IDOS is hosted on Microsoft Azure, whose infrastructure is designed, from the physical facilities up to the application layer, to host millions of customers simultaneously and to provide a trustworthy foundation on which businesses can meet their own security requirements. Azure also offers a range of configurable security controls, so organisations can enable the features their needs require.

At the customer's option, and subject to conditions, IDOS can be hosted on other trusted, secure and scalable cloud infrastructures.

By default, IDOS denies operations and support personnel access to customer data. When access to data is needed for a support case, it is granted just-in-time under audited policies and limited to the least privilege required to complete that task; every such access is audited and logged. The customer's prior written request and approval are mandatory before any support task is taken up.

IDOS has specific controls covering user authentication, multi-factor authentication, data encryption, prevention of data breaches and prevention of data loss.

User Authentication
* IDOS encrypts the password on the client and sends it to the server in encrypted form, so the password is never transmitted in cleartext.

* The user ID and password are verified at every login.

* After authentication, the user is granted access according to the role pre-defined by the administrator of the customer organisation.

* After authentication, IDOS generates a token and returns it to the client, which presents it on every subsequent request. Token-based authentication means each request to the server carries a signed token; the server verifies the token's authenticity before it processes the request and returns a response.

Multi-factor authentication
* A CAPTCHA (Completely Automated Public Turing test) is mandatory for every login attempt, to confirm that the user is a person and not an automated bot. Note that a CAPTCHA deters automated login attempts; it is not itself an authentication factor.

* As an additional security capability, customers can opt for a one-time password (OTP) as a second factor: a time-limited code is generated at each login and sent to the user's registered e-mail address. A code delivered by e-mail is an e-mail OTP rather than TOTP in the RFC 6238 sense, which an authenticator app computes locally from a shared secret.

Data Encryption in IDOS

Data in Transit
* All client-server traffic is encrypted with TLS (SSL).

* Passwords and other sensitive fields are additionally encrypted with RSA public-key encryption before transmission, on top of TLS.

* Every request is validated by the token issued at login (see User Authentication above).

* A user account is locked after 5 consecutive failed login attempts (default threshold: 5).

* After 20 minutes of inactivity the user is automatically logged out and the session expires (default: 20 minutes).

Data at Rest
* Sensitive information such as passwords is never stored in cleartext.

* Passwords are hashed with SHA-256. A hash is one-way, not encryption: it cannot be decrypted. Note that plain SHA-256 is fast and unsalted; current guidance for stored passwords is a salted, deliberately slow password hash such as PBKDF2, bcrypt, scrypt or Argon2.

* After hashing or encryption, stored sensitive data is additionally masked / obfuscated.

* Data is stored behind a firewall.

* Only authorised personnel can access the data, and only with least privilege.

* Backups are encrypted according to the Microsoft Azure Backup configuration in the cloud.

* Data is stored on Azure Premium disks, which are encrypted.
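The following is an added example, not IDOS code, showing in runnable form the distinction the Data at Rest list draws: a plain SHA-256 digest of a password beside a salted, iterated password hash (PBKDF2-HMAC-SHA256 from the standard library) with constant-time verification. The record format and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not IDOS code): the plain SHA-256 digest the page describes,
# beside a salted, iterated password hash. The record format and the
# iteration count are assumptions for illustration.

PBKDF2_ITERATIONS = 600_000  # assumed default; OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def sha256_digest(password: str) -> str:
    """Plain SHA-256 of the password. This is a one-way hash, not encryption:
    nothing can decrypt it. It is also unsalted and fast, so two users with
    the same password get the same digest and offline guessing is cheap."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>' so the cost
    can be raised later without invalidating records already stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key with the record's own salt and cost, then
    compare in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False  # malformed record (wrong field count, bad hex, bad int)
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Two calls to hash_password with the same password produce different records because each gets its own salt; verify_password still accepts both, and rejects a record whose derived key has been altered by even one character.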

Elimination of Data Breach
* After successful authentication and authorisation, every request is validated before it is processed, using the token issued during authentication. A request from an unauthenticated source is rejected and the user is logged out.

* A user account is locked after 5 consecutive failed login attempts (default threshold: 5).

* After 20 minutes of inactivity the user is logged out and the session expires (default: 20 minutes).

* Back-end access for users such as DBAs and support staff is role-based with least privilege, and is granted only on the customer's written request and authorisation for a specific support task.

* An account may be logged in from only one machine at a time. If a user logs in from a second machine while a session is active on the first, the most recent login is granted access and the earlier session is automatically logged out.
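The controls listed under Data in Transit and Elimination of Data Breach (signed token checked on every request, lockout after 5 failures, 20-minute idle timeout, one live session per account) fit together as one small server-side state machine. The following is an added example written for this page, not IDOS code: an in-memory stand-in with an HMAC-signed token. The token layout "user.session_id.signature", the in-memory stores, the placeholder password check and the injectable clock are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Added example (not IDOS code). The token layout, in-memory stores and the
# placeholder password check are assumptions; a real deployment would back
# the stores with a database and verify passwords against a stored hash.

MAX_FAILED_ATTEMPTS = 5          # page default: lock after 5 consecutive failures
IDLE_TIMEOUT_SECONDS = 20 * 60   # page default: log out after 20 minutes idle


@dataclass
class Account:
    check_password: Callable[[str], bool]   # password verifier (hashing is out of scope here)
    failed_attempts: int = 0
    locked: bool = False
    session_id: Optional[str] = None        # at most one live session per account


@dataclass
class Session:
    user: str
    last_seen: float


class AuthService:
    def __init__(self, secret: bytes, clock: Callable[[], float] = time.time):
        self._secret = secret          # server-side key; never sent to clients
        self._clock = clock            # injectable so the idle timeout can be tested
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a signed token on success, None on any failure."""
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            return None                # same answer for unknown and locked accounts
        if not acct.check_password(password):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
            return None
        acct.failed_attempts = 0
        if acct.session_id is not None:             # single-session rule:
            self.sessions.pop(acct.session_id, None)  # a new login evicts the old session
        sid = secrets.token_urlsafe(24)   # URL-safe alphabet, so it never contains '.'
        acct.session_id = sid
        self.sessions[sid] = Session(user=user, last_seen=self._clock())
        payload = f"{user}.{sid}"
        return f"{payload}.{self._sign(payload)}"

    def validate(self, token: str) -> Optional[str]:
        """Return the user if the token is authentic and its session is alive;
        otherwise return None, leaving no live session behind."""
        try:
            user, sid, sig = token.rsplit(".", 2)
        except ValueError:
            return None
        if not hmac.compare_digest(self._sign(f"{user}.{sid}"), sig):
            return None                # forged or tampered token
        sess = self.sessions.get(sid)
        if sess is None or sess.user != user:
            return None                # evicted by a newer login, or never issued
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[sid]     # idle too long: expire and force re-login
            return None
        sess.last_seen = now           # activity extends the session
        return user


def demo() -> Dict[str, bool]:
    """Scripted run with a fake clock; returns which behaviours were observed."""
    now = [1_700_000_000.0]
    svc = AuthService(secret=b"constructed-server-secret", clock=lambda: now[0])
    svc.accounts["alice"] = Account(check_password=lambda p: hmac.compare_digest(p, "correct horse"))
    out: Dict[str, bool] = {}
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong")
    out["locked_after_5_failures"] = svc.accounts["alice"].locked
    out["locked_account_rejects_valid_password"] = svc.login("alice", "correct horse") is None
    svc.accounts["alice"].locked = False          # out-of-band unlock by an administrator (assumed)
    svc.accounts["alice"].failed_attempts = 0
    t1 = svc.login("alice", "correct horse")
    out["valid_token_accepted"] = svc.validate(t1) == "alice"
    tampered = t1[:-1] + ("0" if t1[-1] != "0" else "1")
    out["tampered_token_rejected"] = svc.validate(tampered) is None
    t2 = svc.login("alice", "correct horse")      # login from a second machine
    out["old_session_evicted"] = svc.validate(t1) is None and svc.validate(t2) == "alice"
    now[0] += IDLE_TIMEOUT_SECONDS + 1
    out["idle_session_expired"] = svc.validate(t2) is None
    return out
```

The signature proves the token was issued by this server, but the server-side session table is what enforces the single-session and idle-timeout rules: a token whose signature still verifies is refused once its session has been evicted or has expired.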

Elimination of data loss in IDOS
* SFTP/SSH is exposed only on non-standard ports. This cuts down automated scanning noise; key-based authentication remains the actual access control.

* VMs are reachable through a single point of access, a jump box on Azure.

* Microsoft Information Protection (MIP) on Azure is configured for Data Loss Prevention as an additional control.

* Access to IDOS passes through multiple layers: application gateway, firewall, web server and proxy/load balancer, and the application server accepts TLS connections only.

* Anti-virus is installed on all VMs.

*
* Uploaded documents are accepted only after their file type has been validated and they have passed a virus scan.
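The following is an added example, not IDOS code, of what validating an upload's file type can look like in practice: the declared extension must be on an allow-list, the leading bytes must match that type (so a renamed executable fails even with a ".pdf" name), the client-supplied path is reduced to its final component, a size cap applies, and an external scanner gets the final say. The allow-list, the size cap and the toy scanner are assumptions for illustration; a real deployment would call an AV engine such as clamd in place of the toy scanner.

```python
import os
from typing import Callable, Optional, Tuple

# Added example (not IDOS code): accept an upload only if its declared
# extension is on an allow-list, its leading bytes match that type, it is
# within a size cap, and a scanner clears it. The allow-list, the size cap
# and the toy scanner below are assumptions for illustration.

MAGIC_BY_EXTENSION = {
    "pdf":  (b"%PDF-",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024   # assumed cap


def validate_upload(filename: str, data: bytes,
                    scan: Optional[Callable[[bytes], bool]] = None) -> Tuple[bool, str]:
    """Return (accepted, reason); on success the reason is the normalised extension.
    'scan' is a hook that returns True when the content is clean."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # Never trust the client-supplied path: keep only the final component,
    # treating Windows separators like POSIX ones.
    name = os.path.basename(filename.replace("\\", "/"))
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in MAGIC_BY_EXTENSION:
        return False, f"extension {ext!r} not allowed"   # also catches "report.pdf.exe"
    # Check the content, not just the name: "report.pdf" with an EXE header fails here.
    if not any(data.startswith(magic) for magic in MAGIC_BY_EXTENSION[ext]):
        return False, f"content does not look like {ext}"
    if scan is not None and not scan(data):
        return False, "virus scan flagged the file"
    return True, ext


# Constructed stand-in for an AV engine: flags any file containing this made-up marker.
CONSTRUCTED_MALWARE_MARKER = b"CONSTRUCTED-TEST-MALWARE-MARKER"


def toy_scanner(data: bytes) -> bool:
    """True when clean. A real deployment would hand the bytes to clamd or similar."""
    return CONSTRUCTED_MALWARE_MARKER not in data
```

Matching magic bytes rules out the obvious renamed executable but not a polyglot file that carries a valid header for the declared type alongside hostile content, which is why the scanner runs after the type check rather than being replaced by it.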