Security Center
We take customer data very seriously and you can rest assured that we are using the highest security standards available.
Infrastructure
General
We use the Microsoft Azure cloud infrastructure as the basis for all eyko services. As an eyko customer you inherit all the best practices and policies of Microsoft's infrastructure and operations.
Microsoft's Azure global infrastructure maintains more regions than any other cloud provider. We leverage the Azure infrastructure to protect our Customer's data with industry-leading security, compliance and privacy standards, but also benefit from the reliability and sustainability factors embraced by Microsoft's cutting edge technology. Microsoft Azure holds more than 90 compliance and security certifications. We love standing on the shoulders of a giant.
Virtual Private Network (VPN)
eyko security enforces a mandatory VPN protocol for network access. Internal infrastructure components including: Database Servers, Virtual Machines, key-vaults and other private storage accounts are deployed on private networks and are accessible only from restricted networks through an encrypted VPN. VPN access is limited to select employees and multi-factor authentication (MFA) is enforced.
Encryption
We encrypt all data both in-transit and at rest. We use Microsoft Azure managed encryption to achieve the highest encryption standards available. Some tangible examples of steps that we take in order to encrypt data:
-
All Databases use TDE (Transparent Data Encryption), using customer-managed keys (CMKs, RSA-2048 encryption)
-
All Virtual Machines or servers used to handle any customer data have local Disk Encryption enabled (AES-256 encryption)
-
Cloud storage resources are encrypted using Azure Key/Vault customer-managed keys (CMKs, using RSA-2048 encryption)
-
All our web applications and API endpoints enforce HTTPS.
Backups
Customer data is routinely backed up automatically. This gives us the ability to restore data to any point in time according to the customer's configured backup retention policy. The following backup policies are in place for customer databases:
-
Point-in-time restore backups – 7 Days
-
Weekly long-term retention (LTR) backups – 12 Weeks
-
Monthly LTR backups – 4 Months
-
Yearly LTR backups – Keep Week 1 for 1 Year
By default, eyko stores backup data in geo-redundant storage blobs that are replicated to a paired region for High Availability purposes. This helps to protect against outages impacting backup storage in the primary region and allow us to restore the data to a different region in the event of a disaster. If the primary Database fails, the eyko support team will execute a Database failover procedure and restore normal operation within minutes.
Our databases are encrypted with TDE (Transparent Data Encryption). Backups are automatically encrypted at rest including long-term retention backups.
Customer data can be restored from either a point-in-time restore or LTR backups upon request. The duration of the restore process depends on the size of the database.
High Availability
Our applications run in a Highly Available manner following Cloud Architecture Best Practices. We leverage Azure Regions and Zones to ensure underlying infrastructure issues don’t affect the availability of our applications. To ensure reliability, we continuously monitor the health of our applications both internally within our cloud infrastructure but also externally using monitoring providers.
Network
We utilize Layer3/7 firewalls and modern network protection technologies to protect access to internal and customer resources over the network. We strongly believe that solely using Authorization and Authentication is not enough, and additional network controls are required.
-
For example, in addition to restricting specific Encrypted Vault data to specific Active Directory entities such as users or groups, we also require that these entities are accessed through internal VPN Networks.
Data Security and Availability
Data is the core of our business and when it comes to protecting it, we put all possible thought and efforts into it. Customer data can be divided into ingested data supplanted with our enterprise data warehousing service as well as Application metadata related to customers using our product. Ingested data is provided by the customer and can be re-ingested as much as needed. Application metadata such as designs, sources or streams is created by the customers. The highest possible security is applied to both kinds of customer data but each are treated slightly different from an operational and availability standpoint.
Product
Passwords
All customer-facing applications rely on Microsoft AD security features for authentication and authorization. We don’t store customer passwords, instead, we use a Role-based access control (RBAC) model in order to authorize AD entities.
Delivery pipeline
All changes made by our development team are automatically tested on an integration environment, and only deployed to customer-facing applications once these changes are approved and tested by team members.
Compliance
Azure Security Center executes a set of automated assessments of our Azure environment which can help provide evidence relevant to specific controls in a compliance framework or standard. Each compliance report summarizes the current status of those assessments, as they map to the associated controls.
In order to stay continuously compliant, we utilize alerts to notify immediately when a cloud resource is compromised.
For More information about Azure Security Benchmarks see https://docs.microsoft.com/en-us/azure/security/benchmarks/