contain any real data. Developers do not hardcode credentials. In addition, code reviews are conducted regularly to ensure code quality.

    I noticed something suspicious in the system, what should I do?
    If you notice anything unusual or suspicious in the system, try taking the following steps to keep your data safe:

    • Change your password if you suspect unauthorized access. It is important to use strong passwords and change them regularly.
    • Check the activity logs on your account or system to identify any unusual activity or access.
    • Notify the LMS Collaborator support team via the Help desk or by emailing security[@]equalteam.net about the suspicious activity you have detected. Provide detailed information to help them respond quickly.
    • Be careful when sending confidential information out of the system, especially if you have doubts about its security.

    Remember that your attentiveness and quick response can help maintain the security of your data and information security in general.